White hats expose VoIP security threat

Penetration testers have demonstrated a way of compromising computers by subverting VoIP software clients.

The testers, who are from VoIP security firm Sipera, claim that they have found similar vulnerabilities in several vendors' enterprise VoIP software clients. Sipera would not reveal the identity of the affected vendors, because they have not yet brought out patches.

The testers demonstrated a proof-of-concept exploit for one of the VoIP clients at the Black Hat security conference in Las Vegas on Wednesday. On a laptop running Windows XP SP2 with a Windows firewall, running McAfee antivirus, Sipera product manager Sachin Joglekar demonstrated a vulnerability that allows a hacker to cause a buffer-overflow condition.

This allows a small script to be inserted on the victim's laptop, which then enables the hacker to take control of the laptop and view directories, delete them, and steal files and data, Sipera claimed.

"Very specialized, small shell code, just bits and bytes, is inserted into a SIP message," Joglekar said. "As soon as the phone gets the malformed message, the shell code is executed on the laptop and opens a connection that allows an attacker to open a connection and steal files and data."

Joglekar claimed this was "very significant" because data could be smuggled "under the radar from the VoIP side", and that data security vendors were currently "not serious about VoIP".

"Previously there have been no threats to confidential data from softphones. Now there is a bridge built between the two islands," he said.

However, Jon Collins, service director with analyst firm Freeform Dynamics, said that, as few companies have yet rolled out VoIP, a more pressing security concern was "protecting employees from themselves" through education about social-engineering attacks, as working practices evolve.

"I'm not suggesting that finding VoIP or IM client holes isn't an issue, but there are 500 different ways of getting onto someone's laptop. Companies should be concentrating on protecting employees from themselves rather than worrying about external threats. Companies are trying to enable corporate employees to work from home. Corporate data is leaving the company--this is a major area of concern," said Collins.

Joglekar claimed that VoIP protocol subversion was an unrecognized problem in many vendor products. "We found vulnerabilities allowing shell-code execution in multiple vendor VoIP products and software," said Joglekar. "As different modes of communication like VoIP and IM are unified, privacy, security and compliance issues become (more significant)."

He said that most security products would be circumvented by VoIP client-exploit code, because finding anomalies required deep packet inspection and an understanding of VoIP user and client behaviour.

McAfee said that its antivirus software had not picked up the hack in the demonstration because the hack was proof-of-concept. "Both our consumer and enterprise generic products monitor the top 20 buffer-overflow methods," said McAfee analyst Greg Day. "If this is seen in the real world, we could create an antivirus signature, and would do that if it became common in the outside world."

Day said that behaviour-blocking in McAfee antivirus software would not stop this exploit because behaviour-blocking is "designed around a common threat rather than a proof-of-concept hacking technique". He added that McAfee had host and network intrusion-prevention products designed to stop this type of exploit.

Microsoft could offer no comment at the time of writing on how the researchers had managed to evade the Windows firewall.