Looking through the rear view mirror:
“Something Old (H.323), Something New (IAX), Something Hollow (Security) and Something Blue (VoIP Administration) by H. Dwivedi & Z. Lackey gave a very good overview of the security weaknesses of VoIP protocols. Very specifically, they outlined significant weaknesses in the H.323 protocol and the emerging Market driven protocol AIX associated with Asterisk PBX. Additionally they outlined the risks of Administrative weaknesses including poor configuration management and the lack of Security emphasis with these protocols.
“Z-Phone” with P. Zimmerman, as the deployment of VoIP grows and Session Initiation Protocol (SIP), becomes the new predominate protocol in this area, the issue of Encryption comes up. This presentation focused on Z-Phone a protocol developed and promoted by Paul Zimmerman. This encryption requires no infrastructure like Public Key Infrastructure (PKI) to be set up and is secure on a call-by-call basis, and light enough to be handled from Phone to Phone.
“VoIP Security Methodology and Results” from B. Dempster, this presentation gives many of the key weaknesses of implementing a VoIP network. During the presentation, he parallels the weaknesses of a traditional Data Network with its Firewalls, IPSs, Security managers, and Applications. He identifies that the VoIP based network, as it converges, takes on the Data world’s weaknesses, and adds the impact of non-intuitive security issues of the voice world.
“Transparent Weaknesses in VoIP” by Peter Thermos reviews the high-level attacks that can take place in a VoIP environment that is using Media Gateway Control Protocol (MGCP). During his presentation, he also demonstrates live one identified weakness in Z-Phone encryption. Also during this presentation, he quickly shows a number of other threats like Presence Hijacking and Caller-Id spoofing. The closure of this presentation talks about methodologies to secure a VoIP network.
The CTO and his technical staff presented “Vulnerabilities in WiFI / Dual-Mode VoIP Phones” by Sachin Joglekar, which in the end. This presentation highlighted the vulnerabilities and complexities of securing a network with Dual-Mode WiFI phones. During the demonstration BlackBerries were frozen, defaults setting that are not secure have been identified and attack vectors demonstrated.
Through the looking Glass:
This series of demonstrations and talks during BlackHat clearly indicates the growing awareness of Security threats in the Voice arena. Our responsibility as leaders in Industry and Information Security is to understand the business advantages of enabling new technology in our Networks and Applications, and provide the security and privacy required by law and expected by our Executives and End users. This track also demonstrates the absolute need we have the real security threats of VoIP and ways to defend against them.
R S S feed
