
Thursday, August 30, 2007

Bugging VoIP SIP Phones

From Sunnet Beskerming -

Recent findings suggest that it is a relatively simple matter to remotely eavesdrop on a broad range of SIP-enabled devices. For readers who aren't aware of what SIP-enabled devices are, SIP (Session Initiation Protocol) is a protocol that is used by a lot of VoIP software and associated telephone handsets to establish, modify, and control a VoIP connection between two parties.

The research that was published indicates that, for at least one vendor, it is possible to automatically call a SIP device from that vendor and have it silently accept the call, even if it is still on the hook - instantly turning it into a classic bugged phone. Whereas historic telephony bugs needed physical targeting of the line running to a property or place of business, the presence of VoIP in the equation allows bugging from anywhere in the world with equal ability. Now anyone can do from their armchair what only spies and law enforcement used to be able to do from inside the telephone switch / pit / distribution board, though it's still illegal to do so.

As well as bugging the phone, the action effectively acts as a Denial of Service against the device (after all, it is already engaged in a call).

Having found the bug via fuzzing, the discovering researchers believe that there may be a number of vendors that have created their own SIP networking code, with equivalent bugs contained within.

While the vendor concerned is expected to release appropriate patches soon, the disclosure is likely to turn attention on other SIP device providers.

This may already be happening, with two separate exploits released publicly in the last couple of days targeting Cisco SIP handsets, with the result of a Denial of Service condition against the phones. VoIP client software from eCentrex has also been targeted with public exploit code, except this time it allows for control over vulnerable devices as a result of a remote buffer overflow condition.

Concerned users and administrators who have SIP-enabled software or hardware should be aware of their potential limitations and have appropriate mitigation strategies in place, especially if they are used in sensitive areas (military use, national secrets, trade secrets, etc.).
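One monitoring check an administrator could run against the silent-accept behaviour described above, as an added example that is not from the original post or the researchers: it flags calls that a handset answers without ever signalling that it rang. The assumption that such a call appears as an INVITE answered by 200 OK with no 180 Ringing, and the names `parse`, `silent_answers`, `msg` and `SAMPLE`, are illustrative and not taken from the research.

```python
# Added example. Assumption: a silent accept shows as INVITE -> 200 OK with no 180 Ringing.

def parse(raw):
    """Return (kind, call_id, cseq_method); kind is a method name or an int status."""
    lines = raw.strip().splitlines()
    first = lines[0].split()
    kind = int(first[1]) if first[0].startswith("SIP/") else first[0]
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers; an SDP body may follow
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    call_id = headers.get("call-id") or headers.get("i")  # "i" is the compact form
    cseq = headers.get("cseq", "").split()
    return kind, call_id, (cseq[1] if len(cseq) == 2 else None)

def silent_answers(capture):
    """capture: (timestamp_seconds, raw_sip_message) pairs in time order."""
    calls, flagged = {}, []
    for ts, raw in capture:
        kind, call_id, method = parse(raw)
        if kind == "INVITE" and call_id:
            # setdefault keeps the first INVITE, so re-INVITEs are not judged
            calls.setdefault(call_id, {"t": ts, "rang": False, "done": False})
        elif method == "INVITE" and call_id in calls:
            state = calls[call_id]
            if kind == 180:
                state["rang"] = True
            elif kind == 200 and not state["done"]:
                state["done"] = True
                if not state["rang"]:
                    flagged.append((call_id, ts - state["t"]))
    return flagged

def msg(first_line, call_id):
    return f"{first_line}\r\nCall-ID: {call_id}\r\nCSeq: 1 INVITE\r\n\r\n"

# Constructed sample traffic (not captured from any real device).
SAMPLE = [
    (0.0, msg("INVITE sip:desk1@example.invalid SIP/2.0", "a1")),
    (0.5, msg("SIP/2.0 180 Ringing", "a1")),
    (4.0, msg("SIP/2.0 200 OK", "a1")),
    (10.0, msg("INVITE sip:desk2@example.invalid SIP/2.0", "b2")),
    (10.5, msg("SIP/2.0 200 OK", "b2")),
]

if __name__ == "__main__":
    print(silent_answers(SAMPLE))
```

Handsets with a deliberate auto-answer or intercom feature will also match, so the output is a list to review against known extensions rather than a verdict.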
