VoIP threats to watch out for

If your business uses or is considering rolling out VoIP, you should be aware of the many ways your systems could be compromised. Anthony Plewes offers an overview of the new and old threats which could harm your IP telephony service.

After spending years being the nearly man of communications technology, voice over IP has really taken off over the past couple of years.

Small and medium-sized enterprises are proving keen on the tech. According to market researchers AMI Partners, worldwide SME spending on VoIP solutions topped $3bn in 2006, up 26 per cent over 2005. AMI predicts that most SMEs will choose to move to VoIP over the next five years.

However, in the headlong rush to VoIP it is essential that organisations do not overlook the security implications of the technology. The bulk of VoIP calls currently being made are still not properly secured and this is leaving businesses open to attack.

As increasing numbers of users adopt VoIP, more hackers and criminals will be enticed to capitalise on the weaknesses in the technology. This primer looks at the major threats businesses of any size face when adopting VoIP.

Disruption through 'normal' data attacks

The beauty of converged networks is that voice over IP is 'just' another application running on the data network. Unfortunately from a security viewpoint, this means that it will also be affected by all the attacks that cripple data networks, even if they are not deliberately targeting voice over IP.

The most significant specific threat to VoIP is denial of service (DoS) because this can bring a data network to its knees and shut down all applications running on it - including VoIP. This means your employees could be without phone service until the network is back up.

The security bugs that plague data applications will also affect VoIP users. For instance, security company Core Security Technologies discovered a vulnerability in the popular VoIP application Asterisk PBX which allowed hackers to create buffer overflows for a denial of service attack. Any bugs in similar apps you are using could make your network vulnerable to malicious users.

SIP vulnerabilities

The increasing adoption of session initiation protocol (SIP) for VoIP is expected to open up a whole new front in the security war. SIP is a relatively new protocol which offers little inherent security. Some of its characteristics also leave it vulnerable to hackers, such as using text for encoding and SIP extensions that can create security holes.

Examples of hacks for SIP include registration hijacking, which allows a hacker to intercept incoming calls and reroute them; message tampering, which allows a hacker to modify data packets travelling between SIP addresses; and session tear-down, which allows a hacker to terminate calls or carry out a VoIP-targeted DoS attack by flooding the system with shutdown requests.

Spit

This charmingly named threat is the voice incarnation of the bane of email - spam - and stands for 'spam over internet telephony'. Spammers are already targeting users of all IM systems with spim (spam over instant messaging) and the fact many accounts include demographic information such as user location or age helps them target users.

Up to now there have not been a great many instances of VoIP spam but there is great potential for it to become a major problem. Spit could be generated in a similar way to email spam with botnets targeting millions of VoIP users from compromised machines.

The real-time nature of voice calls will make dealing with spit much more challenging than email spam. While emails can sit on a server for an extra hour to go through a spam filter, calls must be routed to the recipient instantly.

An innovative solution has been recently demonstrated by Japanese tech company NEC. A technology it has dubbed VoIP Seal defends against spit using a range of techniques including a Turing test. The technology claims to be able to correctly identify 99 per cent of spit by looking at communications patterns and stopping the call before it is connected to the user.

Vishing

Just as in the email world, tipping dodgy stock and flogging Viagra is only part of spit, it can also be used to commit serious fraud. Vishing uses telephony to glean information such as account details directly from users.

One of the first reported cases affected the phishers' favourite target PayPal. The scam was a true multi-channel attack. Victims first received an email purporting to come from PayPal which asked them to verify their credit card details on a phone line. Those who called the number were then asked to enter their credit card number using the telephone. Once the credit card number had been entered, the fraudsters were free to siphon money from their victim's account.

Scams like this are not just a danger for voice over IP users but the much lower cost of making VoIP calls will make them much more popular than they would be with standard phone systems. Because users still trust the telephone more than the web, criminals are able to make themselves very convincing by spoofing the correct telephone numbers. And through spamming techniques they can call thousands of people for very little outlay.

VoIP hacking

Like any IP system, a VoIP network is at serious risk of being hacked. This can affect anyone who uses VoIP - from the home user through enterprises to service providers. A US fraud case in 2006 heard how hackers broke into VoIP service providers' systems using the common 'brute force' hack to identify holes in their networks.

VoIP service providers use a prefix on the IP packets to identify their own calls, so the hackers sent millions of fake test calls to find out which prefixes were admitted to the network. Once they had determined the prefix they were able to send calls through those service providers' networks, and sell these minutes on through two front companies.

Eavesdropping

Hackers can eavesdrop on media streams and intercept VoIP packets to obtain sensitive information by reassembling the packets into speech.

One way for hackers to do this is through a man-in-the-middle attack, where a third party spoofs the MAC addresses of the two speaking parties, to force the IP packets to flow through the hackers' system.

While eavesdropping on telephone conversations is not just a risk for VoIP conversations, the nature of IP networks makes access to the phone conversations much easier. Eavesdroppers will no longer need to physically put a tap into a phone line, they can simply get access from a laptop loaded with the right tools connected to the internet. Other compromises are also possible with VoIP, such as intercepting a genuine call to a bank and rerouting it to a bogus bank teller.

Although extensive, all of these threats can be prevented by proper security procedures and technology. Stay tuned to silicon.com's VoIP security special report for further advice on how to combat the most prevalent threats.