Guys ,In a recent report issued by CompTIA , the Computer Technology
Industry Association , 50% of small and medium sized businesses had very
little trust in the security offered by VoIP vendors , or for that
matter , voice over IP security in general .
It is true ,
having your voice and data running on the same infrastructure leaves
your telecommunications particularly vulnerable to all the security
threats inherent in an IP network . Viruses , Trojan Horses , and worms
can all wreak havoc on a network , and having your voice network go down
for even the shortest time is intolerable for most business .
That said , security has come a long way , and most attacks can be
stopped at the gateway by a good network administrator . While attacks
on VoIP networks in particular are by no means widespread , the
possibilities are there , if not imminent , and pose a very real threat
to the very time sensitive requirements of voice over IP .
The
following is a compilation of just some of the security threats facing a
voice over IP network , as well as some security measures that could be
taken to prevent such attacks .
SPIT - The new Spam for VoIP
Most anybody that receives email is familiar with the term Spam . Who
among us has not received dozens of unsolicited emails , clogging up our
mailboxes and causing us to waste our valuable time ? Laws have been
made to reduce the clutter in our mailboxes , and major offenders have
been fined heavily , in some cases put in jail .
Spam is
basically the broadcasting of advertisements , announcements , or other
unwanted messages , over a network or networks , ending up in the mail
boxes of anyone that has an email address on that network . At worst ,
spam is frustrating for the recipient , and can also cause network
problems utilizing a good majority of bandwidth that is meant for other
things . As email applications are connectionless and not sensitive to
time delay , eventually the recipient will receive their emails intact ,
albeit a few minutes later than it would normally take .
Spam
over Internet telephony , otherwise known as SPIT , can have far
greater consequences than email spam . Spitters that target VoIP
gateways can use up the available bandwidth , severely disrupting
Quality of Service and causing a major degradation in voice quality .
The open nature of VoIP phone calls makes it easy for spitters to
broadcast audio commercials just as email advertisements are broadcast .
On closed networks like Vonage or Skype , or even your companies LAN ,
it is a little more difficult as the spitter would have to hack into the
network in order to implement the broadcast . It can , however , be
done .
The ability to broadcast audio messages over a VoIP
network is not , in itself , necessarily a bad thing . Companies should
be able to get out important messages quickly , and on a broader scope ,
emergency services could easily communicate mandatory evacuations , or
warn of impending disasters in the event of catastrophe .
While Spit is certainly a technical possibility , to date , we have not
seen a lot of it . In 2004 , the peer to peer VoIP network Skype got
hacked into , and users were inundated with unsolicited audio messages .
Shortly thereafter , Skype had found and closed the loophole in the
network . One other legal recourse is to get on the national Do Not Call
list , to prevent solicitors from bombarding your voice mail box
Eavesdropping
Probably one of the scariest vulnerabilities of VoIP is the ability of
an outsider to eavesdrop on a private conversation . This concept is
nothing new to IP data networks , and generally requires a packet
analyzer to intercept IP packets , and in the case of VoIP , saving the
data as an audio file . Hackers then have the ability to learn user ids
and passwords , or worse , to gain knowledge of confidential business
information .
While it is true that eavesdropping occurs on
traditional telephone lines as well as cellular networks , for someone
to tap into your home phone line pretty much requires a physical
presence outside your house . In the case of an IP network , a hacker
requires only a laptop , some readily available software , and the
knowledge of how to hack into your network .
Security analysts
have long used encryption techniques to protect the confidentiality of
data traveling through an IP network , and the same concept holds true
for voice packets . The challenge with voice is to encrypt strongly and
quickly , to protect confidentiality and as not to slow down the packet
flow .
Nevertheless , if someone really wants to listen in on your calls , no type of telecommunication is 100% secure .
Phishing the Waters of Voice over IP
Another variation of an email attack , Phishing is designed to trick a
user into revealing sensitive data such as user names , passwords , bank
accounts , credit cards , and even social security numbers . In the
case of VoIP , the attack could come as a voice mail message urging you
to call a designated number and provide your user information . Even if
the call is automated , touch tones can be easily deciphered . Depending
on what information they get , hackers can use it to access bank
accounts , or to steal identities .
While you can program a
PBX to restrict call backs to known phishers , as more users become
familiar with the pitfalls of the Internet , it becomes common knowledge
to never give out sensitive information to automated media , be it via
data or voice .
SIP Registration Hijacking
The
Session Initiation Protocol ( SIP ) is becoming widely accepted as the
method for setting up VoIP phone calls . The process involves a
Registrar ( in some cases the company PBX itself ) , which maintains a
database of all users subscribed to the network , and basically maps
their telephone number to an IP address .
Registration
hijacking occurs when the packet header of either party is intercepted
by a hacker , who substitutes his IP address for that of the legitimate
one . Attacks can take the form of fraudulent toll free calls , denial
of service attacks that can render the user's device useless , or a
simple diversion of communication .
Spoofing
Another
hack that is well known in data networks is spoofing Also known as a
man in the middle attack , spoofing requires hacking into a network and
intercepting packets being sent between two parties . Once the IP
address or phone number of the trusted host is discovered , hackers can
use this attack to misdirect communications , modify data , or in the
case of Caller ID Spoofing , transfer cash from a stolen credit card
number .
SIP registration hijacking is a form of spoofing .
Both of these spoofs , as well as other hacks such as eavesdropping ,
can be prevented by employing encryption techniques at the call set up
phase . Today , the up and coming mechanism to achieve this is to send
SIP messages over an encrypted Transport Layer Security channel .
Putting these two protocols together forms the acronym SIPS .
There is no doubt that IP networks can be , and are , hacked into .
Since a converged network consists of data and voice , VoIP is as
vulnerable as any application to these disruptions , but with a downtime
tolerance of no more than 5 minutes a year , such interruptions are
considered intolerable for voice applications .
As of today ,
most of these security threats are not wide spread , and are presented
here as a what could happen in the future scenario . Industry experts
agree that as voice over Internet telephony becomes more wide spread ,
malicious hacking attempts are bound to follow .
These and
other VoIP security threats can be prevented by a vigilant network staff
, using all the known security precautions typical of an IP network .
No VoIP solution is secure out of the box , and must be locked down by
using common sense approaches , including but not limited to changing
default passwords , closing down unused ports and services , utilizing
firewalls and VPNs for network communications , and diligent intrusion
detection.
