After years of hype and mostly unfulfilled promise, VoIP has begun making some headway in large enterprises. A lot of IT managers are attracted by the technology’s potential to help them save money through lower phone bills and converged services. And don’t think that the attackers haven’t noticed VoIP’s emergence. At the ToorCon conference in San Diego this weekend, Jason Ostrom, a security researcher with Sipera VIPER Lab, gave a talk that featured several tools he’s built, including VoIP Hopper, that can be used to test the security of VoIP deployments and look for potential attack vectors.
Ostrom talked about a new tool he’s developed, called UCSniff, that enables a user to monitor VoIP traffic on a network in several different ways. The most interesting and potentially useful function of UCSniff is its ability to sniff all of the conversations on a particular extension. It also can be set to passively monitor all of the VoIP traffic on a network and learn the interactions among devices, discovering which extensions belong to whom. Then, once that mapping is accomplished, the user can identify which devices he’s interested in monitoring and target those specifically.
Ostrom said he plans to port UCSniff to Windows in the near future and that it will also soon include support for the H.323 standard. Much of the threat to VoIP networks at this point has come from various denial-of-service attacks, but security experts for years have been warning that the nature of IP phones and the ways in which VoIP networks are set up could make them susceptible to traffic-sniffing attacks like the ones that Ostrom described.
Ostrom and some of his coworkers also have developed a third tool, called XTest, which can test VoIP infrastructures for security problems. XTest is designed specifically to audit wired 802.1X implementations, and can check the strength of the passwords they use through an offline EAP-MD5 dictionary attack against the password file.