Can someone eavesdrop on your enterprise VoIP calls? Almost certainly. It hasn't been talked about much in the press, but the simple fact is that these networks are vulnerable to snooping.
Jason Ostrom is ready to prove it.
As director of Sipera Systems' VIPER (Voice over IP Exploitation Research) Lab, Ostrom has been busy devising ways to sniff out VoIP vulnerabilities. He's just released VIPER's latest offering, UCSniff, a free tool capable of listening in on calls within an enterprise. Lots of calls.
UCSniff has two modes. First it can 'learn,' discovering all phones and extensions on a network and mapping their addresses. Within learning mode the program also can launch a 'directory module,' sucking out contact data from a user's directory and adding that information to its own directory.
Having learned its way around the system, UCSniff can then 'target' users for eavesdropping, picking out individual phones by extension in order to zero in on calls made by a particular caller.
It gets better. Rather than just hearing one side of a conversation, UCSniff is bi-directional. Using G.711 and G.722 codecs, the program can automatically listen in on and record both sides of a conversation. This has ramifications. Suppose the VP of Sales is chatting about strategy with the CEO. What's it worth to the competition to know what is being said? If UCSniff can hear it, that's pretty solid evidence that the bad guys can too.
Ostrom, who unveiled his work at the recent Toorcon security conference in San Diego, explains that some of the components of UCSniff are to some extent already available. This program pulls together those disparate elements for the first time and automates their capabilities.
The program has its limitations. It requires a physical connection to the network in order to do its work: specifically, a laptop that can be plugged into the Ethernet port of the organization under examination. "You have to have access to a physical port where the phone is located," Ostrom said.
Given this requirement, the program is best thought of as modeling the potential for an inside eavesdropping attack.
But not entirely. Ostrom points to the possibility of a hotel guest plugging in, with no one around to watch. "There is no one that is going to monitor you in those rooms, so physical security is a huge issue," he said.
Others in the IT security community have been working along similar lines. In September, SecureLogix released a suite of VoIP assessment tools to seek out SIP threats including denial-of-service, eavesdropping and man-in-the-middle attacks. Developers Mark Collier and Mark O'Brian said their project enhanced and simplified the use of tools already at play within the security community.
(See our in-depth, hands-on tutorial about the SecureLogix suite and a host of other SIP security tools.)
Ostrom is glad to see SecureLogix in the game, which he describes as a team effort within the security community. Rather than promote particular solutions to the problem of eavesdropping, Ostrom said his work at this point is all about education.
In order to generate interest in remediation, the security community first must demonstrate to enterprise users the reality of the threat. Then users can begin to adopt some of the best practices already defined as being useful against diverse VoIP threats.
(Again, for a detailed look at those best practices, see VoIPplanet.com's two-part tutorial Testing SIP Security on a Budget.)
This approach helps to explain why Sipera will be giving UCSniff away for free when the beta release comes out in a couple of weeks. "It's in the spirit of the security community, its openness and education awareness," Ostrom said. Hence the use of an open-source platform, Linux, to underlie the program. "I really think that knowledge is power and when you give it away for free, that becomes a selling point for the tool."
UCSniff is not a finished product. Further iterations should include the ability to port to Windows, as well as support for video eavesdropping via the H.323 standard.
At the same time, Ostrom's beta version already anticipates changes within the industry. In addition to incorporating the G.711 standard, the program also makes use of the G.722 standard. While G.722 is only emerging at the moment, Ostrom included it on the grounds that it will eventually become a predominant force on the scene.
If Ostrom is right that knowledge is power, it seems likely that UCSniff could give security professionals a powerful new tool, a new way of knowing just where things stand within their VoIP networks.