 |
 |
    |
Vonage VoIP phone adapter vulnerable to server impersonation
OverviewThe Vonage service used for phone conversations is vulnerable to an attacker sending SIP INVITE messages directly to Vonage customers. ImpactVonage customers can receive phone calls directly from an attacker. This leaves the Vonage customer subject to spam, social engineering vulnerabilities, and scams. Description
Vonage phone service is a popular commercial voice over IP telephone service. It uses IETF Session Initiation Protocol (IETF SIP) to initiate voice conversations between two users. When the Vonage customer receives a phone call, the SIP message provides information about the person calling. However, the Vonage Motorola phone adapter does not authenticate the INVITE received from the server. Consequently, an attacker or spammer can send a SIP message directly to a Vonage customer, with from IP address spoofed to be the server’s IP address leaving Vonage customers vulnerable to a variety of unsuspected attacks. Solution
The client should authenticate SIP requests received from the server IP address. For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com |
UC Security Defined
Sipera Systems, the leader in real-time Unified
Communications (UC) security, is the choice of enterprises
and service providers around the world to support their
mission-critical UC deployments.
Sipera offers groundbreaking, production-proven solutions
that secure voice, video, messaging, collaboration, and
other real-time communications in converged IP networks,
boosting compliance with information security requirements.
Backed by the industry-leading research of the VIPER lab,
Sipera's solutions provide comprehensive threat protection,
policy enforcement, access control, and encryption in a
single flexible appliance.