Sipera sounds VoIP security alarm
The proliferation of voice over IP and softphones—as well as smartphones, which combine Wi-Fi access with cellular technology—poses a significant security risk for enterprise data networks, a leading security software company is saying today. Sipera Systems, which specializes in VoIP security, said research by its Viper Labs shows it is possible for hackers to take control and delete or steal data from a laptop running an enterprise VoIP softphone.
The company is demonstrating the dangers of VoIP-based attacks on corporate networks today at the Black Hat USA 2007 Conference. Sipera operates both a group that looks for exploits and other vulnerabilities and a separate organization that designs security software, said Krishna Kurapati, founder and chief technology officer.
“We have found that smartphones, where you can download the client and do VoIP on the phone, are more vulnerable to hacking because they have limited memory and limited capacity,” Kurapati said. The company tested numerous brands of phones and software clients, he added. “In some cases, you could cause a [denial-of-service] attack or exploit that phone and make it into a bot and then use that phone to send spam.”
VoIP softphones and smartphones that run VoIP clients are more vulnerable to hacking because “they are having for the first time to support an open protocol such as [session initiation protocol],” Kurapati said. “This is a very porous protocol that can be easily hacked into because, for example, a SIP message, which is used for call set-up or initiation, can be sent to the phone directly. In this scenario, every phone acts as a server since it is always available to receive calls. Anybody can send a request to that phone. That is both good and bad. When they send that message, it can be for many purposes; it could be DoS; it could be toll fraud.”
And the hacking isn’t limited to the VoIP service itself, he added, but can use VoIP as a way of getting at data stored on a laptop.
“We can send a SIP message to a softphone running on a laptop, and it takes control of that laptop,” he said. “It can copy certain files or delete them.”
Traditional firewalls can’t stop these threats, Kurapati added, and neither can traditional authentication security processes. Sipera believes most enterprise IT managers aren’t aware of the dangers.
What the industry needs, and what Sipera is working to provide, he said, is technology developed for real-time communications that takes a comprehensive look at incoming traffic to protect against suspicious content or anomalies. Sipera regularly publishes on its Web site the VoIP vulnerabilities it has detected, and the numbers are in the thousands, the company said.
© 2012 Penton Media Inc.