
13/03/2009 - INVITE of Death, SIP Digest attack ring VoIP security alarms

Two recently released VoIP vulnerability reports have stirred up security thinking once again. But you have to love the name "INVITE of Death."

The aforementioned INVITE uses a malformed call request (INVITE) to trigger a service failure in the OpenSBC server, an open source session border controller. INVITE of Death crashes the OpenSBC server, resulting in denial of service for calls. The fix is relatively straightforward - strip out leading and trailing colons in a couple of places - but it does highlight the need to keep track of version updates for critical code.

The SIP Digest authentication relay attack, on the other hand, takes advantage of protocol design features and has now been documented in an IETF draft. The attack relies on making a call to a target device and then sending a designed sequence of valid messages to trick the target device into authenticating a second call made by the attacker. An attacker could use the technique to make calls through a commercial service provider at the victim's expense.

For more:
- ITProPortal talks about the latest VoIP security threats.
