Reach Out And Hack Someone

Gone are the days when telephones were dumb appliances that you simply plugged into the wall and forgot: Security researchers from one Internet security firm say they have located more than 100 vulnerabilities in hardware and software that powers the Internet-based phones used by many large companies today.

Turns out, many of these same vulnerabilities may also be present in the complex, distributed networks that control your local power grid, or ensure the distribution of your drinking water. But more on that in a bit.

Ottawa-based VoIPshield Systems, a company that makes products to help secure voice-over-IP (VoIP) networks, said it located more than 100 security holes in Internet-based phones made by the biggest players in the business, including Avaya, Cisco and Nortel. The company currently displays information on 44 of the vulnerabilities on its Web site, and it says many of the flaws are medium- to high-risk, meaning they could be used to intercept, redirect or initiate phone calls, or to simply disable phone service for the targeted user or company.

VoIPshield chief exec Rick Dalmazzi said the company's internal researchers uncovered the flaws over the past two years, and that all affected vendors have been notified. So far, vendor patches are available to address 17 of the vulnerabilities listed on its site.

Asked to name the most galling vulnerability of the lot, Dalmazzi said one vendor (Cisco) decided it was a good idea to hard-code a password for a management interface into the VoIP device that could not be changed by the user. Dalmazzi said Cisco told him it planned to correct that decision in future versions of the product.

VoIP-based vulnerabilities are interesting to me because they potentially open up a wide range of new attacks for bad guys. Many companies that use VoIP allow employees to access the corporate VoIP network remotely using software-based phones, often installed on company laptops. Imagine a computer worm that not only hijacks the VoIP devices that manage incoming and outgoing calls, but one that can also push malware down to connected clients, or record phone conversations and mail them out as MP3s to everyone in the victim's e-mail contact list.

"These are the types of threats that are not uncommon in the data world, but no one is thinking about them in the VoIP world," Dalmazzi said. "If our modest sized research team can find this many vulnerabilities, the guys looking at hacking VoIP for profit certainly won't have any problem."

So far, the criminal activity related to exploiting holes in VoIP has been limited mostly to petty theft of service. Well, at least those are the only incidents we're hearing about in the media. But I suspect that many types of attacks against VoIP systems go unnoticed or unreported, either because they look to corporate IT defenders much like other, more common types of Internet attacks, or because the company never tells anyone about the break-ins.

But lest anyone think VoIP vulnerabilities are nothing to be concerned about, consider the rather shocking tidbit shared last month at the Black Hat hacker conference in Washington, D.C. by Jerry Dixon, former head of the Department of Homeland Security's National Cyber Security Division. Dixon warned that VoIP vulnerabilities are opening dangerous new avenues of exposure for the companies that own and operate our nation's most critical networks, such as those that support the electric power, water and manufacturing systems.

To lower costs and increase efficiency, most utilities these days use the Internet to keep tabs on and manage their far-flung substations and networks. These control networks, known as supervisory control and data acquisition (SCADA) networks, naturally expose these very sensitive and complex systems to extreme risk of degradation or destruction if they are not properly secured. One important aspect of securing SCADA systems involves separating them from the administrative networks that utility employees use for everyday work, such as e-mail and browsing the Web.

Dixon said that while a great many SCADA operators he has spoken with claim they carefully segregate their SCADA and administrative networks, far too many have gone ahead and set up their VoIP systems on the same network that manages their SCADA systems.

"I asked a simple question of how many people were using VoIP," Dixon said, referencing a recent discussion he had in a meeting with SCADA operators. "Half the hands went up. Then I asked, 'Do you run a line from your administrative network into where the operating control system is,' and turns out a lot of them were actually running VoIP across their SCADA networks and that they weren't really segregated at all."
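As an added illustration (not code from the article, VoIPshield or any of the people quoted), here is the kind of defender-side check that surfaces the bridging Dixon describes: it scans flow records for VoIP signalling or media touching the control-system subnet, and for any flow that crosses the control boundary at all. The subnets, the SIP ports, the RTP port range and the sample flows are all assumptions constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Assumed address plan (not from the article): the SCADA/control segment
# is 192.168.100.0/24; 10.10.0.0/16 is office space, 10.20.0.0/16 is VoIP.
CONTROL_NETS = [ipaddress.ip_network("192.168.100.0/24")]
SIP_PORTS = {5060, 5061}            # SIP signalling (5060; 5061 for SIP over TLS)
RTP_PORTS = range(16384, 32768)     # assumed RTP media range; adjust to your PBX

Flow = namedtuple("Flow", "src dst sport dport proto")

# Constructed sample flow records, as a switch or firewall might export them.
SAMPLE_FLOWS = [
    Flow("10.20.1.15", "10.20.1.2", 5060, 5060, "udp"),         # phone to PBX, expected
    Flow("10.10.5.7", "192.168.100.10", 5060, 5060, "udp"),     # SIP into the control net
    Flow("192.168.100.10", "10.10.5.7", 20000, 20002, "udp"),   # RTP media leaving it
    Flow("192.168.100.20", "192.168.100.1", 40001, 502, "tcp"), # stays inside; assumed port
    Flow("10.10.5.9", "192.168.100.20", 51000, 80, "tcp"),      # office host reaching an RTU
]

def in_control_net(addr):
    """True if addr lies inside one of the control-system subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CONTROL_NETS)

def is_voip(flow):
    """Heuristic: SIP on its well-known ports, or UDP inside the RTP media range."""
    if flow.sport in SIP_PORTS or flow.dport in SIP_PORTS:
        return True
    return flow.proto == "udp" and (flow.sport in RTP_PORTS or flow.dport in RTP_PORTS)

def audit(flows):
    """Return the two findings a segregation review cares about: VoIP traffic
    touching the control segment at all, and any flow with one endpoint inside
    the control segment and the other outside it."""
    voip_on_control, cross_segment = [], []
    for f in flows:
        src_in, dst_in = in_control_net(f.src), in_control_net(f.dst)
        if (src_in or dst_in) and is_voip(f):
            voip_on_control.append(f)
        if src_in != dst_in:
            cross_segment.append(f)
    return {"voip_on_control": voip_on_control, "cross_segment": cross_segment}

if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_FLOWS).items():
        print(f"{kind}: {len(hits)} flow(s)")
        for f in hits:
            print(f"  {f.src}:{f.sport} -> {f.dst}:{f.dport}/{f.proto}")
```

Every hit in "cross_segment" is traffic that a truly air-gapped control network would never carry, whether or not it is VoIP; the "voip_on_control" list is the specific symptom Dixon's SCADA operators admitted to.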

To make matters worse, the list of security holes discovered and reported by VoIPshield may increase that vulnerability, said Dave Endler, chairman and founder of the VoIP Security Alliance. Endler said even the brief descriptions that accompany each of the advisories offer a head start for attackers intent on finding and exploiting the flaws before they can be patched.

"It's certainly an impressive list, but the details call attention to a lot of issues that may be easier to find thanks to the descriptions of the vulnerabilities," said Endler, who also serves as director of security research for 3Com's TippingPoint - a company that pays freelance researchers to find and report software flaws. "Having that level of detail in the advisories might be positive in that it adds pressure on the vendors to fix the vulnerabilities in a timely manner, but could put others at risk."

That exact scenario played out recently with the emergence of WabiSabiLabi, a highly controversial company that last year set up an online auction house for security vulnerabilities. Just days after opening the first auctions to bidders, WSLabi was forced to cancel several of the auctions after security researchers used the details provided in the advisories to zero in on and publish information about the unpatched security flaws, effectively eliminating the auction value of that vulnerability information.

By Brian Krebs  |  April 3, 2008; 5:15 PM ET


I've always had a bad feeling with VoIP stuff that it was like putting all your eggs in one basket. It also goes against the philosophy of KISS, Keep It Simple Stupid. That dumb phone is looking pretty smart now!

Posted by: TJ | April 3, 2008 7:12 PM | Report abuse

Cisco posted a Security Advisory concerning these issues to its Product Security Incident Response Team (PSIRT) website on April 3. The advisory includes information on a free software update that addresses the vulnerabilities. Kevin Flynn, Cisco, San Jose, CA.

Posted by: Kevin Flynn: Cisco | April 3, 2008 8:22 PM | Report abuse

With all of these security flaws in VoIP systems, why is there so much concern about being unable to effectively track and intercept terrorists who are using these systems for their communication capabilities?

Posted by: brucerealtor | April 4, 2008 2:03 AM | Report abuse

Speaking of 'dumb phones,' when does Verizon Wireless intend to offer an unlimited package for its customers like Sprint now is for $99 or whatever plus fees and taxes?

I pay more than that for 2,000 minutes with Verizon Wireless with no frills.

Verizon Wireless -- feel free to respond to my e-mail adr.

Posted by: | April 4, 2008 2:06 AM | Report abuse

I think the comment "To lower costs and increase efficiency, most utilities these days use the Internet to keep tabs on and manage their far-flung substations and networks" isn't quite right. Utilities are using TCP/IP networking, but more generally private networks. Internet access via VPNs is also in use.
In addition, new cyber-security standards from FERC and NERC are increasing the oversight of the security of these connections.

Posted by: Dan | April 4, 2008 9:54 AM | Report abuse

As someone who designs and maintains a SCADA system, let me be the first to assure everyone that if the system is truly critical, nothing about it will have anything to do with the internal office network, never mind the Internet. I have maintained this policy for many years prior to 9/11.

The problem is many in the office see this fountain of real time data from their utility SCADA systems as something they'd like to have on their desk. Sadly, many have made connections without evaluating the risks. These security compromises happen because many assume that SCADA is obscure, and therefore the risks are negligible. New standards such as ISA-99 and NIST SP 800-53 have vastly improved the risk assessment process. These standards are now very much in the spotlight among many utilities.

The SCADA risks that Krebs quotes from Jerry Dixon highlight the degree of ignorance on this issue. While it may be true that some do use the Internet as a telecommunications medium, most use in-line encryption (such as SSL or TLS). These are proven, battle-tested methods used by every major Internet presence for exchanging large sums of money.

So what about a denial of service? Keep in mind that the first letter of the acronym SCADA stands for Supervisory. It is a supervisory system designed to be autonomous in case the communications fails. Good design mandates that it will be programmed to do something safe in that event.

Nevertheless, SCADA security is still in its infancy. Many engineers and IT professionals with a great deal of experience and education are volunteering their time and money to work on setting standards, and educating managers. Things may look bleak now, but they are moving forward at a pace I have never seen before in more than 20 years of working at a utility.

Posted by: Jacob Brodsky, PE | April 4, 2008 11:27 AM | Report abuse

The key point to take away is that the admin networks are getting bridged with mission-critical ones. This is a problem, as highlighted by previous comments. Most of the companies I've spoken to do have a policy around this; however, reality has shown us that it is not always followed.

To Jacob's point, I agree that if it's critical it should be air-gapped, but as has been demonstrated through security assessments and direct comments from those that manage those networks, they often do get bridged, whether intentionally or unintentionally, contrary to policy, whether through a bridged host or an extension of the VoIP connectivity.

Posted by: Jerry Dixon | April 4, 2008 12:51 PM | Report abuse

If I may throw in my 'two cents' worth...

The problem isn't so much an issue about 'risk' as it is an issue about 'process'. The whole endeavor of the business 'process' is to reduce cost through cost-saving measures and place like-minded products onto the same network. With control systems networks, this is bad juju, as the largest risks faced are flood or DoS attacks (those being the more common ones).

Routine audits and active exercises (including forensics management best practices) are just a few possible avenues by which to reduce risk, which unfortunately do not exist within many utilities (energy, water, etc.). The question comes down to: how do you *make* industry do it? Do you *force* an industry to a level of compliance? If so, what are the penalties, and who gets punished if it's violated?

Honestly, I see having something similar to HIPAA enter this arena. Problem is, will industry like it...probably not.

Posted by: Bob Radvanovsky | April 4, 2008 1:53 PM | Report abuse

I wanted to clarify something with regards to 'HIPAA'. The governance relates to patient and organization security and privacy within healthcare. The implication was that something that has an industry-wide impact similar to HIPAA, but not based on its function.

Posted by: Bob Radvanovsky | April 4, 2008 2:41 PM | Report abuse

"I think the comment "To lower costs and increase efficiency, most utilities these days use the Internet to keep tabs on and manage their far-flung substations and networks" isn't quite right. Utilities are using TCP/IP networking, but more generally private networks. Internet access via VPN's is also in use."

Dan is totally correct here and Brian needs to do more research in the future before spreading the FUD around, as that's the last thing we need. Are some vendors making products that can utilize the Internet to communicate with SCADA systems? Yes they are, but most of us in the SCADA cyber security field are smart enough not to use these features unless it can be proven that they are highly secure and there is some major additional benefit to going the very risky Internet route.

Posted by: Kevin McGrath | April 9, 2008 9:13 AM | Report abuse

© 2010 The Washington Post Company