It has been reported that security researchers have gone public about a set of five vulnerabilities in telecoms stack software FreeSwitch. The quintet of flaws – all discovered by a team from German telecoms security consultancy Enable Security – lead to denial of service, authentication problems and information leakage for systems running FreeSwich.
<p>Abuse of SIP is not something new. In fact SIP products, both end-user devices and the infrastructure that enables SIP phone calls, have been subject to a wide range of attacks since their adoption and growth in popularity.</p>
<p>Like any software product, IP telephony in general is subject to the same problems with software bugs as any other software stack. The added complexity of these systems adds to this, as there are often many different protocols being layered upon each other – there are simply so many parts of this beast to attack, from web to end-user-device, to supporting infrastructure. SIP products have traditionally been poor on providing robust security controls. Hacking phone infrastructure is still popular, as the end result can be interesting – from eavesdropping on calls to being able to place arbitrary phone calls on someone else\’s dime.</p>