VoIP phone systems, relying on so-called soft phone software, may have thousands of potential vulnerabilities, researchers at Sipera Systems said at the annual Black Hat conference this week in Las Vegas.
Sipera revealed a technique that allowed researchers to take remote control of a PC running VoIP and the Session Initiation Protocol (SIP).
SIP is an application-layer control protocol used to create, modify and terminate sessions in IP PBX s, VoIP and other technologies.
The company's VIPER Lab research unit was able to take command of a PC running a soft phone VoIP application and cross boundaries into the data stored on the system. It did so by injecting a buffer overflow with an executable during an SIP-initiated call, according to Eric Winsborrow, Sipera's chief marketing officer.
The researchers took advantage of flaws in VoIP and SIP, he said. SIP and soft clients, including software shipped with Microsoft's Office Communication Server (OCS), use TCP ports 5060 and 5061, which are always open, unlike HTTP, which opens and closes port 80 as necessary.
The always-on state creates the potential for data theft from a laptop running a soft phone, Krishna Kurapati, Sipera's founder and CTO, told SCMagazine.com. Notably, the vulnerabilities - Sipera said it has uncovered more than 20,000 potential issues within VoIP – aren’t detected or stopped by traditional anti-virus products, he added.
The flaw has ramifications as enterprises move beyond what Sipera called VoIP 1.0 – VoIP running on a company's internal wide-area networking (WAN) infrastructure – and onto the internet. That environment, which Sipera called VoIP 2.0, will allow remote employees to access the corporate network from PC-based soft phones.
In VoIP 2.0 systems, a PC with a soft phone taken over remotely via a vulnerability such as a buffer overflow could be used to open files or gain access to the data resources within an enterprise, Winsborrow said. This should be a "huge scare" for chief security officers, he added.
Click here for the latest SC Magazine Podcast – July 30, 2007: Is the iPhone an IT security threat?