Black Hats break into VoIP systems

Asterisk and H.323 went down in myriad ways at a gathering of hackers in Las Vegas recently. Himanshu Dwivedi and Zane Lackey of iSec Partners in San Francisco demonstrated several ways to compromise the two VoIP protocols in their presentation at Black Hat USA, the hacker conference held in Sin City Aug. 1-2.

iSec's presentation materials stated that "Despite the fact that H.323 is the most dominant VoIP session-setup protocol used in enterprise environments, it has not been given adequate attention in terms of security." The session covered various H.323 vulnerabilities (authentication weaknesses, replay attacks, endpoint spoofing, etc.) as well as a tool for security testing, which was released at the conference. Similar fault lines and fixes were demoed for IAX, the protocol used in Asterisk, a popular open source PBX system.

The need to tighten VoIP security is only going to intensify, with consumer adoption pushing the 10 million mark. There's also the Pentagon VoIP installation and the one planned for the Social Security Administration to consider. Black Hat DC next February should be a busy one.

For more:
- Dwivedi and Lackey's materials are available here
- Network World provides in-depth coverage of the session here
