VoIP Research on the Rise

So, if you watch any of the vulnerability lists that are out there, you may have noticed a recent spike in vulnerabilities that have been identified in various VoIP implementations from various vendors. If you’re not sure what I’m talking about, you might think about heading on over to http://www.microsolved.com and downloading our free threat intelligence tool, Watchdog.

If you’re already a Watchdog user, you may have noticed that MSI decided to go from green to yellow earlier this week. That decision was based upon the release of several vulnerabilities that have been identified in Cisco’s implementation of various VoIP protocols (oh yeah, and it’s patch Tuesday). Those issues ranged in vulnerabilities that could allow remote code execution to denial of service. We’ve also seen several problems arise in Avaya’s implementation of VoIP protocols over the past couple of months as well.

MSI has been saying that VoIP vulnerabilities were going to start popping up, for some time now. If I remember correctly, we started addressing this in our State of the Threat presentations about a year and a half ago. Over that time we’ve seen significant progress in the tools that have been developed to assist in managing VoIP deployments. While those tools have helped a lot of companies with their VoIP implementations, we’ve also seen them introduce unintended risks into their environments. We’ve also seen many more much more nefarious tools that are allowing attackers to gain access to the VoIP system. And if you consider how useful fuzzing has become at identifying unknown problems in network traffic and applications, the sky is the limit when trying to determine where VoIP vulnerability research is going to end up. That is why MSI is ecstatic to have been approached by several different entities to perform VoIP Risk Assessments on their VoIP systems.

While a VoIP specific Risk Assessment may be a fairly new thing, the premise is not. It’s simply a way of applying a proven methodology to assess whether the new (or old) VoIP system hasn’t introduced unknown risks into the environment. The methodology that we use is very similar to our normal Risk Assessment of an Information Security Program, though there are some minor steps that had to be added and tweaked. The primary goal of these responsible organizations is to ensure that they are performing their due diligence by having a third party assess their VoIP implementations, and we applaud them for their initiative.

This entry was posted in General InfoSec by Troy Vennon. Bookmark the permalink.

About Troy Vennon

I recently separated from the U.S. Marine Corps after 8 years. I spent the first 3 1/2 years building classified and unclassified networks all over the world. There was a natural progression from building those networks to securing those networks. My last 4 1/2 years in the Marine Corps took me to Quantico, Va where I was stationed with the Marine Corps Network Operations and Security Command (MCNOSC). While with the MCNOSC, I was a member of the Security section, which was responsible for the installation and daily maintainance of the 34 Points-of-Presence that made up the Marine Corps 270,000+ user network. After a period of time with Security, I moved over to the Marine Corps Computer Emergency Response Team (MARCERT). There I was the Staff Non-Commissioned Officer of the MARCERT, which was responsible for the 24x7 monitoring of network traffic across the Marine Corps. Specifically, we monitored network traffic for malicious intent and investigated any network incidents as they occurred. While with the MCNOSC, I attained my CISSP, CCNA, and OPST (OSSTMM Professional Security Tester). I have been with MicroSolved for the past 4 months as the Senior Security Engineer, Technical Lead, and Project Manager.

Leave a Reply