SIP phone users - beware01/09/2007 Written by Jakub Maslowski
If you follow news related to IT security then you already know that using VoIP services, that use SIP isn’t the safest way to guarantee communication for your home or company. Session Initiation Protocol (SIP) devices can be vulnerable to eavesdropping. That’s a fact.
There are tons of hardware and software using SIP, and many of our and your internet providers are also using it. Let me explain how potentially harmful and dangerous this can be for us, the end-users.
Eavesdropping for adversarial purposes is the less danger, and possibility that this will happen, is low. More possible is, that these vulnerabilities will be used in espionage in industry, since these devices are well used in companies.
Another view is, that intelligence and investigation agencies (like FBI) will use them to wiretap communication. Moreover, full-disclosure list brought in last days more interesting links and informations concerning SIP phones.
Sûnnet Beskerming (Australian IT firm) published comment about implications:
“The research that was published indicates that, for at least one vendor, it is possible to automatically call a SIP device from that vendor and have it silently accept the call, even if it is still on the hook — instantly turning it into a classic bugged phone. Whereas historic telephony bugs needed physical targeting of the line running to a property or place of business, the presence of VoIP in the equation allows bugging from anywhere in the world with equal ability. Now anyone can do from their armchair what only spies and law enforcement used to be able to do from inside the telephone switch /pit /distribution board, though it’s still illegal to do so.”
It seems that SIP phones and devices are in heavy fire of many security researchers. Exploit for one vendor’s SIP has been posted on the net while ago. Cisco SIP devices are vulnerable again DoS attacks. And more will for sure follow.