By Egan Orion
28 August 2007
IT'S REPORTED that Session Initiation Protocol (SIP) devices can be
vulnerable to eavesdropping.
SIP is used by Voice over IP (VoIP) software and hardware to provide
digital phone service directly over the Internet, thus bypassing the
telcos' analog switched networks and related long-distance charges.
Skype is a VoIP service that uses SIP, for one example, and many ISPs
and third parties offer VoIP.
Telephones have long been used for eavesdropping, likely since the time
of Alexander Graham Bell. There were very few secrets in most small
towns, back when the telephone exchanges used wired plug-boards to
connect parties and telephone operators could listen in to phone
conversations at will. As telephone infrastructures were slowly built
out, many subscribers had "party lines" that were shared among several
households and let the nosey people listen in to their neighbors' phone
While eavesdropping is quite impolite, when it's done for adversarial
purposes, it's called covert listening or, more simply, bugging. (A page
about bugging techniques is here.)
Late last year it surfaced that the FBI has used cellphones as "roving
bugs", listening to conversations even when the targeted cellphones were
Now a post on the "full-disclosure" list has revealed that SIP devices
can be similarly vulnerable to covert listening. The Australian IT
security firm Snnet Beskerming has written a commentary about the
implications. It writes:
"The research that was published indicates that, for at least one
vendor, it is possible to automatically call a SIP device from that
vendor and have it silently accept the call, even if it is still on the
hook - instantly turning it into a classic bugged phone. Whereas
historic telephony bugs needed physical targeting of the line running to
a property or place of business, the presence of VoIP in the equation
allows bugging from anywhere in the world with equal ability. Now anyone
can do from their armchair what only spies and law enforcement used to
be able to do from inside the telephone switch / pit / distribution
board, though it's still illegal to do so."
It notes that the act of bugging a SIP device also operates as a Denial
of Service attack.
Although an exploit has been publicly reported against only one vendor's
SIP implementation, other vendors' software stacks might also be
vulnerable. Separate similar exploits that targeted Cisco SIP handsets
with a Denial of Service attack and a buffer overflow attack against
software from eCentrex have recently been publicly released, too.
So if you happen to use SIP-enabled VoIP services, beware.