Given the number of Cisco VoIP implementations in companies where the telephone constitutes a business critical system this vulnerability quite rightly send chills down the spine of many a communications manager, especially as avoiding the problem is difficult. Ideally, Cisco would release a patch to better handle malformed or malicious traffic and recover from network errors. However, whilst Secure Test responsibly informed the vendor of the problems several months ago, as yet, there have been no visible signs of progress. Understandably there may be greater problems in patching 'dumber' devices such as telephone hardware, relative to providing security updates for PC's and servers. But, if the window of exposure cannot be effectively shortened by a company with the development capacity of Cisco, this could be seen as a good argument not to run phones on open IP networks until these problems have been overcome.

Having discovered the vulnerabilities with regard to DoS attacks, tests then moved on to see whether the ARP spoofing attacks, specifically data interception, were possible. Any fan of spy films will know that telephone tapping is perfectly possible on traditional PSTN based phones. Since this usually requires a hardwire tap to be set into the PBX, however, this becomes a question of the physical security of the core infrastructure. Initial tests on VoIP phones, however, have shown that where data is not encrypted, it is relatively easy to intercept, listen-in on or record conversations on any phone, from any other phone point on the network. Worryingly, most of the commonly used VoIP phones do not encrypt traffic by default and currently, many do not even support the necessary protocols to make this possible.

Initial tests on the Cisco 7900 have proved that it is possible to carry out an ARP attack on a target phone which draws the data stream through the attackers' computer. As any conversation is transmitted in the clear using standard RTP (Real time Transfer Protocol), this can easily be decoded, listened in-on and recombined in real time, leaving the victim(s) none the wiser.


As researchers found it relatively simple to develop a tool to automate this process, it can safely be assumed that such tools are freely available on the Internet. This means that where VoIP handsets do not support the secure RTP protocol necessary to protect traffic (as with all current Cisco phones) it should be assumed that all communications could be intercepted.

All of the attacks outlined above are difficult to guard against as they work using the very essence of convergence; that you do not physically segregate the data network and the phone system. Even where separate IP networks are used, you can simply plug a PC in to the telephone network via the phone port. As one of the major advantages of VoIP is computer telephony integration (ie. screen pop-up with call information and multi-channel CRM systems) most hardware phones contain a built in switch to allow a PC and a phone to occupy the same port.