VoIP system users can be targeted in attacks

Jason Ostrom of VoIP Hopper on Saturday plans to release his next-generation VoIP sniffer at Toorcon in San Diego to help raise awareness of the type of vulnerabilities businesses face as they adopt unified communications (UC) technology.

He told CNET News that the tool, UCSniff, has two settings. One is a learning mode, sniffing all the IP traffic then mapping telephone extensions to specific addresses. By default, it is capturing all the calls and saving them to wave files.

The other setting is a bit more creepy: targeting conversations. After learning the IP addresses of the phone system, someone using UCSniff can listen to all the VoIP, or voice over Internet Protocol, conversations made by a specific user, say the CEO. That's user mode. A second mode, conversation mode, allows someone to monitor calls made exclusively between two extensions, say only when the CEO calls the CFO.

"So it's like dynamic ARP poisoning," Ostrom explained, referring to Address Resolution Protocol spoofing. "The tool, on the fly, figures out how to do the ARP poisoning for you so you're not intercepting the traffic of phones that you do not want to intercept."

Ostrom, who now works for Sipera Systems, said the flaw, if any, is within the structure of the system and not specific to any platform, such as that of Cisco Systems. Two other, related tools are also set to be released by Ostrom on Saturday. Combined, the tools can allow one to create a man-in-the-middle attack on VoIP networks in an enterprise.

Some of the pieces are already available on the Internet, he said. However, UCSniff "brings together what is lacking, what is needed to be the most effective and secure VoIP security assessment tool available."

Ostrom's talk will be followed with a discussion of best practices for enterprises. "You can apply security controls to mitigate this vulnerability within your infrastructure and in how you design your network," he said.