Researchers at the Black Hat security conference here released the tools on Wednesday. The programs are meant to test the security of increasingly popular voice over Internet Protocol telephony systems, Dave Endler, director of security research at TippingPoint, said in an interview. TippingPoint is part of 3Com, which sells VoIP products.
Each of the tools can be used to launch VoIP system attacks, such as overloading phones or VoIP exchanges with ambiguous traffic, flooding phones with calls, forcing hang-ups, rebooting phones, and reassigning the devices to other users or nobody at all, Endler said.
"If you want all the CEO's calls to show up at your desk, that's what you would use," he said. Enterprises look at VoIP systems because of their rich features, promise of lower costs, and use of the same infrastructure as computer networks.
The tools were designed to help administrators determine the vulnerability of their telephony systems, Endler said.
"Obviously, releasing any security tools is a double-edged sword in that you can't restrict who has access," he said.
All of the tools target systems that use the Session Initiation Protocol, or SIP. While SIP is increasingly used in VoIP systems, it isn't widely used yet, Endler said. Instead, products from vendors such as Cisco Systems, Avaya and Nortel Networks all use proprietary protocols.
"The majority of VoIP systems out there are not SIP enabled," Endler said. "Most of them are pushing forward with SIP adoption." Endler and co-presenter Mark Collier of SecureLogix hope their work will help VoIP systems be more secure when SIP makes it into the major leagues, Endler said.
"VoIP security is still in its infancy," he said.
The release of the tools will have little effect on VoIP users today, agreed Dan York, director of IP technology at VoIP vendor Mitel. "But we're all moving to SIP," he said. The new protocol is in demand because industrywide adoption would mean phones from one vendor would work with a VoIP exchange from another, which isn't true today.
York said the tools serve a purpose. "SIP is coming into play and they give us the tools to test the systems and make them more secure," he said.
