Players and Codecs Come Under Hacker Scrutiny
Several sessions at Black Hat 2007 showed the need to continue developing lean code and closing potential vulnerabilities in media players that might be exploited by hackers. Many of the articles on StreamingMedia.com focus on the need for encryption of the actual content, including digital rights management (DRM), so that content piracy is minimized. But little mainstream coverage has been given to the vulnerabilities of players—and the codecs themselves—and what that might mean for redirection or disruption of content.
The annual gathering of "white hat," "grey hat," and "black hat" hackers and security consultants at the Defcon and Black Hat 2007 events in Las Vegas last week was probably best known in the mainstream press for the "outing" of an undercover reporter with a hidden camera from NBC’s Dateline program. But several key presentations explained vulnerabilities in media software that warrant mention in some detail.
Three of these presentations were given by representatives from iSEC Partners, a security consulting firm that provides penetration testing, secure systems development, security education, and software design verification. The company serves primarily Fortune 500 companies and has a history of finding breaches in particular software programs that often result in the creation of patches by the software company.
The presentations ranged from exploits in the RTP protocol, which is used for voice- and video-over-IP calls, to discussions of exploits against SIP, H.323, and IAX, the latter a popular VoIP protocol. One presentation demonstrated the ability to find an ongoing VoIP call and choose either to hang up the call—via an exploit of the HANGUP command that is required for the system to successfully end a call—or to insert other audio into the call in a disruptive manner.
The presentation of most immediate interest to StreamingMedia.com readers, though, was the aptly named "Exposing Vulnerabilities in Media Software" presented by iSEC’s David Thiel. The session focused on what Thiel describes as a "large attack surface," an opportunity that has grown dramatically enough to interest hackers who might exploit the vulnerabilities with malicious intent.
Rather than just discussing the vulnerabilities, which Thiel did at length, he also demonstrated several exploits by use of a fuzzer. In security penetration terms, fuzzing is a method of discovering faults in software by providing unexpected input and monitoring for exceptions. In essence, a fuzzer throws garbage or junk input at the software and watches whether any vulnerabilities surface that leak information such as passwords in clear text (non-encrypted information) or even which coding libraries have been used, so that known exploits against a particular code library (for C, Python, or other programming languages) could then be applied.
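The fuzzing loop Thiel describes, as an added example that is not code from the talk or from iSEC: a constructed toy chunk parser, standing in for a media demuxer, is fed mutated copies of a well-formed seed file and every unexpected exception is recorded together with the input that triggered it, so the fault can be reproduced and fixed; a length-checked variant beside it shows what clean rejection of bad input looks like to the same harness. The container format, SEED, and all function names are hypothetical.

```python
import random
import struct

# Constructed toy "chunked media container" (4-byte tag, 4-byte big-endian
# payload length, payload) standing in for a real demuxer; not any product's code.
SEED = (b"HDR " + struct.pack(">I", 4) + b"v001"
        + b"DATA" + struct.pack(">I", 8) + b"abcdefgh")  # two well-formed chunks
def parse_chunks(data: bytes) -> list:
    """Naive parser: trusts the declared length field."""
    chunks, pos = [], 0
    while pos < len(data):
        length = struct.unpack(">I", data[pos + 4:pos + 8])[0]  # may be short
        payload = data[pos + 8:pos + 8 + length]
        # Fault: a corrupted length leaves payload shorter than `length`; the
        # last-byte access then runs past the buffer (OOB read in a C codec).
        chunks.append((data[pos:pos + 4], payload[0], payload[length - 1]))
        pos += 8 + length
    return chunks
def parse_chunks_checked(data: bytes) -> list:
    """Hardened parser: validates every length against the bytes present."""
    chunks, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 8:
            raise ValueError("truncated chunk header")
        length = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        if length == 0 or length > len(data) - pos - 8:
            raise ValueError("bad chunk length")
        payload = data[pos + 8:pos + 8 + length]
        chunks.append((data[pos:pos + 4], payload[0], payload[length - 1]))
        pos += 8 + length
    return chunks
def mutate(data: bytes, rng: random.Random) -> bytes:
    """Overwrite one to four random bytes of the seed."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)
def fuzz(parser, seed=SEED, iterations=2000, rng_seed=1, expected=(ValueError,)):
    """Map each unexpected exception type to the first input that raised it."""
    rng, findings = random.Random(rng_seed), {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            parser(case)
        except expected:
            pass  # clean rejection of malformed input is the desired outcome
        except Exception as exc:
            findings.setdefault(type(exc).__name__, case)
    return findings
```

Running `fuzz(parse_chunks)` reports an `IndexError` (and usually a `struct.error`) within a few hundred iterations, while `fuzz(parse_chunks_checked)` returns an empty dict because every malformed input is rejected with `ValueError`.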