Wednesday, March 4, 2009
SIP Security - User Interfaces
As SIP-enabled phones become capable of receiving calls from callers identified by SIP URIs, much thought needs to be given to how these identifiers (assuming they are verified) are rendered to end users.
It is common for a phone to render the "Display Name" from a SIP request on the phone's UI. This value is set by the caller themselves, and in the case where the caller is an attacker, it can be manipulated to make the UI display a value of the attacker's choosing, for example:
From: "manager@hsbc.co.uk" <sip:attacker@evil.example.com>;tag=xxx
Every single SIP device I tested displayed this as manager@hsbc.co.uk on the screen.
Even more thought needs to be given before honouring Call-Info. A picture of a padlock could be sent with Call-Info to render a padlock on the screen, lulling the user into thinking the call is secure.
Some people suggest rendering the URI of the identity instead, but how do UIs render this?
From: <sip:manager%40hsbc.co.uk%00@evil.example.com>;tag=xxx
You guessed it, on the phone on my desk, I get:
Ahem.
Identity in SIP is more than just technical solutions. User Interfaces need to be carefully considered.
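To make the two rendering problems above concrete from the defender's side, here is an added example (not code from the original post or from any phone vendor) of how a UI layer might parse a SIP From header and derive what it is safe to show. It splits the user part from the host on the raw, undecoded URI before percent-decoding, makes control characters such as the encoded NUL visible rather than letting them truncate the string, and flags a display name that itself looks like an address. The header values are the two constructed examples from the post plus one benign one; the names `parse_from_header`, `CallerId` and `safe_display` are this example's own.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Parses the name-addr form of a SIP From/To header value:
#   [display-name] <uri>[;params]
# where display-name is either a quoted-string or a run of tokens.
NAME_ADDR_RE = re.compile(
    r'^\s*(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<token>[^<"]*?))\s*<(?P<uri>[^>]+)>(?P<params>.*)$'
)

# A display name that itself looks like an address (user@host or a SIP URI)
LOOKS_LIKE_ADDRESS_RE = re.compile(r'@|^sips?:', re.IGNORECASE)


@dataclass
class CallerId:
    user: str          # decoded user part, control characters made visible
    host: str          # host part, taken from the raw (undecoded) URI
    display_name: str  # caller-supplied text; never shown on its own
    warnings: list = field(default_factory=list)

    @property
    def safe_display(self) -> str:
        """What the UI should show: the address, not the display name."""
        return f"{self.user}@{self.host}"


def _make_visible(s: str) -> str:
    # Replace NUL and other control characters with an escape so that a
    # C-string style truncation cannot hide the real host from the user.
    return "".join(ch if ch.isprintable() else f"\\x{ord(ch):02x}" for ch in s)


def parse_from_header(header: str) -> CallerId:
    """Parse a From header (with or without the 'From:' prefix) into a CallerId."""
    value = header.split(":", 1)[1] if header.lower().startswith("from:") else header
    m = NAME_ADDR_RE.match(value)
    if not m:
        raise ValueError("unsupported From header form")
    display_name = m.group("quoted") if m.group("quoted") is not None else m.group("token").strip()
    uri = m.group("uri")
    warnings = []

    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in ("sip", "sips"):
        warnings.append(f"unexpected URI scheme {scheme!r}")

    # Drop URI parameters and headers that follow the hostport (";..." / "?...").
    cut = re.search(r'[;?]', rest)
    addr = rest[:cut.start()] if cut else rest

    # The separator is the LAST raw '@'. A percent-encoded %40 inside the user
    # part is data, not a separator, so split before decoding anything.
    raw_user, sep, host = addr.rpartition("@")
    if not sep:
        raw_user, host = "", addr

    decoded_user = unquote(raw_user)
    user = _make_visible(decoded_user)
    if "@" in decoded_user:
        warnings.append("user part contains '@' after decoding")
    if user != decoded_user:
        warnings.append("user part contains control characters")
    if display_name and LOOKS_LIKE_ADDRESS_RE.search(display_name):
        warnings.append("display name looks like an address")

    return CallerId(user=user, host=host, display_name=display_name, warnings=warnings)


if __name__ == "__main__":
    # Constructed sample headers: the two from the post and one benign caller.
    samples = [
        'From: "manager@hsbc.co.uk" <sip:attacker@evil.example.com>;tag=xxx',
        'From: <sip:manager%40hsbc.co.uk%00@evil.example.com>;tag=xxx',
        'From: "Alice" <sip:alice@example.org>;tag=1',
    ]
    for h in samples:
        cid = parse_from_header(h)
        print(f"show: {cid.safe_display!r}  display-name: {cid.display_name!r}  warnings: {cid.warnings}")
```

The point of the design is that the rendered string is always derived from the URI's host as written on the wire, and anything the caller controls (the display name, the decoded user part) is either demoted to secondary text or escaped so that it cannot impersonate the host portion.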

3 Comments:
That second example looks particularly evil. I hope it's been reported to the phone's manufacturer! =)
yes, although I need my own bug tracker for keeping track of all the bugs I have open with some of the SIP vendors :-)
It is a bit disappointing to see the same old problems being reimplemented when handling newer protocols.