Asterisk RTP bug worse than first thought: Think intercepted streams

One of the Asterisk bugs published last week is worse than first thought: Enable Security warns it exposes the popular IP telephony system to stream injection and interception without an attacker holding a man-in-the-middle position. A reader (@kapejod, who collaborated with @sandrogauci on the work) alerted The Register to …

  1. Voland's right hand Silver badge

    You should not be using RTP outside your own LAN in the first place

    Plain RTP has no security to speak of. Trying to introduce it via a retrofit is a lost cause.

    If you are running telephony outside your own network you should start looking at sRTP, zRTP or packing the traffic into a VPN.

    1. Anonymous Coward
      Anonymous Coward

      Re: You should not be using RTP outside your own LAN in the first place

      Routing through a VPN won't help much because they'll just target the VPN end or wherever else the stream MUST be visible. The problem is that the vulnerability is in the protocol itself: a ubiquitous protocol built into a lot of stuff that's very expensive to replace (thus you can't use anything else without breaking things, which means lost time and money). Worse, this kind of hardware doesn't have any government backing if something goes wrong (unlike, say, airliners, where countries can issue edicts that can ground planes).

      1. Soruk

        Re: You should not be using RTP outside your own LAN in the first place

        A VPN will help if it's a private VPN with the endpoint on your network.

        1. Charles 9

          Re: You should not be using RTP outside your own LAN in the first place

          But where does the RTP go from there? It's not like RTP regularly stays on a LAN. It's normally meant to go out to the greater Internet, and that's where they can get you.

  2. David Roberts

    Alternatives?

    If Asterisk is insecure what are the alternatives?

    Any other software out there?

    1. Adam 52 Silver badge

      Re: Alternatives?

      The authors suggest that other VoIP software is likely vulnerable too.

      Of course you could use a sensible protocol for voice and not try to coax it over (cheap) IP, but that ship has long sailed.

    2. DaLo

      Re: Alternatives?

      Every piece of modern software is insecure - the only difference is the vulnerabilities haven't been found yet.

      1. Anonymous Coward
        Anonymous Coward

        Re: Alternatives?

        If every piece of modern software is insecure, then it follows that everything made by man is insecure, too; it's simply the human condition.

    3. handleoclast

      Re: Alternatives?

      FreeSwitch is thought, by some*, to be better than Asterisk.

      It will have most of the same problems because it's partially a problem with how the protocol is defined. SRTP is your friend.

      *The FreeSwitch developers.

      1. Charles 9

        Re: Alternatives?

        Not if the other end DOESN'T support SRTP (part of the problem stated in the article) and you MUST talk to that other end.

  3. J. R. Hartley

    Oh dear

  4. John Smith 19 Gold badge
    Unhappy

    "Secure Real Time Protocol (SRTP),"

    So how common is the use of SRTP or did everyone close their eyes about Snowden?

    And then this

    "The official Asterisk fix also does not properly validate very short RTCP packets"

    So yet another protocol whose implementation should probably have been an FSM but was botched up.

    And it's only Monday.
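The quoted line about the fix not properly validating very short RTCP packets is about one concrete class of check: a receiver must confirm that a datagram actually contains the bytes each RTCP header claims before touching the fields behind it. The validator below is an added example written for this thread; it is not code from Asterisk or from the Enable Security advisory, and it follows the header layout in RFC 3550 (version, padding bit, report count, packet type, 16-bit length in 32-bit words minus one). The sample datagrams are constructed for the example.

```python
"""
Defensive RTCP compound-packet validator (added example, not Asterisk code).

Each RTCP sub-packet starts with a 4-byte header whose length field says
how many 32-bit words follow it (minus one). A receiver that trusts that
field, or that reads header fields without first checking that 4 bytes
exist, reads past the end of a short datagram. This parser checks both.
Header layout from RFC 3550 section 6.4.
"""
import struct

RTCP_HEADER_LEN = 4       # V(2) P(1) RC(5) | PT(8) | length(16)
RTCP_VERSION = 2
# Base packet types from RFC 3550; profile extensions are not handled here
RTCP_PACKET_TYPES = {200: "SR", 201: "RR", 202: "SDES", 203: "BYE", 204: "APP"}


def validate_rtcp(data: bytes) -> list:
    """Walk a compound RTCP datagram and return [(type_name, byte_length), ...].

    Raises ValueError on the first structural defect: a datagram or trailer
    too short to hold a header, a bad version, an unknown packet type, a
    declared length that exceeds the bytes actually present, or an
    impossible padding count.
    """
    if len(data) < RTCP_HEADER_LEN:
        raise ValueError(f"RTCP datagram too short: {len(data)} < {RTCP_HEADER_LEN} bytes")
    packets = []
    offset = 0
    while offset < len(data):
        remaining = len(data) - offset
        # Check for the header before unpacking it, not after
        if remaining < RTCP_HEADER_LEN:
            raise ValueError(f"trailing {remaining} byte(s) cannot hold an RTCP header")
        first, pt, length_words = struct.unpack_from("!BBH", data, offset)
        version = first >> 6
        padding = bool(first & 0x20)
        if version != RTCP_VERSION:
            raise ValueError(f"bad RTCP version {version} at offset {offset}")
        if pt not in RTCP_PACKET_TYPES:
            raise ValueError(f"unknown RTCP packet type {pt} at offset {offset}")
        pkt_len = (length_words + 1) * 4
        # The declared length is attacker-controlled; bound it by what arrived
        if pkt_len > remaining:
            raise ValueError(
                f"declared length {pkt_len} exceeds remaining {remaining} bytes at offset {offset}")
        if padding:
            # Last octet holds the padding count, which includes itself
            pad = data[offset + pkt_len - 1]
            if pad == 0 or pad > pkt_len - RTCP_HEADER_LEN:
                raise ValueError(f"invalid padding count {pad} at offset {offset}")
        packets.append((RTCP_PACKET_TYPES[pt], pkt_len))
        offset += pkt_len
    return packets


def is_valid_rtcp(data: bytes) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_rtcp(data)
        return True
    except ValueError:
        return False


# Constructed samples (not captured traffic):
# a well-formed RR with no report blocks (header + SSRC) followed by a BYE.
SAMPLE_GOOD = (
    bytes([0x80, 201, 0x00, 0x01]) + b"\x11\x22\x33\x44"   # RR, length 1 word after header
    + bytes([0x81, 203, 0x00, 0x01]) + b"\x11\x22\x33\x44" # BYE, one SSRC
)
# A datagram cut off inside the first header.
SAMPLE_TRUNCATED_HEADER = bytes([0x80, 201])
# A header claiming 11 words (44 bytes) when only 8 bytes were received.
SAMPLE_LENGTH_LIE = bytes([0x80, 201, 0x00, 0x0A]) + b"\x11\x22\x33\x44"

if __name__ == "__main__":
    print(validate_rtcp(SAMPLE_GOOD))
    for name, sample in (("truncated header", SAMPLE_TRUNCATED_HEADER),
                         ("length lie", SAMPLE_LENGTH_LIE)):
        print(name, "accepted" if is_valid_rtcp(sample) else "rejected")
```

The point of the structure is ordering: the byte count is checked before the header is unpacked, and the declared length is checked against the bytes that remain before it is used to advance the offset. A loop that does those two comparisons the other way round is exactly the shape of bug a short packet exercises.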

  5. Anonymous Coward
    Anonymous Coward

    I have only offered VoIP over VPN, but my colleagues overseas

    have been more proactive and offered a greater level of access. Oh, and got a bill for £1700 after their system was used for calls.

    I really should try and keep up; the trouble is I consider all web-facing services as potential hack points and only use them if the business benefit outweighs the risk. Old-fashioned way of thinking, I know.

    1. Charles 9

      Re: I have only offered VoIP over VPN, but my colleagues overseas

      But it isn't going to help much if web-facing services are the ONLY way through and major money is on the line.

  6. Bronek Kozicki
    Flame

    Ha ha ha

    I bet that IPv6 opponents will continue to insist that NAT improves security.

    (ducks)

    1. Charles 9

      Re: Ha ha ha

      (Incoming ballistic trajectory)

      They'd have a point. The attack is OUTSIDE the LAN, on the greater Internet. It's not like they're using RTP to get INTO the LAN, which is why they're against having any kind of knowable structure available, not realizing the ISP can always route past the router onto your LAN in any event, as your connection rides on theirs.

      1. Alan Brown Silver badge

        Re: Ha ha ha

        "They'd have a point. "

        Perhaps, if IPv6 boxes didn't usually automatically firewall the internal LAN in the same way that IPv4 NAT boxes do by accident rather than design (and IPv4 NAT boxes don't protect against internal systems being pwned for whatever reason, then making outbound connections to find new victims).

        Of course if you want to connect anything to the Internet without some form of firewall out front then you're a braver person than I am. If you're sensible you firewall outbound connections as well as inbound. That's the difference between putting up a filter and ensuring you're not contributing to the pollution in the first place.

        1. Anonymous Coward
          Anonymous Coward

          Re: Ha ha ha

          No real sense in firewalling outbound connections because things can't work otherwise, and smart malware targets devices that MUST go outbound to work (like client computers) and disguises its traffic to mimic the stuff we do every day. If you're going to filter BOTH directions you might as well go Luddite and unplug.

  7. ecofeco Silver badge

    It's all shitware these days, innit

    We should stop saying software and call it shitware until otherwise proven.

  8. Andrew Punch
    FAIL

    I pointed out the insecurity of RTP 20 years ago

    I was working for Avaya at the time and did a POC interception tool using WinPcap.

    I would expect SRTP to be ubiquitous by now, but obviously not.
