Executive Editor

Flaw in standard puts VoIP gear at risk

Jan 19, 2004 · 5 mins
Cisco Systems, Microsoft, Networking

Cisco, Microsoft, Nortel issue fixes in wake of potential attacks.

Voice over IP is making it easier to wage cyberwar, an analyst reported last week, just as flaws that make some VoIP products vulnerable were revealed.

“By 2005, the United States and other countries will have the ability to conduct cyberwarfare,” according to a Gartner report. “The increasing use of voice over IP and the converging of voice/data networks is facilitating it.”

Because IP networks are subject to sophisticated, automated attacks, voice traffic on those networks is more vulnerable, says David Fraley, author of “Cyberwarfare: VoIP and Convergence Increase Vulnerability.”

The release of his report roughly corresponded with the announcement by a British government agency that the H.323 International Telecommunications Union standard used in many VoIP products contains flaws that can be exploited by attackers. Cisco, Microsoft and Nortel acknowledged that some of their products are susceptible to the weaknesses in H.323, which is an umbrella standard.

“This is exactly the type of opportunity an aggressor would use to attack the U.S.,” Fraley says.

The vulnerabilities can leave products open to denial-of-service (DoS) and buffer-overflow attacks, and even let hackers load malicious code, according to the U.K.’s National Infrastructure Security Co-ordination Centre (NISCC), which commissioned the tests that uncovered the problem.

Affected devices range from firewalls to routers to IP phones, PBXs and softswitches, according to alerts put out by affected vendors. None has reported detecting attacks that try to take advantage of the vulnerabilities, but advisories from vendors had customers reviewing their networks and calculating their exposure.

“We’re looking into it, trying to get a better feel for the problem,” says Mike Phillips, director of IT for West Virginia University Foundation, which uses Cisco VoIP equipment in its 60-person Morgantown office. He says he wanted to talk to Cisco directly to assess his risk.

Protect yourself

CERT issued recommendations on how to ward off attacks against vulnerable H.323 gear.
Filter all traffic coming in on ports used by H.323, 1720/TCP and 1720/UDP.
Limit access to only those machines that use H.323 for critical business.
Consider disabling application-layer inspection of H.323 packets by firewalls because these packets might contain attacks against the firewalls.
Coordinate among telephony, application, network and desktop staff to assess the threat in individual networks.
Implement vendor-recommended fixes as quickly as possible.
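
The first two recommendations can be verified against firewall logs: port 1720 traffic should be accepted only from the machines that need H.323. The following is an added example, not part of the original article or of any vendor or CERT advisory; the log format, the allowlisted networks and the function names are assumptions made for illustration.

```python
import ipaddress

H323_PORT = 1720  # port named in the recommendations above (TCP and UDP)

# Assumption: the machines that use H.323 for critical business.
ALLOWED_PEERS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]

# Constructed sample firewall log, one flow per line: src dst proto dport action
SAMPLE_LOG = """\
10.20.0.15 10.1.1.5 tcp 1720 ACCEPT
198.51.100.7 10.1.1.5 tcp 1720 ACCEPT
203.0.113.9 10.1.1.5 udp 1720 DROP
192.0.2.10 10.1.1.5 tcp 1720 DROP
198.51.100.7 10.1.1.5 tcp 443 ACCEPT
malformed line
"""

def parse_line(line):
    """Return (src, proto, dport, action), or None if the line is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    src, _dst, proto, dport, action = parts
    try:
        return ipaddress.ip_address(src), proto.lower(), int(dport), action.upper()
    except ValueError:
        return None

def audit_h323(log_text, allowed=ALLOWED_PEERS):
    """Classify every flow to port 1720 against the H.323 allowlist."""
    result = {"ok": [], "exposed": [], "blocked": [], "overblocked": [], "skipped": 0}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            result["skipped"] += 1       # count unparseable lines, never drop silently
            continue
        src, proto, dport, action = rec
        if dport != H323_PORT or proto not in ("tcp", "udp"):
            continue                     # not H.323 call-setup traffic
        trusted = any(src in net for net in allowed)
        accepted = action == "ACCEPT"
        if trusted:
            key = "ok" if accepted else "overblocked"   # overblocked: filter too strict
        else:
            key = "exposed" if accepted else "blocked"  # exposed: gap in the filter
        result[key].append((str(src), proto))
    return result

if __name__ == "__main__":
    for kind, flows in audit_h323(SAMPLE_LOG).items():
        print(kind, flows)
```

Any entry under "exposed" is a source outside the allowlist that reached port 1720 and marks a gap in the filter; "overblocked" entries are legitimate H.323 peers the filter is cutting off.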

Chicago construction company Barton Marlow was breathing easy because it had the most recent versions of software and patches for its Cisco voice gear, says Phil Go, CIO. The company uses Cisco routers to carry IP voice and data between three offices across the country. The latest version of Cisco’s IOS software corrects the H.323 problem.

It is most likely that the H.323 flaw would be used to disrupt networks rather than hijack voice calls and eavesdrop, says Jim Valentine, a senior network engineer for network integration and consulting firm International Network Services. Attacks that affect VoIP have been against general network infrastructure rather than targeted at VoIP gear, he says, but that will change. “As more and more VoIP is deployed, you’ll see more and more exploits against it,” he says.

One continuing concern is that voice and data running on the same network opens businesses to the possibility that both services will be lost in one attack, says Steven Taylor, president of Distributed Networking Associates.

The Gartner report says converging voice and data onto IP networks adds to the potential damage IP attacks cause. “At the massive scale implied by cyberwarfare, DoS or another brute-force attack would be an effective tool against voice communications,” according to Fraley’s report.

The scope of targets that could become vulnerable is widening, Fraley says. For instance, the monitoring systems for dams, electrical grids, power plants and railroads – formerly handled by the public switched telephone network – are being shifted to IP networks, he says. “IP connections create different vulnerabilities,” he says.

Gartner suggests the best way to protect these networks is to design backups with the assumption that primary networks will be subject to repeated and widespread outages.

While Gartner’s warning was general, the NISCC-reported flaw was found in a component of H.323, the session set-up phase known as H.225. The flaw is not with the protocol but rather with specific implementations of it as written by individual vendors.

Cisco, Microsoft, Nortel and some older versions of RADVision H.323 tool kits are known to be vulnerable. Companies investigating whether their gear is vulnerable include Avaya, Fujitsu, HP and Lucent, NISCC says. The CERT Coordination Center at Carnegie Mellon University in Pittsburgh lists 56 companies as possibly being affected, but describes the vulnerability status of most of them as “unknown” (read the CERT advisory here).

Microsoft says the H.323 vulnerability affects its Internet Security and Acceleration Server by letting potentially malicious remote code be executed on the servers. An update to fix the problem is available on Microsoft’s Web site (read Microsoft’s advisory here).

Cisco says certain versions of its CallManager IP PBX are vulnerable, as is a version of its IP phone and its softswitch. Certain versions of its IOS system software also are affected, as are some router-based firewalls. Cisco lists products affected and whether fixes are available or planned (read Cisco’s advisory here). In some cases Cisco plans no fixes.

Nortel says its Succession 1000, Business Communications Manager and its 801.11 Wireless IP Gateway are affected.