To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://www.silicon.com/research/specialreports/voipsecurity/0,3800013656,39166479,00.htm

The biggest VoIP security threats - and how to stop them
Analysis: Forewarned is forearmed...

By Anthony Plewes

Published: Thursday 22 March 2007

Worried your VoIP network is not secure? Anthony Plewes takes a look how to protect your business from three of the most serious threats to your IP telephony services.

Businesses of all sizes adopting IP telephony need to seriously consider its security implications. But while a number of threats exist, three stand out as the most dangerous, particularly to smaller organisations: denial of service, spit and fraud.

Dodging DoS

The most serious threat to VoIP is a distributed denial of service (DoS) attack. It can affect any internet-connected device and works by flooding networks with spurious traffic or server requests. The attack is generated by machines that have been compromised by a virus or other malware and the massive increase in traffic means the affected servers are unable to process any valid requests and the whole system grinds to a halt. (For more about DoS attacks, watch silicon.com's VoIP security webcast.)

Dave Rand, chief technology officer of anti-malware company Trend Micro, says: "So many internet-connected machines have been compromised that even small DoS attacks measure around 2Gbps with large ones in the 17Gbps range. We believe that 7 per cent of PCs on the internet are compromised and in EMEA alone 6.8 million machines have been used to send spam."

VoIP security webcast

Learn about the most dangerous threats, dos and don'ts and special advice for how SMEs can protect their VoIP networks. Watch it now.

Spammers nurture these networks of machines by keeping with a 'low and slow' approach so that users are simply not aware that their machines are compromised.

While few DoS attacks currently specifically target VoIP systems, the real-time nature of voice traffic means they have a massive impact. Users immediately detect a drop-off in service quality and ultimately their IP handsets stop working. DoS would be an extremely effective tool for hackers wanting to bring down an organisation's entire communications system.

Defending networks against DoS attacks is extremely difficult but enterprises can at least stop their machines from becoming part of the problem. Businesses should use antivirus software and it keep up-to-date, install a firewall and configure it to restrict traffic coming into and leaving the organisation, and use anti-spam tools to cut down on the volume of emailed malware.

Good network practice, such as changing login defaults and using firewalls, can help mitigate the impact of these attacks. In many cases hiring a consultant to do a VoIP-focused security audit will be money very well spent. Dan York, director of IP technology at PBX vendor Mitel, suggests companies use a separate VLAN for their voice traffic so that it can be prioritised in case of any DoS attack. Some routers can also throttle the inflow of traffic to stop the network from being completely flooded.

To cut down on their exposure to any attack, Tipping Point's Endler says that businesses need to look carefully at their VoIP infrastructure and make sure that all unnecessary applications are removed. A good example is the web servers that are built into IP handsets to make them easy to manage remotely. If these are not configured properly then companies may find these actually indexed by Google on the internet. Other applications to be removed include telnet and FTP.

Stopping spit

While the above network vulnerabilities present a very real and present danger to businesses deploying VoIP, media attention has lingered on the potential danger of spam over internet telephony, or spit. (For more about spit, watch silicon.com's VoIP security webcast.)

Spam has been a hot topic for several years and unsolicited commercial and malicious email spam now makes up the majority of email worldwide. In Europe in 2006, according to analysts Radicati, 16 billion spam messages were sent each day, representing 62 per cent of all European email messages - and this figure will increase to 37 billion spam emails a day by 2010.

The palpable fear is that VoIP will suffer the same fate. Certainly spammers wield enough power and would be enthusiastic adopters of a new voice channel to spread their message. If VoIP suffered the same fate as email, enterprise IP telephony would become unusable.

The problem with VoIP spam is that email anti-spam methods will not work. Ovum analyst Graham Titterington says: "A normal content filter won't work, although some pin their hopes on speech recognition. But more likely is that companies will use traffic analysis to identify where the spit is coming from and block traffic coming from compromised servers."

The potential threat posed by spit is driving vendors to develop alternative anti-spam solutions. NEC has announced a modular tool called VoIP Seal that uses a combination of methods to identify spit. When a call comes in, the system checks to see if the call is potentially a spam call by checking whether it comes from a suspect source.

If it is a suspect call, it is forwarded to an automated system that uses a 'Turing test' to identify whether a caller is a human or a machine. This involves playing an announcement and detecting whether the caller tries to speak over it, for example. Other approaches would be to only allow particular callers through by having the system determine the caller's identity but this could fall victim to spoofing.

Despite the potentially dire consequences there is not much evidence of any actual spit attacks. The main reason for this, according to Mitel's York, is that most IP telephony systems are still islands in the sea of PSTN (public switched telephone network). The vast majority of VoIP calls will pass through the PSTN at some stage because most IP telephony networks are not yet directly interconnected. Forewarned, however, is forearmed, and businesses will need to prepare to extend their anti-spam efforts into voice. (For more practical advice about securing your VoIP network, watch silicon.com's VoIP security webcast.)

Fighting fraud

One area where malware can pose a serious problem for VoIP users is fraud. The biggest concern for business is probably going to be premium-rate fraud, where a criminal hacks into the VoIP system and makes calls to a premium rate number.

This fraud is not new and PBXs have always been vulnerable to these hacks. The difference is that few people could hack into PBXs, compared to the hordes actively breaking into IP systems.

Mitel's York says: "Old problems such as these can be solved with traditional solutions such as call-accounting software. Most PBXs have the facility to analyse call records which will allow [businesses] to identify any anomalies quickly."

Though they are likely to be more of a menace to consumers than to businesses, fraud techniques honed in email phishing could be used in voice calls. There is the potential for massive fraud in the early days of voice phishing simply because users still trust telephone messages more than emails. There have already been some clever phishing attacks that use a combination of email and voice to lend credibility to the scam.

One example, detailed on the VoIPSA (VoIP Security Alliance) blog, is an email purporting to be from PayPal that asks users to call a number to verify their account details. There's nothing new about this fraud apart from the use of telephony. Unfortunately the fraudsters are able to make the automated service completely convincing by simply recording the real one. The only way that users can determine that it is fraudulent is by checking the number of they are calling with the real PayPal number.

While the security threats for VoIP are real, if businesses take the proper precautions they can be assured their voice communications will be safe. (Learn more about VoIP security in silicon.com's full webcast.)