Archive for October 2006

New Tools Released!

October 30, 2006

We posted several new tools on the “Hacking Exposed” website. We also provided updates and better README files for some of the existing tools. Here is a quick summary of the new tools:

  • rtpinsertsound/rtpmixsound – these tools take the contents of a .wav or tcpdump-format file and insert or mix in the sound. They require access to the RTP stream (sniffing of the VoIP traffic, but not necessarily MITM), so they can properly craft sequence numbers, timestamps, etc. rtpinsertsound, with the right timing, can be used to add words or phrases to a conversation. rtpmixsound can be used to merge in background audio, like noise, sounds from a “gentleman’s club”, curse words, etc. These tools have been tested in a variety of vendor environments and work in pretty much any environment where encryption isn’t used.
  • redirectpoison – this tool works in a SIP signaling environment. It monitors for an INVITE request and responds with a SIP redirect response, causing the issuing system to direct a new INVITE to another location. This tool requires access to the SIP signaling, but does not require a MITM (man-in-the-middle) attack. We tested this tool with the Asterisk and SER SIP proxies, along with a variety of SIP phones.
  • spitter – this tool works in conjunction with Asterisk, to set up a voice SPAM/SPIT generation platform. Once Asterisk is set up, spitter is used to schedule any number of calls, using your choice of audio files.

The tools come with README files, so they should be pretty easy to use. Please let us know what you think.
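A defender's view of the RTP tools described above, as an added example that is not code from the original post or from the tools themselves. It assumes injected audio arrives alongside the legitimate stream (the tools sniff rather than sit in the path), so a monitor sees the same SSRC and sequence number carrying different payloads; the function names, addresses and sample packets are constructed for illustration.

```python
import hashlib
import struct
from collections import defaultdict

def parse_rtp(packet: bytes):
    """Parse the fixed RTP header (RFC 3550); return None if not RTP version 2."""
    if len(packet) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        return None
    offset = 12 + 4 * (b0 & 0x0F)          # skip CSRC identifiers
    if b0 & 0x10:                          # skip header extension if present
        if len(packet) < offset + 4:
            return None
        offset += 4 + 4 * struct.unpack("!H", packet[offset + 2:offset + 4])[0]
    if len(packet) < offset:
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc,
            "payload": packet[offset:]}

def find_conflicts(packets):
    """packets: iterable of (source_address, raw_rtp_bytes).
    Flags any (SSRC, sequence number) seen with more than one distinct payload.
    Identical duplicates (benign network duplication) are not flagged."""
    seen = defaultdict(dict)               # (ssrc, seq) -> {payload digest: source}
    alerts = []
    for src, raw in packets:
        hdr = parse_rtp(raw)
        if hdr is None:
            continue
        versions = seen[(hdr["ssrc"], hdr["seq"])]
        digest = hashlib.sha256(hdr["payload"]).hexdigest()
        if versions and digest not in versions:
            sources = sorted(set(versions.values()) | {src})
            alerts.append((hdr["ssrc"], hdr["seq"], sources))
        versions.setdefault(digest, src)
    return alerts

def _rtp(seq, ts, ssrc, payload, pt=0):    # helper to build constructed packets
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload

SAMPLE = [  # constructed capture: one G.711 stream plus one conflicting packet
    ("10.0.0.5", _rtp(100, 16000, 0x1234ABCD, b"\xff" * 160)),
    ("10.0.0.5", _rtp(101, 16160, 0x1234ABCD, b"\xff" * 160)),
    ("10.0.0.5", _rtp(101, 16160, 0x1234ABCD, b"\xff" * 160)),   # exact duplicate
    ("10.0.0.99", _rtp(102, 16320, 0x1234ABCD, b"\x7e" * 160)),  # different audio
    ("10.0.0.5", _rtp(102, 16320, 0x1234ABCD, b"\xff" * 160)),
]

if __name__ == "__main__":
    for ssrc, seq, sources in find_conflicts(SAMPLE):
        print(f"conflicting payloads ssrc={ssrc:#010x} seq={seq} from {sources}")
```

This check is a heuristic for unencrypted RTP only; it reports where to look, not who sent the extra audio, since source addresses can be spoofed.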

eWeek Podcast – VOIP: How Secure?

October 24, 2006

Dave recently was interviewed in a podcast with eWEEK senior writer Matt Hines about VoIP Security. Some of the questions that were asked and answered included:

Enterprises are obviously adopting VoIP at a very fast rate; are the threats ramping up quickly as well?

What do you see as the most significant threats to VoIP security right now?

Phishing continues to menace online business applications of all types; how is the threat of VoIP phishing coming together?

Some people feel that the issue of security in regards to IP telephony is being over-hyped; do you feel that people are making too much of an issue of the problem?

What can you tell us about your work with the VoIP security alliance? What sort of work is being done by the group right now?

Top Voices in IP Communications

October 14, 2006

The October issue of Internet Telephony Magazine includes a feature article on the “Top 100 Voices of IP Communications”. Dave was honored as one of the editor’s selections for his contributions to VoIP security.

Recent Presentations Roundup

October 11, 2006

In the last month, we’ve been keeping busy evangelizing VoIP Security at various conferences and press events. Mark was most recently at IPComm in Nashville, Tennessee, where he presented on SIP Vulnerabilities (3.8MB pdf) as well as VoIP Hacking Defenses (3.7MB pdf). Mark also recently spoke on a panel at VoiceCon Fall about Conducting a VoIP Security Assessment (1.5MB pdf). Dave also recently spoke on a panel at the NetEvents European Summit on VoIP Security (see pic).

We also just found out that our presentation on Exploiting VoIP Networks was accepted at the 2007 RSA Conference in San Francisco. Drop us a line if you’re planning on attending! Also, our book should be out by then so I imagine we’ll have a few copies to give out at our talk.