Top VoIP Vulnerabilities in 2008
Sipera recently announced its list of Top 5 VoIP Vulnerabilities in 2007. A similar more detailed list was also released “Top 9 VoIP Threats And Vulnerabilities” by CMP Channel. Sipera has provided some input to the article so they are essentially the same list with a few more thrown in to make the list Top 9. These VoIP vulnerabilities stated are nothing new and have existed and remain almost the same since VoIP hit mainstream, however its good to release a Top 10 list every year to keep reminding people that it still exists!!
Top 5
Remote eavesdropping
VoIP Hopping
Vishing (Caller ID spoof and identity theft)
Toll fraud
The Skype worm
Top 9
VoIP Spam
VoIP Over Wi-Fi
Lack Of Robust Implementation
Weak Default Settings
While the threats to the VoIP landscape remain the same since VoIP’s introduction, the vulnerabilities have grown over the years. However VoIP exploits have yet to get attention akin to data theft or application flaws. There are many causes to this, arguably proprietary protocols, less publicity to VoIP related incidents, impact of exploits limited to small target groups (Home VoIP users, one company’s phone systems). In my view here are few more practical reasons why VoIP exploits will not be mainstream for 2008:
- VoIP endpoints being limited in resources, and with varied implementation leads to less successful exploitation
- Eavesdropping on VoIP calls still requires an advisory to the be in the path of the communications
- Companies understand and are willing to accept risks to their VoIP infrastructure (they place more importance to data networks)
- Exploited endpoints don’t yet create botnets (OS/application exploits in the wild are built and exploited for creating C&C botnets - less ROI for attackers)
That being said my picks for Top 6 VoIP Vulnerabilities for 2008:
Remote Eavesdropping
Default Configuration Weakness - Server and Endpoints
VoIP Client Application Worms (ym,gtalk,skype,msn,gizmo,office com. ser.)
FemtoCell-UMA Tunneling (carrier networks targeted)
DoS/Code Execution on Poorly Implemented VoIP Registrar/Hardware
VoIP Hopping
No related posts.
