[VOIPSEC] [VOIPSA Tech Board] Do we want to make a statement on this VoIP hacking story to the VOIPSEC list? First Major VoIP Hacking Scheme Uncovered

dhiraj.2.bhuyan at bt.com dhiraj.2.bhuyan at bt.com
Mon Nov 7 12:35:52 CST 2005


There are security issues in many of the current VoIP billing solutions that still need to be addressed. For example, a "modified" SIP phone may initiate a call and once the call is established, the SIP phone terminates the call (at SIP layer), but continues sending and receiving the RTP media streams. Since the RTP media stream is end to end (for most VoIP solutions), the billing system is fooled into believing that the call is over.

Dhiraj Bhuyan
Senior Security Researcher
British Telecom, UK

-----Original Message-----
From: Voipsec-bounces at voipsa.org on behalf of Igor Shatenko
Sent: Mon 11/7/2005 5:49 PM
To: Bogdan Materna; Richard Timmons; Paul Slaby; dan_york at Mitel.com; leaders at voipsa.org; Voipsec at voipsa.org
Subject: Re: [VOIPSEC] [VOIPSA Tech Board] Do we want to make a statement on this VoIP hacking story to the VOIPSEC list? First Major VoIP Hacking Scheme Uncovered
 
Hi,

The issue is definitely overblown by the media. It looks like a bug in
software and not a fundamental issue of billing services. I think, in
general, call billing should be based on call initiation and RTP stream
continuity versus end call setup. Regarding the vulnerability: every claim
like this should be supported by hard evidence, rather than talking
about some billing companies. I agree with Dan on this.

Sincerely,

Igor Shatenko
Senior Security Analyst
VoIPshield Systems Inc.
16 Fitzgerald Road, Suite 250
Ottawa, Ontario K2H 8R6
Tel. (613) 224-4443 ext. 320
fax (613) 224-3891
SIP: 313 at voipshield.com
email: ishatenko at voipshield.com

________________________________

From: leaders-bounces at voipsa.org [mailto:leaders-bounces at voipsa.org] On
Behalf Of dan_york at Mitel.com
Sent: November 7, 2005 12:02 PM
To: leaders at voipsa.org
Subject: [VOIPSA Tech Board] Do we want to make a statement on this VoIP
hacking story to the VOIPSEC list? [VOIPSEC] First Major VoIP Hacking
Scheme Uncovered
Importance: High


VOIPSA Tech Board members,

While we discussed - and dismissed - this "story" about a massive VoIP
hacking scheme on our own internal "leaders" list for the VOIPSA
technical board, someone did post the link to the public VOIPSEC mailing
list (as shown below).  I've also personally fielded yet more inquiries
from various folks who have seen this story cross-posted in various
places.

Given that we know that it's overblown hype, do we want to make what
amounts to a public statement to that effect?

I'm not saying that we issue a news release, etc., but a reply to the
posting in the VOIPSEC mailing list from, say, you, David (not to put
you on the spot, but... ), or Jonathan or someone else from the VoIPSA
board might be an effective way to pour some water on the fire (and show
that VOIPSA has some value in its communication between members).  I
honestly hate to give the article author the additional exposure of a
response... so I don't know.

Perhaps something like:

  We have investigated the article and as best we can tell this has to
  do with modifying the billing codes to obtain free calls, something
  that has always been a concern in PBX environments and something which
  most products guard against.  We have contacted VOIPSA members,
  including one quoted in the article, and received agreement that this
  is not anything new and is not at all anything specific to VoIP.
  VOIPSA members continue to monitor the issue but at the moment have
  not been able to find any indication of actual exploits of this
  suggested vulnerability beyond a couple of isolated cases.

The problem, of course, is that any response like that begs the addition
of:

  We would ask the author to make publicly available any information he
  has about actual exploits as we have not yet found any real evidence
  of this.

Or something like that.  On the one hand, I don't think we want to
challenge the author, but on the other hand, I think we want to make
sure people don't treat this as a real threat.

I don't know if we want to do this, but if there was a statement from
VOIPSA, I think it would help reassure people (and we individual members
can then point to the VOIPSA message).

Thoughts?   Should we do this?

Regards,
Dan 

-- 
Dan York, CISSP, Director of IP Technology, Office of the CTO
Mitel Corporation   http://www.mitel.com/  dan_york at mitel.com
Ph: +1-613-592-2122   350 Legget Drive, Ottawa, ON, K2K 2W7 Canada
PGP key (F7E3C3B4) available for secure communication

----- Forwarded by Dan York/Kan/Mitel on 11/07/2005 11:21 AM ----- 

Hank Nussbacher <hank at efes.iucc.ac.il>
Sent by: Voipsec-bounces at voipsa.org
11/06/2005 01:25 AM

To: voipsec at voipsa.org
cc:
Subject: [VOIPSEC] First Major VoIP Hacking Scheme Uncovered

http://www.accessintel.com/cgi-bin/press/show.cgi?1130972376

"According to Zipper, hackers have figured out a way to manipulate the
IP stream in order to steal long-distance service. Many in the
communications industry are keeping things quiet while they assess the
full extent of the potential damage, but sources admit this security
breach "could expose a lot of companies to a great deal of fraud.""

-Hank


_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
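
Added example (not part of the original thread and not any vendor's billing code): a reconciliation check for the case discussed above, where the SIP dialog ends but RTP keeps flowing, along the lines of the suggestion to tie billing to RTP stream continuity. It assumes a border element or flow probe that can see the media; the record types, field names and sample values are hypothetical.

```python
from dataclasses import dataclass

GRACE_S = 2.0  # assumed tolerance for packets still in flight after BYE

@dataclass
class SipCall:          # one signalling record, as a billing CDR would hold it
    call_id: str
    media: frozenset    # the two negotiated RTP endpoints ("ip:port") from SDP
    answered: float     # time of the 200 OK to INVITE (epoch seconds)
    ended: float        # time of the BYE

@dataclass
class RtpFlow:          # one direction of media as seen at the border
    src: str
    dst: str
    first_seen: float
    last_seen: float

def media_after_bye(calls, flows, grace=GRACE_S):
    """Return {call_id: seconds of RTP observed after the SIP BYE}."""
    findings = {}
    for call in calls:
        for flow in flows:
            if frozenset((flow.src, flow.dst)) != call.media:
                continue
            # Skip flows of an earlier or later call that reused the same ports
            if flow.last_seen < call.answered or flow.first_seen > call.ended:
                continue
            overrun = flow.last_seen - call.ended
            if overrun > grace:
                findings[call.call_id] = max(findings.get(call.call_id, 0.0), overrun)
    return findings

# Constructed sample data (documentation addresses, not taken from the thread)
CALLS = [
    SipCall("a1", frozenset({"192.0.2.10:4000", "198.51.100.7:5004"}), 100.0, 160.0),
    SipCall("b2", frozenset({"192.0.2.11:4002", "198.51.100.8:5006"}), 100.0, 110.0),
]
FLOWS = [
    RtpFlow("192.0.2.10:4000", "198.51.100.7:5004", 100.2, 160.4),
    RtpFlow("198.51.100.7:5004", "192.0.2.10:4000", 100.3, 160.1),
    RtpFlow("192.0.2.11:4002", "198.51.100.8:5006", 100.2, 1900.0),
    RtpFlow("198.51.100.8:5006", "192.0.2.11:4002", 100.3, 1899.5),
]

# Call b2 was billed for 10 s but carried media for about 30 minutes
print(media_after_bye(CALLS, FLOWS))
```

A flagged call can be re-rated from the last RTP packet time instead of the BYE time, or have its media pinholes closed when the BYE is seen.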
