Jericho Forum voices concerns over VoIP security
A leading member of the Jericho Forum has criticised the security of voice-over-IP technology after security researchers revealed that it was possible to eavesdrop on VoIP conversations.
An eavesdropping vulnerability was revealed on the popular Full Disclosure mailing list on Wednesday. Vulnerability researchers Humberto Abdelnur, Radu State and Olivier Festor claimed the exploit could allow a remote attacker to turn a VoIP phone into an eavesdropping device, citing a Grandstream SIP phone as an example.
The Jericho Forum is an international group of leading corporate security professionals, academics and vendors, and promotes the development of secure software architectures, among other IT security interests.
Paul Simmonds, a member of Jericho Forum’s board of management, said that VoIP is not yet ready for use in businesses. “We don’t consider VoIP to be enterprise-ready,” Simmonds told ZDNet.co.uk. “You can’t run VoIP on a corporate network because you can’t trust every single device on that network. VoIP as it stands certainly isn’t secure. Going forward, everybody should be using inherently secure protocols.”
Simmonds said it was not part of Jericho Forum’s mission to promote any particular protocol as being more secure. Instead he insisted that best practices for secure software development should be adhered to. “From a Jericho standpoint, it’s not for us to say you must use these protocols or these protocols. You simply shouldn’t be sending data over a network insecurely, relying on network security â because it isn’t secure,” he said.
Simmonds recommended that all data packets in a business network, including VoIP packets, be encrypted.
The researchers who found the Grandstream flaw claim that some SIP stack engines have “serious bugs” which allow an attacker to automatically make a remote phone accept a call without it ringing or without the handset being taken off the hook. “The attacker might be able to listen to all conversations that take place in the remote room, without being noticed,” wrote the researchers on the Full Disclosure mailing list.