Flaw in standard puts VoIP gear at risk

VoIP is making it easier to wage cyberwar, an analyst reported last week, just as flaws that make some VoIP products vulnerable were revealed.

"By 2005, the United States and other countries will have the ability to conduct cyberwarfare," according to a Gartner report. "The increasing use of voice over IP and the converging of voice/ data networks is facilitating it."

Because IP networks are subject to sophisticated, automated attacks, voice traffic on those networks is more vulnerable, says David Fraley, author of "Cyberwarfare: VoIP and Convergence Increase Vulnerability."

The release of his report roughly corresponded with the announcement by a British government agency that the H.323 International Telecommunications Union standard used in many VoIP products contains flaws that can be exploited by attackers. Cisco, Microsoft and Nortel acknowledged that some of their products are susceptible to the weaknesses in H.323, which is an umbrella standard.

"This is exactly the type of opportunity an aggressor would use to attack the U.S.," Fraley says.

The vulnerabilities can leave products open to denial-of-service (DoS) and buffer-overflow attacks, and even let hackers load malicious code, according to the U.K.'s National Infrastructure Security Co-ordination Centre (NISCC), which commissioned the tests that uncovered the problem.

Affected devices range from firewalls to routers to IP phones, PBXs and softswitches, according to alerts put out by affected vendors. None has reported detecting attacks that try to take advantage of the vulnerabilities, but advisories from vendors had customers reviewing their networks and calculating their exposure.

"We're looking into it, trying to get a better feel for the problem," says Mike Phillips, director of IT for West Virginia University Foundation, which uses Cisco VoIP equipment in its 60-person Morgantown office. He says he wanted to talk to Cisco directly to assess his risk.

Chicago construction company Barton Marlow was breathing easy because it had the most recent versions of software and patches for its Cisco voice gear, says Phil Go, CIO. The company uses Cisco routers to carry IP voice and data between three offices across the country. The latest version of Cisco's IOS software corrects the H.323 problem.

It is most likely that the H.323 flaw would be used to disrupt networks rather than hijack voice calls and eavesdrop, says Jim Valentine, a senior network engineer for network integration and consulting firm International Network Services. Attacks that affect VoIP have been against general network infrastructure rather than targeted at VoIP gear, he says, but that will change. "As more and more VoIP is deployed, you'll see more and more exploits against it," he says.