Sandro Gauci, Enable Security

VoIP and identity fraud on the BBC

Published on May 15, 2008

BBC News is running an article highlighting one of the most basic vulnerabilities in the majority of current VoIP providers: the lack of encryption. Indeed, this is a problem since SIP passes an MD5 hash of the password in clear text, and therefore anyone watching the traffic can perform an offline attack and quickly recover the credentials. The attack has been described in countless blogs, articles and papers by now, and some tools are very efficient in demonstrating this issue.

What caught my eye is the mention of VoIP credentials being sold on the underground for $17 apiece. So I emailed Mr Gladwin, who was quoted in the article. This is a summary of our email conversations:

  • There is no indication that stolen VoIP details were harvested because of the lack of encryption
  • If anyone comes across underground forums / sites / resources which have prices please let me know. Unfortunately Dave Gladwin was not able to provide me with a reference (until now)
  • There was no indication as to the size or volume of the VoIP credentials trading

Skype took the chance to remind us that this is not an issue for them (since they make use of a proprietary protocol which has encryption built in).

I’m interested in learning which method is being used to steal credentials. Take your pick:

  • Sniffing at WiFi internet cafés, hacked service providers etc., followed by offline password attacks
  • Active password attacks (such as those supported by SIPVicious svcrack). Such attacks have been previously used by Robert Moore and obviously others who were not caught ;-)
  • Hacked VoIP service providers or end users
  • Phishing attacks

My feeling is that active password attacks will give you the best results when the target is simply “the Internet”. But in the end, what matters is what’s being currently abused and how we can prevent and mitigate.
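On the prevention side, active password attacks are noisy at the registrar, so a per-source count of failed registrations catches them. The sketch below is an added example, not code from the original post or from SIPVicious; the log lines are constructed (loosely modelled on Asterisk `chan_sip` failed-registration notices), and the threshold and window values are assumptions to tune per deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log layout: "[timestamp] NOTICE... Registration from '<sip:user@host>'
# failed for 'ip[:port]' - reason". Adjust the pattern to your registrar's format.
LINE_RE = re.compile(
    r"\[(?P<ts>[\d\- :]+)\] NOTICE.*Registration from '.*?<sip:(?P<user>[^@>]+)@[^>]*>' "
    r"failed for '(?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?' - ")

def detect(lines, max_failures=5, window=timedelta(seconds=60)):
    """Return {source_ip: targeted_usernames} for every source that produced
    more than max_failures failed registrations inside one sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> every username that ip failed against
    flagged = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue              # not a failed-registration notice
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        users[m["ip"]].add(m["user"])
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            flagged[m["ip"]] = users[m["ip"]]
    return flagged

def _line(ts, user, ip):
    # Helper that builds one constructed sample line (hypothetical host name).
    return (f"[{ts:%Y-%m-%d %H:%M:%S}] NOTICE[4021] chan_sip.c: Registration from "
            f"'<sip:{user}@pbx.example>' failed for '{ip}:5060' - Wrong password")

T0 = datetime(2008, 5, 15, 10, 0, 0)
# Constructed data: one source failing 8 times in 8 seconds against extension 100 ...
SAMPLE = [_line(T0 + timedelta(seconds=i), "100", "203.0.113.7") for i in range(8)]
# ... and a legitimate user mistyping a password three times, ten minutes apart.
SAMPLE += [_line(T0 + timedelta(minutes=10 * i), "201", "198.51.100.20") for i in range(3)]

if __name__ == "__main__":
    for ip, targets in detect(SAMPLE).items():
        print(f"{ip}: repeated failed REGISTERs against {sorted(targets)}")
```

A flagged source is a candidate for rate limiting or blocking; a large set of targeted usernames from one source points to extension scanning rather than guessing at a single account.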

Update: Dave Gladwin updated the Newport Networks Blog to provide more details on the subject.

Sandro Gauci

CEO, Chief Mischief Officer at Enable Security

Sandro Gauci leads the operations and research at Enable Security. He is the original developer of SIPVicious OSS, the SIP security testing toolset. His role is to focus on the vision of the company, design offensive security tools and engage in security research and testing. Therefore, he is the proud owner of the title of Chief Mischief Officer at Enable Security.