
Fatih Ozavci from Context Information Security highlights risks of growing VoIP attack surface and threats

August 2016 by Fatih Ozavci

With more organizations turning to VoIP (Voice over Internet
Protocol) and cloud-based Unified Communications (UC) systems to underpin their
commercial services and corporate communications, IT response and security testing
teams are struggling to keep pace with the VoIP attack surface and growing number of
threats in the wild, according to Fatih Ozavci from Context Information Security,
speaking at the Black Hat USA conference today.

“A lack of understanding of modern VoIP and UC security means that many service
providers and businesses are leaving themselves at risk to threat actors repurposing
this exposed infrastructure for attacks such as botnets, malware distribution,
vishing, DoS and toll fraud,” said Ozavci.

Ozavci points to potential vulnerabilities in major UC product suites and IMS
platforms, such as bypassing security measures, injecting malicious content to
messaging, caller identity spoofing and billing bypass, along with problems caused
by insecure configurations. “By exploiting these vulnerabilities, attackers could
gain unauthorized access to client systems or communication services such as
conference and collaboration, voicemail, SIP trunks and instant messaging,” said
Ozavci.

The Black Hat presentation highlights weaknesses in UC messaging, federated
communications and collaboration services that could be used to gain unauthorized
access to the UC environment and client systems, as well as attacking client systems
using signaling protocols and messaging. “These attacks can be used to compromise
the client systems connected using protocol and software vulnerabilities,” said
Ozavci, adding, “Dial plans, misconfigured SIP trunks, conference and network
infrastructures are also major targets for advanced attacks.”

The Context researcher has also looked at media transport protocols such as (S)RTP
for voice calls and for file, desktop and presentation sharing. The media transmitted
may contain confidential or sensitive information that is subject to PCI, COBIT or
other compliance requirements, such as credit card information on calls to IVR
services or customer privacy information.

“Due to insecure encryption and design issues, sensitive information in the media
that’s been transmitted can be exposed and compromised,” said Ozavci.

To help raise awareness of these VoIP and UC vulnerabilities, Ozavci has developed
the open source tools Viproxy and Viproy, which can be used for VoIP penetration testing.

