Reach Out And Hack Someone
Gone are the days when telephones were dumb appliances that you simply plugged into the wall and forgot: Security researchers from one Internet security firm say they have located more than 100 vulnerabilities in hardware and software that power the Internet-based phones used by many large companies today.
Turns out, many of these same vulnerabilities may also be present in the complex, distributed networks that control your local power grid, or ensure the distribution of your drinking water. But more on that in a bit.
Ottawa-based VoIPshield Systems, a company that makes products to help secure voice-over-IP (VoIP) networks, said it located more than 100 security holes in Internet-based phones made by the biggest players in the business, including Avaya, Cisco and Nortel. The company currently displays information on 44 of the vulnerabilities on its Web site, and it says many of the flaws are medium- to high-risk, meaning they could be used to intercept, redirect or initiate phone calls, or to simply disable phone service for the targeted user or company.
VoIPshield chief exec Rick Dalmazzi said the company's internal researchers uncovered the flaws over the past two years, and that all affected vendors have been notified. So far, vendor patches are available to address 17 of the vulnerabilities listed on its site.
Asked to name the most galling vulnerability of the lot, Dalmazzi said one vendor (Cisco) decided it was a good idea to hard-code a password for a management interface into the VoIP device that could not be changed by the user. Dalmazzi said Cisco told him it planned to correct that decision in future versions of the product.
VoIP-based vulnerabilities are interesting to me because they potentially open up a wide range of new attacks for bad guys. Many companies that use VoIP allow employees to access the corporate VoIP network remotely using software-based phones, often installed on company laptops. Imagine a computer worm that not only hijacks VoIP devices that manage incoming and outgoing calls, but one that can also push malware down to connected clients, or record phone conversations and mail them out as MP3s to everyone in the victim's e-mail contact list.
"These are the types of threats that are not uncommon in the data world, but no one is thinking about them in the VoIP world," Dalmazzi said. "If our modest sized research team can find this many vulnerabilities, the guys looking at hacking VoIP for profit certainly won't have any problem."
So far, the criminal activity related to exploiting holes in VoIP has been limited mostly to petty theft of service. Well, at least those are the only incidents we're hearing about in the media. But I suspect that many types of attacks against VoIP systems go either unnoticed or unreported, either because they look to the corporate IT defenders similar to other types of more common Internet attacks, or because the company never tells anyone about the break-ins.
But lest anyone think VoIP vulnerabilities are nothing to be concerned about, consider the rather shocking tidbit shared last month at the Black Hat hacker conference in Washington, D.C. by Jerry Dixon, former head of the Department of Homeland Security's National Cyber Security Division. Dixon warned that VoIP vulnerabilities are opening dangerous new avenues of exposure for the companies that own and operate our nation's most critical networks, such as those that support the electric power, water and manufacturing systems.
To lower costs and increase efficiency, most utilities these days use the Internet to keep tabs on and manage their far-flung substations and networks. These control networks, known as supervisory control and data acquisition (SCADA) networks, naturally expose these very sensitive and complex systems to extreme risk of degradation or destruction if they are not properly secured. One important aspect of securing SCADA systems involves separating them from the administrative networks that utility employees use for everyday work, such as e-mail and browsing the Web.
Dixon said that while a great many SCADA operators he has spoken with claim they carefully segregate their SCADA and administrative networks, far too many have gone ahead and set up their VoIP systems on the same network that manages their SCADA systems.
"I asked a simple question of how many people were using VoIP," Dixon said, referencing a recent discussion he had in a meeting with SCADA operators. "Half the hands went up. Then I asked, 'Do you run a line from your administrative network into where the operating control system is,' and turns out a lot of them were actually running VoIP across their SCADA networks and that they weren't really segregated at all."
To make matters worse, the list of security holes discovered and reported by VoIPshield may increase that vulnerability, said Dave Endler, chairman and founder of the VoIP Security Alliance. Endler said even the brief descriptions that accompany each of the advisories offer a head start for attackers intent on finding and exploiting the flaws before they can be patched.
"It's certainly an impressive list, but the details call attention to a lot of issues that may be easier to find thanks to the descriptions of the vulnerabilities," said Endler, who also serves as director of security research for 3Com's TippingPoint - a company that pays freelance researchers to find and report software flaws. "Having that level of detail in the advisories might be positive in that it adds pressure on the vendors to fix the vulnerabilities in a timely manner, but could put others at risk."
That exact scenario played out recently with the emergence of WabiSabiLabi, a highly controversial company that last year set up an online auction house for security vulnerabilities. Just days after opening the first auctions to bidders, WSLabi was forced to cancel several of the auctions after security researchers used the details provided in the advisories to zero in on and publish information about the unpatched security flaws, effectively eliminating the auction value of that vulnerability information.
April 3, 2008; 5:15 PM ET