The VoIP 'revolution' has been talked of since the 1990's as the 'next big thing' in the enterprise telecoms sector; saving companies vast amounts of money on both call charges and internal network infrastructure and support costs. But just as the VoIP market is finally taking a cautious step towards delivering some of its long-overdue promise, the increasing priority of IT security may force it two steps back.
Recent research, by Secure Test, on the Cisco 7900 series VoIP phones have revealed serious security concerns (Note: Secure Test have independently tested the Cisco 7900 as this is the most widely used enterprise VoIP solution. Similar problems may well exist in other vendors products). With susceptibility to both DoS (denial of service) attacks and interception issues, it is clear that transferring phone systems to an IP network opens them up to many of the same security concerns as Ethernet data networks. More worryingly, phone systems may be harder or even impossible to patch.
Like many IP devices Cisco's VoIP phones are vulnerable to ARP (Address Resolution Protocol) spoofing, allowing 'man-in-the-middle' attacks and including data interception and packet injection. This means that any VoIP phone can be tapped by anyone else with a phone on the same network, any individual VoIP phone can be crashed easily and any VoIP network infrastructure is heavily vulnerable to DoS attacks.
Looking first at the vulnerabilities of VoIP phones to DoS attacks, Secure Test's initial research has shown that Cisco 7900 series phones, specifically where running the default Skinny (SCCP) protocol for messaging, can be crashed relatively easily using one of several methods. By attaching a PC to the VoIP network it is possible to send malformed messages to a target phone or to cause a buffer overflow on one of several fields resulting in a crash. By performing any of these attacks on the switchboard phone, research demonstrated that it would be relatively trivial for an attacker to disable an entire phone system in minutes.
Further research then went on to show that using a similar DoS attack, a Cisco 1760 VoIP enabled router was also vulnerable. Sending a message of 50,000 characters plus to port 2000 (the TCP port used by the router to communicate with the phones) causes every VoIP phone on the network to reboot or crash, completely disrupting communications.
Given the number of Cisco VoIP implementations in companies where the telephone constitutes a business critical system this vulnerability quite rightly send chills down the spine of many a communications manager, especially as avoiding the problem is difficult. Ideally, Cisco would release a patch to better handle malformed or malicious traffic and recover from network errors. However, whilst Secure Test responsibly informed the vendor of the problems several months ago, as yet, there have been no visible signs of progress. Understandably there may be greater problems in patching 'dumber' devices such as telephone hardware, relative to providing security updates for PC's and servers. But, if the window of exposure cannot be effectively shortened by a company with the development capacity of Cisco, this could be seen as a good argument not to run phones on open IP networks until these problems have been overcome.