Tuesday, January 6, 2009

VOIP Scanning on the increase

Various service providers and vendors have noticed an increase in VoIP scanning traffic. Arbor Networks mentioned VoIP attacks as one of their increasing concerns. A Norwegian honeynet detected various INVITE requests trying to get VoIP systems on the internet to dial specific numbers. This scan is for open VOIP relays. VoIP attacks are nothing new really and some people in the telco-fraud business seem to have been around for quite a while. What is new is that they are getting detected more and more (and I'm getting more emails about this) which probably means that the scans are on the increase.

Some traffic is borne from custom tools, probably designed from stage one to conduct fraud. Other traffic is generated by publicly available tools such as SIPVicious. My suggestion is to scan your network with SIPVicious and remove any SIP devices that should not be exposed to the internet. If the VoIP system needs to be exposed, at least make sure that the user extension passwords are not predictable (use svcrack to test this).

Here are some blogs and articles that mentioned SIPVicious scans:
If you come across any such scans or related stories, drop me an email.
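For the detection side of the scans described above, here is an added example (not code from SIPVicious or from this blog) that tags captured SIP requests by source. The sample traffic, the addresses, the tag names and the threshold are constructed assumptions, and the "friendly-scanner" User-Agent is the SIPVicious default known from general experience rather than from this page.

```python
import re
from collections import defaultdict

REQUEST_LINE = re.compile(r"^([A-Z]+) sips?:(?:([^@\s;]+)@)?\S+ SIP/2\.0$")
TO_USER = re.compile(r"sips?:([^@>\s;]+)@")
PSTN_LIKE = re.compile(r"^\+?\d{7,}$")  # long digit string: outside number, not an extension
SWEEP_THRESHOLD = 3  # distinct REGISTER targets per source; tune for real traffic

def parse_request(raw):
    """Return (method, request_uri_user, headers) or None if the request line is malformed."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    m = REQUEST_LINE.match(head[0])
    if not m:
        return None
    pairs = (line.partition(":") for line in head[1:])
    headers = {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}
    return m.group(1), m.group(2), headers

def classify(events):
    """Map each source IP to the set of scan indicators seen from it."""
    findings, targets = defaultdict(set), defaultdict(set)
    for src, raw in events:
        parsed = parse_request(raw)
        if parsed is None:
            continue
        method, user, headers = parsed
        # Default SIPVicious User-Agent (general knowledge, not stated on this page).
        if "friendly-scanner" in headers.get("user-agent", "").lower():
            findings[src].add("scanner-user-agent")
        authed = "authorization" in headers or "proxy-authorization" in headers
        if method == "INVITE" and user and PSTN_LIKE.match(user) and not authed:
            findings[src].add("relay-probe")  # unauthenticated call to an outside number
        to = TO_USER.search(headers.get("to", ""))
        if method == "REGISTER" and to:
            targets[src].add(to.group(1))
            if len(targets[src]) >= SWEEP_THRESHOLD:
                findings[src].add("extension-sweep")
    return dict(findings)

def _req(line, to, extra=""):  # builds one constructed request
    return f"{line} SIP/2.0\r\nTo: <sip:{to}@203.0.113.5>\r\n{extra}\r\n"

SAMPLE = [  # constructed traffic, documentation address ranges
    ("198.51.100.9", _req("INVITE sip:0015550100123@203.0.113.5", "0015550100123")),
    ("192.0.2.20", _req("INVITE sip:204@203.0.113.5", "204", "Authorization: Digest x\r\n")),
] + [("198.51.100.7", _req("REGISTER sip:203.0.113.5", e, "User-Agent: friendly-scanner\r\n"))
     for e in (100, 101, 102)]

if __name__ == "__main__":
    print(classify(SAMPLE))
```

The User-Agent check only catches tools left at their defaults, so the relay-probe and extension-sweep tags are the ones that still fire for custom tooling.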


Sunday, August 10, 2008

New SIPVicious release 0.2.4

Just updated the release of SIPVicious to 0.2.4 to include a couple of bug fixes in svwar and a new feature. The new "--template" parameter allows you to make use of format strings to create more flexible ranges. Some examples include scanning prefixes or suffixes, which apparently can be quite useful in certain environments ;-)

Many thanks to Teodor Georgiev for his patience and help in making SIPVicious more robust and reliable!

Here's a link to the full Changelog.

Grab the tarball or the zip file.
To upgrade to the svn version simply run "svn update" as usual - enjoy


Tuesday, June 17, 2008

Ladies and Gentlemen please welcome..

EnableSecurity! I will be publishing my security research and rants as well as providing Security Consultancy, Research and Design. A brief "who am I" can be seen at the Linkedin Profile page, while Google has further details.

So what sort of things am I doing?
  • Wireless security auditing
  • Web Application Security
  • VoIP security research
  • Reverse Engineering

I'll continue developing SIPVicious and publish additional tools to help security professionals get the job done.

And one more thing - I suggest that you subscribe to the RSS as I shall be releasing some research later on this week.


Wednesday, November 21, 2007

it's the end of the world as we know it

Here are some apocalyptic scenarios related to VoIP and SIP:
Not exactly positive reports on VoIP - what they're effectively saying is that VoIP's increase in the phone market is a ticking bomb that will have great repercussions from a security point of view.

But IMHO, one thing's for sure: with big vendors like Microsoft entering the market, VoIP is here to stay.
