I just want to add some (maybe) answers and notes:
1. Insufficient verification of data
- Can be handled with different Secure VoIP solution:
- SRTP, SSIP, TLS, IPSEC, ...
2. Execution flaws
- This is not just the VoIP topic, this is general
- I think developers do care about SQL queries and stuff.
3. String/array/pointer manipulation flaws
- This it again not just the VoIP topic. The same applies when you are using for example an Internet Banking application.
4. Low resources
- Not anymore, plus the VoIP processing is pretty lightweight (if you don't use compression, encryption, ..., but anyway the signaling is lightweight)
5. Low bandwidth
- Looks like you are talking about BW at the provider's side. Answer: Load balancing
6. File/resource manipulation flaws
- I don't think so.
7. Password management
- The same applies to your bank account - anyone who has access to the servers in your bank may have access to your account.
- Some implementations of VoIP are using PKI instead of username/password.
8. Permissions and privileges
- True.
9. Crypto and randomness
- This is an issue if you are providing a service for different endpoints from different vendors. The problem is that some VoIP clients may support encryption, some don't, some in one way, other in other way :-/
- But this is more a problem of standardization.
- In one vendor solution it is not an issue.
10. Authentication and certificate errors
- Yeah the theory is right, but usually VoIP applications are now protected against this issue.
11. Error handling
- Again the Internet banking ... brute force may work with almost anything. The question is if you have enough power and time :)
12. Homogeneous network
- Having a homogeneous network is usually preferred - you are managing only one kind of devices, one vendor, ...
- It's true that if there is a 0-day exploit - yeah, your entire network may be down in some minutes. But usually if you are following some security best practices - it's not a problem.
13. Lacking fallback system
- SIP SRV for example
- Cisco UCM Cluster
- ...
14. Physical connection quality and packet collision
- Yeah, this is a real problem :-(
- In some ways can be handled by using QoS techniques
At the end, I think VoIP is ready to be deployed. We should not be afraid of using new technologies. Every new technology may bring new challenges, but it's up to us if we will overcome those challenges, or we will invent something new, hopefully better ;-)
And one joke (but real) at the end (I just wrote this into my personal blog maybe 3 or 4 days ago but it is about this topic):
What's the difference between calling using a PSTN or cell phone and VoIP?
Well, if you use a PSTN or cell phone, then usually you start your conversation by saying "Hi, how are you? ..."
If you are using a VoIP, you ususally start your conversation by saying "Can you hear me? No, still no? Hallloooo, do you hear me? Oh, finally, So Hi, how are you? ..."
Latest convergence headlines from Network World:
The world enterprise telephony markets
BT's fully-managed video solution
|
Does Verizon's Voyager stack up to the iPhone? |
|
|
5 IT skills that won't boost your salary 
[1,407]
Women 4 times more likely than men to cough up personal info [589]
Japan's 10 funniest tech-related commercials [Videos] [407]
Throwing away a promo CD is "unauthorized distribution"? [1,265]
Adults too quick to dismiss educational video games [682]
Attack of the iPhone clones [Slideshow] [578]
10 things IT needs to know about AJAX [1,258]
This Year's 25 Geekiest 25th Anniversaries [Slideshow] [409]
|
|
Nothing new here. Please move along...
These are for the most part generic vulnerabilities - VoIP security has been done better elsewhere
VoIP security has been done better elsewhere
Any references pointers for the rest of us?
Or is this some kind of "special" group that one needs a secret handshake to obtain this wisdom?
phon1k
There is nothing new in VoIP security
The article out of its contexts from the entire book can give an impression like these are unsolvable problems. It was based on one chapter only!
All of the listed problems have a solution, and I hope we covered most of those solutions in the book. VoIP can be implemented correctly, if you give it a thought.
Unfortunately not all VoIP engineers come from IT background. And not all of them know anything about TCP/IP or the past problems with web or databases. Most of them know nothing about insecure programming practices. VoIP is a merger of telephony and IP-communications. It shares and mixes problems from both of these domains.
Some clarifications:
1. Insufficient verification of data: majority of the DEPLOYED devices do not use encryption, and even if they do they do not have data verification (those are two separate issues)
2. Execution flaws: VoIP application servers are not the same as Web application servers. I wish they were, so we did not have to make the same mistakes over and over again.
12. Homogeneous network: Ask yourself when did you last update the software on all the phones? If you feel confident with the answer then this is not a problem.
But as I said, this list is not about new vulnerabilities. All these have a solution available. A good deployment of VoIP is always better, faster, cheaper and more reliable than PSTN or cellular.
/Ari Takanen
replace "VoIP" with any other application...
...And you've seen this article a hundred times before.
Unfortunately equating
Unfortunately equating synchronous (i.e. realtime apps. such as VoIP/video) with asynchronous communications (i.e. email/IM/web application) creates a false perception of what security objectives are required in order to protect VoIP or any other real-time multimedia application. Indeed several existing security concepts can be used to provide protection. Some of the questions that typically need to be addressed are: (a)are these security concepts currently being implemented by products, (b) what are the requirements for real-time applications, (c) how effective are the current solutions?
Approach it as you were to build a car for the right purpose. Traveling across the Antarctic versus wining Formula-1 requires that the vehicles maintain different properties specific to the objectives of the mission (i.e. durability versus speed). Although in both cases the vehicles will have wheels, an engine (with different horse power), seats and a chasi they will differ greatly according to the objectives of the mission/purpose.
So, indeed conceptually we can use current methods to protect VoIP. But how we do that properly is a question that several people in the industry are working on.
Peter
VOIP Vulnerabilities
13. Lacking fallback system ??
there is a well worked fallback system, the good old TDM system...
TDM as fallback - NOT
Come on, I have never in my life owned a fixed line phone. I have used cellular only since 1991. Our company also has never (for close to 10 years) had fixed line phones. Everyone is mobile.