The BBC News is running an article highlighting one of the most basic vulnerabilities in the majority of current VoIP providers - the lack of encryption. Indeed, this is a problem since SIP passes an md5 hash of the password as clear text and therefore anyone watching the traffic can perform an offline attack and quickly recover the credentials. The attack has been described in countless blogs, articles and papers by now and some tools are very efficient in demonstrating this issue.
What caught my eye is the mention of VoIP credentials being sold on the underground 17$ a piece. So I emailed Mr Gladwin who was quoted in the article. This is a summary of our email conversations:
- There is no indication that stolen VoIP details were harvested because of the lack of encryption
- If anyone comes across underground forums / sites / resources which have prices please let me know. Unfortunately Dave Gladwin was not able to provide me with a reference (until now)
- There was no indication as to the size or volume of the VoIP credentials trading
Skype took the chance to remind us that this is not an issue for then (since they make use of a proprietary protocol which has encryption built-in).
I’m interested in learning which method is being used to steal credentials. Take your pick:
- Sniffing at WiFi internet cafe’s / hacked service providers etc and offline password attacks
- Active password attacks (such as those supported by SIPVicious svcrack). Such attacks have been previously used by Robert Moore and obviously others which were not caught ;-)
- Hacked VoIP service providers or end users
- Phishing attacks
My feeling is that active password attacks will give you the best results when the target is simply “the Internet”. But in the end, what matters is what’s being currently abused and how we can prevent and mitigate.
Update: Dave Gladwin updated the Newport Networks Blog to provide more details on the subject.
