Skip the navigation
News

New cross-site scripting attack targets VoIP

Proof of concept shows vulnerability in VoIP desktop clients using SIP

By Jon Brodkin
October 30, 2007 12:00 PM ET

Network World - Security researchers have found a way to execute cross-site scripting attacks through VoIP clients, introducing a dangerous new threat almost no one is guarding against, according to vendor Secure Computing Corp.

"It's simply the first time we've seen what's regarded as a Web 2.0 exploit ... being used against VoIP," said Paul Henry, vice president of strategic accounts at Secure Computing. "Few [people], if anyone, bother filtering the VoIP communications happening over SIP because they don't want any performance degradation. Hence, these types of attacks are going to grow."

VoIP desktop clients using the Session Initiation Protocol are the problem area, Henry said. Security researchers discovered the flaw on Oct. 8 and posted a proof-of-concept code on the Internet describing the vulnerability, which they found in a Linksys VoIP product. Henry is not yet aware of the attack being used against real users but said it's just a matter of time now that the proof of concept is out there.

"It's the tip of the iceberg," Henry said. "I'm very concerned specifically about VoIP because most people who deploy VoIP are doing so in order to save money. ... I'm seeing very little consideration given to security. The field is ripe for picking by the bad guys."

Henry called it irresponsible to publicly disclose security vulnerabilities without first giving the vendor a chance to create a patch. However, some researchers have said they want to raise awareness about risks with earlier public disclosures, because vendors are slow to respond to vulnerabilities.

This particular cross-site scripting attack could be used to install software on a PC allowing hackers to record and listen to VoIP phone calls, according to Henry. A financially motivated hacker might listen to the conversations of the chief financial officer at a large public company toward the end of a quarter to learn information useful in stock trading.

The same attack could also target mass audiences by installing keyloggers that steal usernames, passwords and other information that could help a criminal raid a bank account, Henry said.

While the reported vulnerability has to do with Linksys, Henry believes it probably spreads across most vendors.

"There are so many new VoIP products hitting the market today. I don't believe they're being developed with security first in mind," he said.

The burden then falls on people deploying a VoIP system to install a product that examines inbound traffic and blocks scripts with malicious intent, according to Henry.

Reprinted with permission from NetworkWorld.com. Story copyright 2010 Network World, Inc. All rights reserved.
Additional Resources
Forrester Consulting - Optimizing Users and Applications in a Mobile World
WHITE PAPER
Solving application issues over the WAN requires careful consideration. Based on their independent research, Forrester Consulting offers recommendations on how to tackle application performance issues, insufficient bandwidth and the inability to quickly restore users in a disaster.

Read now.

Security KnowledgeVault
WHITE PAPER
Security is not an option. This KnowledgeVault Series offers professional advice how to be proactive in the fight against cybercrimes and multi-layered security threats; how to adopt a holistic approach to protecting and managing data; and how to hire a qualified security assessor. Make security your Number 1 priority.

Read now.

Cut Communications Costs Once and for All
WHITE PAPER
New IP-based communications systems are being deployed by small and midsized businesses at a rapid rate. Learn how these organizations are enabling faster responsiveness, creating better customer experiences, speeding office or mobile interactions, and dramatically reducing existing communications costs.

Read now.

Networking White Papers
Digital Transformation: Creating New Business Models Where Digital Meets Physical
Individuals and businesses alike are embracing the digital revolution. Social networks and digital devices are being used to engage government, businesses and civil...
Make the Connection: Better Network Connectivity Drives Transformation
Network connectivity is more than just plumbing. Leading organizations today see high-performance network connectivity as a critical enabler of competitive advantage, and not...
Virtualizing Government Infrastructure
All server virtualization solutions are not created equal. The more-with-less agenda for government agencies is tailor-made for server virtualization, which is evolving into...
Moving Service Management to SaaS
Today, organizations can enjoy similarly substantial benefi ts by migrating their IT service management functions to a software-as-a-service model. This paper shows how...
Achieving 360 Degree Network Visibility with Nimsoft
360° network visibility is critical for ensuring continuous availability of networks, servers, and applications-anything less could
have costly bottom-line implications.
All Networking White Papers
Networking Webcasts
Optimizing Networks for the Cloud
Join guest speaker, Rohit Mehra, IDC Director of Enterprise Communications Infrastructure, to explore current trends, discuss best practices for optimizing Data Center and...
Unified Communications 101
What's the best way to implement a unified communications solution for your organization?
Try the OptiView® XG on your network - FREE
The OptiView® XG is the first dedicated tablet with automated network and application analysis -- fastest way to root cause. XG raises the...
Apps QuickStart Series Part 2: Designing and Deploying SQL Server on VMware vSphere
Download this webcast to learn about the design considerations for virtualizing SQL workloads, performance and scalability information and high-availability options, as well as...
Apps QuickStart Series Part 1: Designing and Deploying Exchange 2010 on VMware vSphere
Download this webcast to learn the virtual hardware design considerations for Exchange 2010, deployment using the building block approach, options for high-availability and...
All Networking Webcasts
Newsletter Sign-Up

Receive the latest news test, reviews and trends on your favorite technology topics

Choose a newsletter
  1. View all newsletters | Privacy Policy
IT Jobs