Synopsis: Interview with Shawn Merdinger about WiFi phone vulnerabilities, VoIP security, comments, news, VOIPSEC review

Welcome to Blue Box: The VoIP Security Podcast show #13, a 35-minute podcast  from Dan York and Jonathan Zar around news and commentary in the world of VoIP security. This show primarily features an 29-minute interview with Shawn Merdinger, an independent security researcher focused on the security of WiFi SIP handsets.

Download the show here (MP3, 33MB) or subscribe to the RSS feed to download the show automatically.

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Show Content:

• 00:20 – Intro to the show, contact information and how to provide comments.  Welcome to all the new listeners.  Mention of Frappr map for the show.  Please join the map!
• Upcoming interviews:
• Jan 30 – Rick Robinson and Jerry Ryan at Avaya about their teleworker set (mentioned in show #8)
• Feb 6 – Nick Frost, author of Information Security Forum report mentioned in #8
• Feb 20– Per Cederqvist of Ingate systems on to talk about ‘sdescriptions’ key exchange
• Upcoming events – Dan will be attending O’Reilly’s Emerging Telephony Conference in San Francisco January 24-26. If you are also planning to be there, please drop us an e-mail.  Jonathan will now be attending Internet Telephony happening at the same time in Florida.  If you are also interested in sending in a report, check out the details on the show blog.
• 02:05 – Feature interview with Shawn Merdinger,  a security researcher now employed by the Tipping Point division of 3Com.  He was previously a security researcher at Cisco and as an independent security researcher started an investigation into the security of WiFi handsets.

  On the weekend of January 13-15, he attended Shmoocon 2006, a hacker conference in Washington, DC, and presented a talk entitled “VoIP WiFi Phone Handset Security Analysis: We’ve met the enemy…and they built our stuff?!?” (his Shmoocon presentation is available for download here)  Following that, on Monday, January 16, 2006, he released advisories to the ‘full-disclosure’ mailing list outlining the vulnerabilities that he found in six SIP WiFi handsets:

  • ACT P202S VoIP wireless phone multiple undocumented ports/services
  • Senao SI-7800H VoIP wireless phone wdbrpc debug service UDP/17185
  • Clipcomm CPW-100E VoIP wireless handset phone open debug service TCP/60023
  • MPM HP-180W VoIP wireless desktop phone undocumented port UDP/9090
  • ZyXel P2000W (Version 2) VoIP wireless phone undocumented port UDP/9090
  • Clipcomm CP-100E VoIP wireless desktop phone open debug service TCP/60023

  We spoke with Shawn at length in a wide-ranging interview that covered topics such as:

  • Background – why did he start the project?

  • Vendor notification program

  • Future plans for further testing?  Methodology?
  • A POP e-mail client on a SIP phone?
  • Test methodology?  Access to manuals?
  • Implications for users of WiFi phones
  • Reactions from affected vendors
  • Summary of vulnerabilities
  • Timeframe for next release?
  • Advice to companies for working with independent security researchers
  • Business opportunities around helping companies work with security researchers
  • Applying this research to the VoIPSA Threat Taxonomy
  • What people and companies can do to help in his research
  • 30:38 – End of interview

  It was quite an enjoyable interview and we commend Shawn for the responsible manner in which he is interacting with vendors and his efforts to educate others about doing the same.  If you would like to assist Shawn in his efforts, by for instance providing WiFi phones for testing, Shawn can be reached at shawnmer@io.com.

• 30:43 – News section: Vulnerabilties:
  • Cisco Call Manager Privilege Elevation
  • Cisco Call Manager DoS
• 31:27 – News section: Articles:
  • Skype Journal: BW: Skype caves in to Chinese censors
  • Business Week: The Great Firewall of China
  • ZDNet Blog: George Ou: Skype 2.0 looks like a virus
  • ZDNet Blog: Russell Shaw: Why pay $2,995 for VoIP security advice? I have a better idea (about Jeremy Casteel’s term paper)
• 32:28 – Vikram, our listener who listens to us in the traffic jams of Bombay, cued us in to this new release of Asterisk: Asterisk releases 1.2.2 which refers to new functionality delivered in conjunction with Ranch Networks  (As it happens, Dan will be interviewing Asterisk co-founder Mark Spencer and someone from Ranch Networks out at ETel and we will have that interview as a show.)
• 33:50 – Wrapup of the show:  upcoming shows, notes about contributing, information about how to provide comments.
• 35:43 – End of show

Comments, suggestions and feedback are welcome either as replies to this post  or via e-mail to blueboxpodcast@gmail.com.  Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows.  You may also call the listener comment line at +1-206-338-6654 to leave a comment there.

Download the show here (MP3, 33MB) or subscribe to the RSS feed to download the show automatically.

Thank you for listening and please do let us know what you think of the show.