INVITE of death, does this spell doom for VoIP?


13 March, 2009, by Peter Cox

The last couple of weeks have seen two significant VoIP vulnerability reports. The first, with the alarming name INVITE of Death, reported a vulnerability in an open source security product where a single malformed call request (or INVITE) can trigger a service failure (see http://ims-bisf.nexginrc.org/OpenSBC-vul.html). The tested product uses a popular SIP stack and so the same problem may appear in other products.

The second vulnerability, with the comparatively mundane name of SIP Digest authentication relay attack, is technically much more complex. The vulnerability was originally discovered by INRIA, a French National Research Institute and has now been documented in an Internet Draft.

The attack relies on making a call to a target device and then sending  a carefully designed sequence of valid messages which trick the target device into authenticating a second call made by the attacker. An attacker could use this technique to make calls via a commercial service provider at the victim’s expense. This is yet another example of a toll-fraud attack, a topic that I have discussed before.

Article continues after advert

Far from spelling doom for VoIP, the Invite of Death attack simply demonstrates that VoIP is affected by exactly the same types of vulnerabilities as any other IP application. In this case a simple implementation error leaves the application open to a remote Denial of Service attack. This vulnerability has already been fixed by the product developers.

The relay attack is more of a concern. The attack is made possible by protocol design features. This means that careful planning and implementation and well designed security controls are needed to protect against the threat.

Both of these vulnerabilities underline an important point. VoIP applications are open to application level security threats which can disrupt the service or allow an attacker to gain privileged access to the system.

Application level threats require application level security controls. So if you are relying on a generic firewall to protect your voice system, the chances are that it will not block or even detect these threats.

Tags: VOIP security
Print E-mail Add to favorites
Add Your CommentAdd Your Comment
More Options More Options
Peter Cox
Posted by
Peter Cox
on 13 March, 2009
More ArticlesMore Articles

Peter Cox is the founder and CEO of UM Labs Ltd, a company dedicated to researching VoIP security threats and developing effective controls against those threats. He has over 20 years experience of IP application security and was a co-founder of Firewall and email security specialist Borderware Technologies Inc.

Comments

blog comments powered by Disqus

INVITE of death, does this spell doom for VoIP?
Add Your CommentAdd Your Comment
Print E-mail Add to favorites
More Options More Options

News

Google Announces Instant Feature
Google Announces Instant Feature
Cisco And Itron Partner For Smart-Grid Networking
Cisco And Itron Partner For Smart-Grid Networking
Google Enables OpenID Log-In For Yahoo Users
Google Enables OpenID Log-In For Yahoo Users
News@5: Google Doodles, Vodafone Sells China Mobile Stake & Duke Nukem Demo
News@5: Google Doodles, Vodafone Sells China Mobile Stake & Duke Nukem Demo
iPod Nano iWatch Concept Image Emerges
iPod Nano iWatch Concept Image Emerges
Nokia Puts N8 Smartphone On Preorder List
Nokia Puts N8 Smartphone On Preorder List
Oracle To Pay Hurd $950,000 Per Year
Oracle To Pay Hurd $950,000 Per Year
Cisco And Citrix Partner For Desktop Virtualisation Solutions
Cisco And Citrix Partner For Desktop Virtualisation Solutions
iTunes Users License Songs, Not Buy Them, Court Rules
iTunes Users License Songs, Not Buy Them, Court Rules
No Anti-Terror Data On Police USB Stick
No Anti-Terror Data On Police USB Stick
Microsoft's Xbox 360 Special Edition Kinect UK Bundle Cheapest Yet
Microsoft's Xbox 360 Special Edition Kinect UK Bundle Cheapest Yet
IBM Unveils New Global Water-Management Projects
IBM Unveils New Global Water-Management Projects
eBay Launches Eco Friendly Packaging
eBay Launches Eco Friendly Packaging
New Google Doodle Adds To Mystery
New Google Doodle Adds To Mystery
New Spam Attack Exploits Facebook Flaw
New Spam Attack Exploits Facebook Flaw
More News

Hot Topics

Office Web
Office Web

Office web is the latest addition to Microsoft's Office business suite and is set to be the company's most revolutionary version.

Office 2010
Office 2010

Microsoft's 14th version of its award winning, multi-billion dollar cash cow business suite, is the company's most ambitious to date.

Spotify
Spotify

Spotify is certainly one of the most popular online music websites in the world which is a feat for a service that was officially launched only in February 2009

More Hot Topics  



 



Related Tags


News Now Logo




Hot Topics
Related Tags
 
 
Office WebOffice 2010SpotifyNokia OVIMicrosoft BingPalm Pre Windows 7 Release CandidateThe Pirate BayPhormGoogle Buying Twitter
Newsletter
 



Navigation
Channels
 RSS
 
Home
News
Deals
Reports
Reviews
Terms
Podcasts
Events
All Channels
SecurityNetworkingStorageOpen SourceWindows7Android  New!
All ChannelsSecurityNetworkingStorage
Search
 

© 2009 Net Communities.All rights reserved.   About usContactPrivacy PolicyTerms and ConditionsWhat is this site?AdvertiseTechdealspro Disclaimer
  • Apple
  • Mobiles
  • Mobile Services
  • Iphone
  • VoIP
    • Forgot your password?