Wednesday, November 21, 2007

it's the end of the world as we know it

Here are some apocalyptic scenarios related to VoIP and SIP:
Not exactly positive reports on VoIP - what they're effectively saying is that VoIP's growing share of the phone market is a ticking bomb that will have great repercussions from a security point of view.

But IMHO, one thing's for sure - with big vendors like Microsoft entering the market, VoIP is here to stay.

Tuesday, November 20, 2007

introduction to svmap

Svmap is a network scanner for SIP. Similar to nmap, it scans for devices on the ports specified through command line options. Once svmap finds a device that supports SIP, it extracts information from the response and identifies the type of device. Anyone running this tool will typically end up with a list of IP addresses of SIP devices and the names of those devices.

A penetration tester or security auditor will probably find this tool particularly useful during reconnaissance. With the IP address, device name and possibly version at hand, he or she can then target security weaknesses specific to that device. A security administrator or security analyst can also make use of svmap to list the different active SIP user-agents on the network. Based on this information, the security administrator is then able to identify rogue and vulnerable devices that pose a security concern.

Svmap is able to scan for SIP devices much faster than generic UDP port scanners. Typical port scanners such as nmap scan UDP ports by sending a packet to each port and expecting an ICMP error which indicates that the port is closed. If no ICMP error is received within a reasonable time, the port scanner assumes that the port is either open or filtered. While this method has worked for years, it can hardly be considered efficient or neat, for at least two reasons:
  • The majority of UDP ports are closed - therefore having to wait for each ICMP error to confirm that the port is closed is not a good idea
  • Nowadays a lot of devices are behind firewalls or NAT and will never reply with an ICMP error
Svmap works by sending a UDP packet containing a SIP request to a range of specified IP addresses, and listing those that send back a valid SIP response. Since UDP is a connectionless protocol, this method can be relatively fast. For example, during testing we were able to identify around 200 SIP devices on one particular network, out of a scan of IP addresses in less than 3 minutes. On the other hand, when we scanned the same network with nmap version 4.20 (default options for a -sU scan on port 5060), it took longer than 20 minutes, at which point we stopped the scan.
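The request-and-response mechanism described above, as an added example in Python that is not svmap's own code: a builder for the SIP request (assumed here to be an OPTIONS request) and a parser that keeps only datagrams which are well-formed SIP responses to our own probe, then maps replying IPs to the User-Agent/Server strings an administrator would use to inventory devices. The Call-ID check, the header names and the sample replies are constructed for this example.

```python
import re
import uuid


def build_options_probe(target_ip, call_id, target_port=5060, source_ip="192.0.2.10"):
    """One SIP OPTIONS request, the UDP payload sent per target (RFC 3261 mandatory headers only)."""
    return (f"OPTIONS sip:{target_ip}:{target_port} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {source_ip}:5060;branch=z9hG4bK{uuid.uuid4().hex[:16]};rport\r\n"
            f"Max-Forwards: 70\r\nFrom: <sip:probe@{source_ip}>;tag={uuid.uuid4().hex[:8]}\r\n"
            f"To: <sip:{target_ip}:{target_port}>\r\nCall-ID: {call_id}\r\n"
            "CSeq: 1 OPTIONS\r\nContent-Length: 0\r\n\r\n").encode()


def parse_sip_response(data, expected_call_id):
    """Return {"status", "agent"} for a SIP response to our probe, else None."""
    head = data.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)          # unfold continuation lines (RFC 3261 7.3.1)
    lines = head.split("\r\n")
    m = re.match(r"^SIP/2\.0 (\d{3}) ", lines[0])
    if not m:
        return None                                  # not a SIP status line: ignore the datagram
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            return None                              # malformed header: reject rather than guess
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    # Any status (200, 404, 401, ...) proves a SIP stack is listening; a foreign Call-ID is dropped as unsolicited
    if headers.get("call-id", headers.get("i")) != expected_call_id:
        return None
    agent = headers.get("user-agent") or headers.get("server") or "unknown"
    return {"status": int(m.group(1)), "agent": agent}


def inventory(replies, expected_call_id):
    """Map each replying IP to the agent string it reported; non-SIP and spoofed datagrams are ignored."""
    parsed = ((ip, parse_sip_response(d, expected_call_id)) for ip, d in replies)
    return {ip: p["agent"] for ip, p in parsed if p}


# Constructed replies (not captured traffic): two SIP devices, one reply with a foreign Call-ID, one non-SIP datagram
PROBE_CALL_ID = "constructed-callid-1"
SAMPLE_REPLIES = [
    ("192.0.2.20", b"SIP/2.0 200 OK\r\nCall-ID: constructed-callid-1\r\nUser-Agent: Asterisk PBX\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.21", b"SIP/2.0 404 Not Found\r\ni: constructed-callid-1\r\nServer: ExamplePhone/1.0\r\n\r\n"),
    ("192.0.2.22", b"SIP/2.0 200 OK\r\nCall-ID: some-other-id\r\nUser-Agent: Spoofed\r\n\r\n"),
    ("192.0.2.23", b"\x12\x34\x81\x80 not sip at all"),
]
```

Running `inventory(SAMPLE_REPLIES, PROBE_CALL_ID)` keeps only the two hosts that answered our probe with a SIP status line, whatever the status code was.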

For examples on how to use svmap check out the wiki.
Download the whole SIPVicious tool suite from the project page.

Tuesday, September 18, 2007

MediaDefender Phone Call was over VoIP

If you're not familiar with the leak, this article on TorrentFreak talks about phone calls between a New York attorney and MediaDefender which were leaked out.

Funnily enough (for some), during the phone call one of the parties says: "what we could do if you wanted, change the port ... change the login, obviously the password, if you guys need to know the password that we're using we can just communicate that by phone. .... If you need to .. anything which is really really sensitive we can just communicate in this [phonecall] fashion".

There were different opinions on how this call was captured. One suggestion floating on the forums is that the VoIP call was recorded by one of the parties (MediaDefender or the NY attorney) and put on a compromised server. Another idea is that the call was sniffed by the attacker.

Whichever way this call was compromised, it shows two things with regards to VoIP communications:
  • Phone traffic now goes over the Internet. Don't assume that your call cannot be intercepted over the Internet .. that assumption is very outdated.
  • Encryption definitely has an important place in VoIP security. In this case, it would probably have helped.

Friday, September 7, 2007

Security Analysis of Voice-over-IP Protocols

This paper talks about the state of security, or lack of it, in the VoIP protocols. It focuses heavily on encryption and introduces some attacks in that area. Of interest:
  • A replay attack on the SDES key exchange that causes SRTP to use the same keystream in multiple sessions. This means that the attacker effectively removes the encryption from SRTP-protected data streams.
  • An attack on ZRTP involving unauthenticated user IDs. This allows authentication to be bypassed or disabled, or a DoS attack.
  • A security issue related to randomness in MIKEY.
