Sipera demos VoIP security attacks

Researchers at Sipera Systems have shown how hackers can delete or steal data from a laptop running an enterprise VoIP softphone.

Sipera is demonstrating the dangers of VoIP-based attacks on corporate networks at the Black Hat USA 2007 Conference at Caesars Palace, Las Vegas.

According to Sipera, smartphones, to which a VoIP client can be downloaded, are particularly vulnerable to malicious attacks, such as denial-of-service attacks and bots, because of their limited memory and capacity.

VoIP softphones and smartphones that run VoIP clients have to support an open protocol such as [session initiation protocol]. This is vulnerable to attack because a SIP message, which is used for call set-up or initiation, can be sent to the phone directly.

This means that every phone acts as a server since it is always available to receive calls. Anybody can send a request to the phone, including for malicious purposes such as toll fraud.

VoIP can also be used to steal data from a laptop. A SIP message can be sent to a softphone running on a laptop, and it then takes control of that laptop and has the ability to copy or delete files.

Traditional firewalls and authentication security processes do not protect against this kind of attack.

Sipera is developing technology that will monitor incoming traffic in real time and deal with suspicious content or anomalies.