Sunday, October 28, 2007

Server impersonation and SIP

Was reading Sipera's latest advisories. The server impersonation advisory caught my eye mostly because we've seen something similar to this over here during testing. We hadn't published this information until now .. so here goes.

A good number of SIP softphones, and we would assume VoIP phones (hardware), will ring upon receiving an INVITE request. Three months ago we worked on 3 stories, two of which describe protagonists abusing this behavior and are still unpublished. I'm working on getting these two stories published soon.

As hinted by the Sipera advisory, this behavior has a few implications, the major ones being that it can be abused for spamming and social engineering attacks.

These are the softphones that were found to display this behavior:
  • X-lite release 1011b
  • Ekiga 2.0.11 (beta)
  • SJPhone 1.65.377a
Also quickly tested Gizmo project 3.1.2 and it did not exhibit the same behavior. Did not try to spoof the packet source IP etc.

How do you test for this?
Use your favorite SIP phone to call an address like sip:whatever@192.168.1.1:5060, where 192.168.1.1 is the destination IP of the SIP phone. There is no need to spoof IP addresses or anything like that for the above. In the story (that I'll try to publish tomorrow), the attacker makes use of X-lite. If making use of X-lite, select the option "target domain" in the "Send outbound via:" config.

If you have any results please post a comment or send me an email.
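
A defender-side check for the behavior described above, as an added example that is not part of the original post: it classifies SIP requests arriving at a phone and rejects INVITEs that did not come from the phone's proxy or are not addressed to its registered contact. The proxy address, the user name `alice` and the sample messages are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (constructed values, not from the post): the phone registers
# through one outbound proxy and its registered Contact user part is "alice".
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.10")}
REGISTERED_USER = "alice"

# Method, optional user part, host[:port], optional URI parameters.
REQUEST_LINE = re.compile(
    r"^([A-Z]+) sips?:(?:([^@\s;]*)@)?([^\s;]+)(?:;\S*)? SIP/2\.0\r?$")

def classify_request(src_ip, raw_message):
    """Return (verdict, reasons) for one SIP request received by the phone."""
    m = REQUEST_LINE.match(raw_message.split("\n", 1)[0])
    if not m:
        return "ignore", ["not a SIP request line"]
    method, user, _hostport = m.groups()
    if method != "INVITE":
        return "ignore", ["method is not INVITE"]
    reasons = []
    if ipaddress.ip_address(src_ip) not in TRUSTED_PROXIES:
        reasons.append("INVITE did not arrive from the configured proxy")
    if user != REGISTERED_USER:
        reasons.append("Request-URI user is not the registered contact")
    return ("reject" if reasons else "accept"), reasons

# Constructed sample traffic: (source IP, raw request) pairs.
SAMPLES = [
    ("198.51.100.7",
     "INVITE sip:whatever@192.168.1.1:5060 SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bKconstructed1\r\n\r\n"),
    ("203.0.113.10",
     "INVITE sip:alice@192.168.1.1:5060 SIP/2.0\r\n"
     "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKconstructed2\r\n\r\n"),
    ("203.0.113.10",
     "OPTIONS sip:alice@192.168.1.1:5060 SIP/2.0\r\n\r\n"),
]

def run_samples():
    return [classify_request(ip, msg) for ip, msg in SAMPLES]

if __name__ == "__main__":
    for (ip, _), (verdict, reasons) in zip(SAMPLES, run_samples()):
        print(ip, verdict, "; ".join(reasons))
```

Over UDP the source address can be forged, so the proxy check is a filter rather than authentication of the caller.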


Tuesday, September 18, 2007

MediaDefender Phone Call was over VoIP

If you're not familiar with the leak, this article on TorrentFreak talks about phone calls between a New York attorney and MediaDefender which were leaked out.

Funnily enough (for some), during the phone call one of the parties says: "what we could do if you wanted, change the port ... change the login, obviously the password, if you guys need to know the password that we're using we can just communicate that by phone. .... If you need to .. anything which is really really sensitive we can just communicate in this [phonecall] fashion".

There were different opinions on how this call was captured. One suggestion floating on the forums is that the VoIP call was recorded by one of the parties (MediaDefender or NY attorney) and put on a compromised server. Another idea is that the call was sniffed by the attacker.

Whichever way this call was compromised, this shows two things with regard to VoIP communications:
  • Phone traffic now goes over the Internet. Don't assume that your call cannot be intercepted over the Internet; that assumption is very outdated.
  • Encryption definitely has an important place in VoIP security. In this case, it would probably have helped.
