It is true , having your voice and data running on the same infrastructure leaves your telecommunications particularly vulnerable to all the security threats inherent in an IP network . Viruses , Trojan Horses , and worms can all wreak havoc on a network , and having your voice network go down for even the shortest time is intolerable for most business .
That said , security has come a long way , and most attacks can be stopped at the gateway by a good network administrator . While attacks on VoIP networks in particular are by no means widespread , the possibilities are there , if not imminent , and pose a very real threat to the very time sensitive requirements of voice over IP .
The following is a compilation of just some of the security threats facing a voice over IP network , as well as some security measures that could be taken to prevent such attacks .
SPIT - The new Spam for VoIP
Most anybody that receives email is familiar with the term Spam . Who among us has not received dozens of unsolicited emails , clogging up our mailboxes and causing us to waste our valuable time ? Laws have been made to reduce the clutter in our mailboxes , and major offenders have been fined heavily , in some cases put in jail .
Spam is basically the broadcasting of advertisements , announcements , or other unwanted messages , over a network or networks , ending up in the mail boxes of anyone that has an email address on that network . At worst , spam is frustrating for the recipient , and can also cause network problems utilizing a good majority of bandwidth that is meant for other things . As email applications are connectionless and not sensitive to time delay , eventually the recipient will receive their emails intact , albeit a few minutes later than it would normally take .
Spam over Internet telephony , otherwise known as SPIT , can have far greater consequences than email spam . Spitters that target VoIP gateways can use up the available bandwidth , severely disrupting Quality of Service and causing a major degradation in voice quality .
The open nature of VoIP phone calls makes it easy for spitters to broadcast audio commercials just as email advertisements are broadcast . On closed networks like Vonage or Skype , or even your companies LAN , it is a little more difficult as the spitter would have to hack into the network in order to implement the broadcast . It can , however , be done .
The ability to broadcast audio messages over a VoIP network is not , in itself , necessarily a bad thing . Companies should be able to get out important messages quickly , and on a broader scope , emergency services could easily communicate mandatory evacuations , or warn of impending disasters in the event of catastrophe .
While Spit is certainly a technical possibility , to date , we have not seen a lot of it . In 2004 , the peer to peer VoIP network Skype got hacked into , and users were inundated with unsolicited audio messages . Shortly thereafter , Skype had found and closed the loophole in the network . One other legal recourse is to get on the national Do Not Call list , to prevent solicitors from bombarding your voice mail box
Eavesdropping
Probably one of the scariest vulnerabilities of VoIP is the ability of an outsider to eavesdrop on a private conversation . This concept is nothing new to IP data networks , and generally requires a packet analyzer to intercept IP packets , and in the case of VoIP , saving the data as an audio file . Hackers then have the ability to learn user ids and passwords , or worse , to gain knowledge of confidential business information .
While it is true that eavesdropping occurs on traditional telephone lines as well as cellular networks , for someone to tap into your home phone line pretty much requires a physical presence outside your house . In the case of an IP network , a hacker requires only a laptop , some readily available software , and the knowledge of how to hack into your network .
Security analysts have long used encryption techniques to protect the confidentiality of data traveling through an IP network , and the same concept holds true for voice packets . The challenge with voice is to encrypt strongly and quickly , to protect confidentiality and as not to slow down the packet flow .
Nevertheless , if someone really wants to listen in on your calls , no type of telecommunication is 100% secure .
Phishing the Waters of Voice over IP
Another variation of an email attack , Phishing is designed to trick a user into revealing sensitive data such as user names , passwords , bank accounts , credit cards , and even social security numbers . In the case of VoIP , the attack could come as a voice mail message urging you to call a designated number and provide your user information . Even if the call is automated , touch tones can be easily deciphered . Depending on what information they get , hackers can use it to access bank accounts , or to steal identities .
While you can program a PBX to restrict call backs to known phishers , as more users become familiar with the pitfalls of the Internet , it becomes common knowledge to never give out sensitive information to automated media , be it via data or voice .
SIP Registration Hijacking
The Session Initiation Protocol ( SIP ) is becoming widely accepted as the method for setting up VoIP phone calls . The process involves a Registrar ( in some cases the company PBX itself ) , which maintains a database of all users subscribed to the network , and basically maps their telephone number to an IP address .
Registration hijacking occurs when the packet header of either party is intercepted by a hacker , who substitutes his IP address for that of the legitimate one . Attacks can take the form of fraudulent toll free calls , denial of service attacks that can render the user's device useless , or a simple diversion of communication .
Spoofing
Another hack that is well known in data networks is spoofing Also known as a man in the middle attack , spoofing requires hacking into a network and intercepting packets being sent between two parties . Once the IP address or phone number of the trusted host is discovered , hackers can use this attack to misdirect communications , modify data , or in the case of Caller ID Spoofing , transfer cash from a stolen credit card number .
SIP registration hijacking is a form of spoofing . Both of these spoofs , as well as other hacks such as eavesdropping , can be prevented by employing encryption techniques at the call set up phase . Today , the up and coming mechanism to achieve this is to send SIP messages over an encrypted Transport Layer Security channel . Putting these two protocols together forms the acronym SIPS .
There is no doubt that IP networks can be , and are , hacked into . Since a converged network consists of data and voice , VoIP is as vulnerable as any application to these disruptions , but with a downtime tolerance of no more than 5 minutes a year , such interruptions are considered intolerable for voice applications .
As of today , most of these security threats are not wide spread , and are presented here as a what could happen in the future scenario . Industry experts agree that as voice over Internet telephony becomes more wide spread , malicious hacking attempts are bound to follow .
These and other VoIP security threats can be prevented by a vigilant network staff , using all the known security precautions typical of an IP network . No VoIP solution is secure out of the box , and must be locked down by using common sense approaches , including but not limited to changing default passwords , closing down unused ports and services , utilizing firewalls and VPNs for network communications , and diligent intrusion detection.
No comments:
Post a Comment