Beguiling but Beware: Ajax, VOIP

SAN DIEGO -- Some of the slickest new technologies online -- VOIP and Ajax -- are dangerously insecure, and likely to only get worse as they become more prevalent, according to security researchers presenting their findings at the ToorCon security conference.

Voice over internet protocol is going mainstream, available to consumers and increasingly replacing the private phone systems in businesses of all sizes. Like the traditional phone, a VOIP call is broken into two parts, or channels. The first is signaling, which negotiates things like when to start and stop a call, what to do if another call comes in, and what to do if something about the call changes. The second part is media, the bit where we talk. In most VOIP systems neither of these channels is actually encrypted.

According to Dustin Trammell, VOIP security researcher at Tipping Point, this leaves most VOIP calls vulnerable. Calls can be hijacked without either party's knowledge anywhere along the route over the net that connects the call, and nearly all VOIP systems can fall victim to signal-channel attacks that can fake caller ID, degrade call quality, end calls suddenly, and crash the end device -- either your VOIP phone or computer. Internet telephony can even fall victim to denial-of-service attacks that flood a phone with fake requests to start a call, rendering it useless.

Trammell makes the point that even securing a call with all possible measures currently available amounts to mitigation rather than a truly secure environment. "In VOIP, many times there's no clear-cut solutions," Trammell told the ToorCon audience. "Sometimes the best we can do is limit the severity of the impact."

Phones are by their nature something that lets you talk to anyone freely -- and therefore will never be completely private. But he makes the point that VOIP could be far more secure than it is without developing any new technology.

According to Trammell, many VOIP vendors have argued that these security flaws are hard to exploit, but he listed more than 20 freely available tools specific to attacking VOIP in his talk, pointing out that the barrier to VOIP hacking is not only low, but getting lower all the time. That's likely to become an issue as VOIP becomes more prevalent.