"We are more secure than a regular phone line."
Two attacks against VoIP
2006-04-06
Tobias Glemser (3 replies)
This prevents the described attacks."
Since the hash does not bind to any of the registration information, this offers no protection at all against a MITM attack. The attacker can divert your request to his own machine by ARP spoofing, modify just the relevant lines, and send it on to the real registrar. He couldn't care less about the digest; he doesn't need to touch it at all. All the digest achieves is making it harder for the attacker to create completely fake packets when you are not calling. And for the purpose of taking over your control channel he doesn't ever want to do that, so the digest is useless.
Further, if this password is a human entered one, note that this simple protocol is also vulnerable to an off-line dictionary attack.
"Eavesdropping ... BUT: Any other service using IP is also "vulnerable"! This is NOT a VoIP-Problem"
Right, but we are not comparing the vulnerability of VoIP to other weak network protocols, we are comparing VoIP to PSTN phone calls. VoIP is MUCH easier to eavesdrop than traditional phone calls, and the point of the article is that a lot of people don't seem to realise that.
"secure your LAN-environment e.g. using VLANs to separate, "
Then you are effectively saying "sure my VoIP product has no security, but that will be fixed by someone else securing the network". The problem with this approach is that you don't know if "someone else" will do his job properly. As an end-user of the softphone, in fact, I have no idea if "someone else" has fixed all that up and no way to do anything about it if he hasn't. VoIP is an example of a protocol for which it is almost never satisfactory that it be unsecured. Consequently, strong security should be built into the protocol. Further, since real-time cryptographically secured VoIP systems existed as long ago as 1995, and managed to do perfectly usable transcontinental calls over 48 kbps dial-ups with modem latencies, there is really no excuse for the pathetic claims that it is too hard.
"choice between sniffing IP Traffic between ... CEO and his/her secretary"
You're trying to trivialise the problem by giving a trite example. The fact is that in many organisations, and for many home users, VoIP is well on its way to replacing PSTN calls. For these users, it assumes a wide variety of mission critical roles, from closing contracts, through to sending alerts from the IDS that someone is probing the file server, to phoning the police or ambulance for help. It is critical infrastructure FAR more important than file servers. It can literally be a matter of life and death.
Link to this comment: http://www.securityfocus.com/comments/infocus/1862/514#514
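The binding gap the comment above describes, as an added example that is not part of the original thread: a registrar-side digest check in the RFC 2617 style (no qop) that SIP reuses, run against a constructed REGISTER whose Contact differs from what the client sent. All names, addresses and the password are constructed, and `bound_tag` is a hypothetical contrast, not a SIP mechanism.

```python
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, nonce, method, uri):
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def registrar_accepts(msg, password):
    """Registrar-side check. Contact and Expires never enter the hash."""
    expected = digest_response(msg["user"], msg["realm"], password,
                               msg["nonce"], msg["method"], msg["uri"])
    return hmac.compare_digest(expected, msg["response"])


def bound_tag(msg, password):
    """Hypothetical contrast: a keyed MAC that also covers Contact and Expires."""
    fields = ("method", "uri", "nonce", "contact", "expires")
    covered = "\n".join(msg[k] for k in fields)
    return hmac.new(password.encode(), covered.encode(), hashlib.sha256).hexdigest()


# Constructed sample data (documentation address ranges, made-up secret).
PASSWORD = "constructed-sample-secret"
original = {
    "method": "REGISTER", "uri": "sip:registrar.example.test",
    "user": "alice", "realm": "example.test", "nonce": "constructed-nonce-0001",
    "contact": "sip:alice@192.0.2.10", "expires": "3600",
}
original["response"] = digest_response("alice", "example.test", PASSWORD,
                                       original["nonce"], "REGISTER", original["uri"])
original["tag"] = bound_tag(original, PASSWORD)

# Same message with only Contact changed in transit; response and tag are untouched.
altered = dict(original, contact="sip:alice@198.51.100.7")


def compare():
    """Which checks still pass once Contact has changed."""
    return {
        "digest_original": registrar_accepts(original, PASSWORD),
        "digest_altered": registrar_accepts(altered, PASSWORD),
        "bound_original": hmac.compare_digest(bound_tag(original, PASSWORD), original["tag"]),
        "bound_altered": hmac.compare_digest(bound_tag(altered, PASSWORD), altered["tag"]),
    }
```

Every input to `digest_response` other than the password travels in the clear, which is why the comment's remark about human-entered passwords applies to the same exchange.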