The last couple of weeks have seen two significant VoIP vulnerability reports. The first, with the alarming name INVITE of Death, reported a vulnerability in an open source security product where a single malformed call request (or INVITE) can trigger a service failure (see http://ims-bisf.nexginrc.org/OpenSBC-vul.html). The tested product uses a popular SIP stack and so the same problem may appear in other products.
The second vulnerability, with the comparatively mundane name of SIP Digest authentication relay attack, is technically much more complex. The vulnerability was originally discovered by INRIA, a French National Research Institute, and has now been documented in an Internet Draft.
The attack relies on making a call to a target device and then sending a carefully designed sequence of valid messages which trick the target device into authenticating a second call made by the attacker. An attacker could use this technique to make calls via a commercial service provider at the victim’s expense. This is yet another example of a toll-fraud attack, a topic that I have discussed before.
Far from spelling doom for VoIP, the INVITE of Death attack simply demonstrates that VoIP is affected by exactly the same types of vulnerabilities as any other IP application. In this case, a simple implementation error leaves the application open to a remote Denial of Service attack. This vulnerability has already been fixed by the product developers.
The relay attack is more of a concern. The attack is made possible by protocol design features. This means that careful planning and implementation, together with well-designed security controls, are needed to protect against the threat.
Both of these vulnerabilities underline an important point. VoIP applications are open to application-level security threats which can disrupt the service or allow an attacker to gain privileged access to the system.
Application-level threats require application-level security controls. So if you are relying on a generic firewall to protect your voice system, the chances are that it will not block or even detect these threats.