An Invitation to Death from SIPVicious

It’s Halloween season. Not a fan, never have been. It seems to me the fancy dress and makeup are even more extreme than ever before, and I’m not just talking about the Catholic priest or Jimmy Savile costumes; throats slit, disfigured faces, blood gushing from knife wounds, zombies, half living/half skeleton corpses are what I was confronted with the other night... an invitation to death.

SIP attack

Or to be more precise, An INVITE of Death. The constant stream of ‘threats’ to my door is a bit like those faced by companies every day from the Internet; what’s legitimate traffic, who do I let in, who do I let in but only allow access to certain services, who’s a threat, who’s a friend, and so on.

Most companies are familiar with traditional cyber-attacks and have some level of protection in place, if only an appliance-based firewall or local user AV (Anti Virus) and web filtering. However, an area of compromise not widely discussed is that of SIP (Session Initiation Protocol) attacks. The term An INVITE of Death was coined in 2009 when a network vulnerability allowed a hacker to crash a VoIP server by sending a single, malicious SIP packet.

This is just the tip of the iceberg.

There are several SIP attack methods you should be aware of, but for brevity, as this is a blog, I’ve chosen just three examples. So if you don’t want to be scared anymore, lock the door, turn on all the lights and grab a friend, or a cushion, or a teddy.

SIP attack on IP Phone network

One of the most common IP (Internet Protocol) threats is spoofing, where hackers create IP packets with your IP address to imitate your device and make illicit calls from your phone. With almost everyone using mobile phones nowadays, the cost of making these calls (which still use the traditional mobile phone networks) can be enormous.

I wonder how many finance managers (or I.T. managers for that matter) realise that calls made from Thomas’ Ext. 1234 last quarter were up by 50%, even though he was away on holiday. Or that Lauren’s bill for calls from her Ext. 1235 was up by 25%, even though she left two months ago!

Once the hacker has successfully spoofed you, they can then flood your phone system (call flooding). When you pick up the call, the hacker hangs up. Imagine the financial cost to your business (not to mention the operational confusion and damage to reputation) if your phone system was blocked from making and receiving support calls, or customers trying to place orders.
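The two warning signs described above, a burst of INVITEs from one source and calls placed from extensions that should be idle, can both be picked out of a SIP proxy log. The script below is an added example, not code from the original post or from activereach; the log format (timestamp, source IP, caller extension) and the sample lines are constructed for illustration.

```python
"""Flag SIP INVITE floods and calls from extensions that should be idle."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical proxy format:
# one line per INVITE with timestamp, source IP and caller extension.
SAMPLE_LOG = """\
2019-10-28T09:00:00 INVITE src=203.0.113.5 from=1234
2019-10-28T09:00:01 INVITE src=203.0.113.5 from=1234
2019-10-28T09:00:01 INVITE src=203.0.113.5 from=1234
2019-10-28T09:00:02 INVITE src=203.0.113.5 from=1234
2019-10-28T09:00:02 INVITE src=203.0.113.5 from=1234
2019-10-28T09:00:03 INVITE src=203.0.113.5 from=1234
2019-10-28T09:05:00 INVITE src=192.0.2.10 from=1235
2019-10-28T09:30:00 INVITE src=192.0.2.11 from=1236
"""

LINE_RE = re.compile(r"^(\S+) INVITE src=(\S+) from=(\d+)$")


def parse(log_text):
    """Yield (timestamp, source_ip, extension) for each well-formed INVITE line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def detect_floods(events, max_invites=5, window=timedelta(seconds=10)):
    """Return {source_ip: time_first_flagged} for sources sending more than
    max_invites INVITEs inside any sliding window of the given length."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for ts, src, _ in events:
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > max_invites and src not in flagged:
            flagged[src] = ts
    return flagged


def detect_idle_extension_calls(events, idle_extensions):
    """Return sorted (extension, timestamp) pairs for extensions on the idle list,
    e.g. staff on holiday or who have left, that nevertheless placed a call."""
    return sorted((ext, ts) for ts, _, ext in events if ext in idle_extensions)
```

Feeding the same detectors with the live proxy log (or exported call detail records) and alerting on any hit gives the finance or I.T. manager the warning the post says they usually never get.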

A growing concern, especially within the public and finance sectors, is eavesdropping or corporate espionage where hackers employ Voice Over Misconfigured Internet Telephones (VOMIT). This is basically software that makes recordings of IP phone conversations, and whilst some companies deploy data encryption it may not be adequate, especially if your encryption keys are also intercepted. Conversations between doctors, bank traders (although that might not be a bad thing), or even politicians can all be recorded. Using software tools which are freely available online, it’s surprisingly and worryingly easy to do, as this video will demonstrate:

For the techies reading my blog, there are other ‘self-help’ videos online where you can view how easy it is to initiate SIP attacks.

Here are a couple of examples including the infamous SIPVicious:

For all the worried senior management out there, activereach does provide penetration testing programs and program suites that allow us to test your network and SIP servers, identifying all the vulnerabilities in your configurations and policies. We’ll even help you plug these holes and carry out scheduled tests to give you peace of mind that your policies are evolving just as fast as the new attack methods.

More information can be found on our Penetration Testing web page.

Hope I didn’t scare you too much, but it’s for your own good. I have to go now, someone’s knockin’ at the door, somebody’s ringin’ the bell. Someone with wings maybe...