Black Hat 2007: VoIP security reaches tipping point

By Bill Brenner, Senior News Writer 01 Aug 2007 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Zimmermann calls his new creation Zfone, a VoIP phone software product that lets users encrypt their calls over the Internet. Zfone uses a new cryptography protocol called ZRTP, which has a better architecture than such other VoIP security protocols as SIP (Session Initiation Protocol), H.323 and IAX. Users can download a free beta of Zfone from the Zfone Project Web site.

"Zfone sits in the IP protocol stack and runs as a filter, and it works with multiple programs such as Windows Mobile, Apple iChat, Symbian and Nokia," he said before running a demonstration of how the technology works.

It's getting easier for the bad guys to use something like spyware to tap the VoIP conversations of judges, prosecutors and the police. Phil Zimmermann Creator - PGP, Zfone

To show how Zfone can protect VoIP sessions from man-in-the-middle attacks without the need for PKI or certificate authority, Zimmermann initiated two VoIP calls with someone in the audience using iChat and then Gizmo, a free Internet phone application.

"To prevent a man-in-the-middle attack, we have to use the same session key," he said, pointing out how his software allows for that to happen. "When you have the same session key at both ends, there can be no man in the middle."

Throughout his presentation, Zimmermann stressed the importance of encrypting VoIP transmissions, even though, as he noted, some in the government believe that would hobble law enforcement's ability to tap VoIP conversations as part of criminal investigations. The problem, he said, is that organized criminal outfits are quickly figuring out how to turn the tables by tapping VoIP calls made by the authorities attempting to bring them to justice.

"We have to encrypt our phone calls because the VoIP environment just isn't safe," he said. "It's getting easier for the bad guys to use something like spyware to tap the VoIP conversations of judges, prosecutors and the police."

Zimmermann's demonstration received a positive response from the audience, and other experts backed his claim that it's no longer difficult for digital miscreants to exploit VoIP insecurity.

Special Black Hat coverage Check out more of SearchSecurity.com's special news coverage of Black Hat USA 2007.

Himanshu Dwivedi and Zane Lackey of San Francisco-based digital security firm iSEC Partners Inc. gave a presentation on the various ways attackers can exploit SIP, IAX and H.323. The latter, they say, is particularly vulnerable to attack, but that most users assume H.323 is secure because little evidence to the contrary has been presented. They urged the audience to build a layered defense, noting that the state of VoIP security is as bad now as it was a couple years ago.

"Four to five years ago, we started hearing about the security problems of VoIP, and it's really no better today," Dwivedi said. "The security vendors are not on top of the problem and users are relying on protocols they think are safe, when in fact they are not."

The two then ran through a series of examples showing how attackers could exploit the protocols to listen in on VoIP conversations and extract sensitive information in the process, and create havoc through denial-of-service attacks and by impersonating certain people on the call. IDs, time stamps and certain hashing functions can easily be sniffed, they warned.

Several Black Hat attendees said their organizations aren't using a lot of VoIP yet, but that they know it's something they'll soon have to deal with.

Andrew Fried, an IT security specialist with the U.S. Treasury Department, said his agency wants to increase its VoIP capabilities and hopes the Black Hat sessions will bring him up to speed on the security risks he'll have to be worrying about.

"The government is trying to push more and more work at home and VoIP will be used as part of that … but fraudulent use of VoIP is something we're more concerned about, with [attackers] making calls in the name of the IRS using VoIP services that are nearly untraceable," Fried said. "Welcome to the world of fraud."

Tags: Monitoring Network Traffic and Network Forensics,  Information Security Laws, Investigations and Ethics,  Network Protocols and Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Monitoring Network Traffic and Network Forensics Best practices for (small) botnets Botnet masters turn to Google, social networks to avoid detection Preventing SQL injection attacks: A network admin's perspective Breach prevention: How to keep track of data and applications Researchers find thousands of flawed embedded devices Network traffic collection, analysis helps prevent data breaches Lifecycle of a network security vulnerability Port scan attack prevention best practices How to prevent network sniffing and eavesdropping DoD urges less network anonymity, more PKI use Information Security Laws, Investigations and Ethics Melissa Hathaway urges more cooperation, government attention to cybersecurity Cybersecurity czar candidate questions clout of new position DHS fills National Cybersecurity Center post FTC shutters rogue ISP for hosting malicious content, botnets Experts optimistic of Obama cybersecurity plan WH cybersecurity plan needs private sector guidance Obama announces creation of cybersecurity coordinator position Cybersecurity Act of 2009: Power grab, or necessary step? Face-off: Who should be in charge of cybersecurity? Feds should get private sector advice on cybersecurity Network Protocols and Security How to keep networks secure when deploying an 802.11n upgrade Expert calls SSL protocol vulnerability a non issue How to prevent phishing attacks with social engineering tests How SSL-encrypted Web connections are intercepted DNSSEC deployment challenges can be overcome Microsoft issues SMB vulnerability advisory, patch pending Microsoft repairs Windows media, TCP/IP vulnerabilities How to test IPv6 infrastructures DNSSEC deployments gain momentum since Kaminsky DNS bug Kaminsky interview: DNSSEC addresses cross-organizational trust and security

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bridge  (SearchSecurity.com) computer forensics  (SearchSecurity.com) Einstein  (SearchSecurity.com) footprinting  (SearchSecurity.com) information signature  (SearchSecurity.com) inverse mapping  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) network forensics  (SearchSecurity.com) promiscuous mode  (SearchSecurity.com) snoop server  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary