In a recent report issued by CompTIA, the Computer Technology Industry Association, 50% of small and medium sized businesses (SMBs) had very little trust in the security offered by VoIP vendors, or for that matter, voice over IP security in general.
It is true, having your voice and data running on the same infrastructure leaves your telecommunications particularly vulnerable to all the security threats inherent in an IP network. Viruses, Trojan Horses, and worms can all wreak havoc on a network, and having your voice network go down for even the shortest time is intolerable for most businesses.
That said, security has come a long way, and most attacks can be stopped at the gateway by a good network administrator. While attacks on VoIP networks in particular are by no means widespread, the possibilities are there, if not imminent, and pose a very real threat to the very time sensitive requirements of voice over IP.
The following is a compilation of just some of the security threats facing a voice over IP network, as well as some security measures that could be taken to prevent such attacks.
SPIT – The new Spam for VoIP
Most anybody that receives email is familiar with the term Spam. Who among us has not received dozens of unsolicited emails, clogging up our mailboxes and causing us to waste our valuable time? Laws have been made to reduce the clutter in our mailboxes, and major offenders have been fined heavily, in some cases put in jail.
Spam is basically the broadcasting of advertisements, announcements, or other unwanted messages, over a network or networks, ending up in the mail boxes of anyone that has an email address on that network. At worst, spam is frustrating for the recipient, and can also cause network problems utilizing a good majority of bandwidth that is meant for other things. As email applications are connectionless and not sensitive to time delay, eventually the recipient will receive their emails intact, albeit a few minutes later than it would normally take.
Spam over Internet telephony, otherwise known as SPIT, can have far greater consequences than email spam. Spitters that target VoIP gateways can use up the available bandwidth, severely disrupting Quality of Service and causing a major degradation in voice quality.
The open nature of VoIP phone calls makes it easy for spitters to broadcast audio commercials just as email advertisements are broadcast. On closed networks like Vonage or Skype, or even your company's LAN, it is a little more difficult as the spitter would have to hack into the network in order to implement the broadcast. It can, however, be done.
The ability to broadcast audio messages over a VoIP network is not, in itself, necessarily a bad thing. Companies should be able to get out important messages quickly, and on a broader scope, emergency services could easily communicate mandatory evacuations, or warn of impending disasters in the event of catastrophe.
While SPIT is certainly a technical possibility, to date, we have not seen a lot of it. In 2004, the peer to peer VoIP network Skype got hacked into, and users were inundated with unsolicited audio messages. Shortly thereafter, Skype had found and closed the loophole in the network. One other legal recourse is to get on the national Do Not Call list, to prevent solicitors from bombarding your voice mail box.
Eavesdropping
Probably one of the scariest vulnerabilities of VoIP is the ability of an outsider to eavesdrop on a private conversation. This concept is nothing new to IP data networks, and generally requires a packet analyzer to intercept IP packets, and in the case of VoIP, saving the data as an audio file. Hackers then have the ability to learn user ids and passwords, or worse, to gain knowledge of confidential business information.
While it is true that eavesdropping occurs on traditional telephone lines as well as cellular networks, for someone to tap into your home phone line pretty much requires a physical presence outside your house. In the case of an IP network, a hacker requires only a laptop, some readily available software, and the knowledge of how to hack into your network.
Security analysts have long used encryption techniques to protect the confidentiality of data traveling through an IP network, and the same concept holds true for voice packets. The challenge with voice is to encrypt strongly and quickly, to protect confidentiality without slowing down the packet flow.
Nevertheless, if someone really wants to listen in on your calls, no type of telecommunication is 100% secure.
Phishing the Waters of Voice over IP
Another variation of an email attack, Phishing is designed to trick a user into revealing sensitive data such as user names, passwords, bank accounts, credit cards, and even social security numbers. In the case of VoIP, the attack could come as a voice mail message urging you to call a designated number and provide your user information. Even if the call is automated, touch tones can be easily deciphered. Depending on what information they get, hackers can use it to access bank accounts, or to steal identities.
While you can program a PBX to restrict call backs to known phishers, as more users become familiar with the pitfalls of the Internet, it becomes common knowledge to never give out sensitive information to automated media, be it via data or voice.
SIP Registration Hijacking
The Session Initiation Protocol (SIP) is becoming widely accepted as the method for setting up VoIP phone calls. The process involves a Registrar (in some cases the company PBX itself), which maintains a database of all users subscribed to the network, and basically maps their telephone number to an IP address.
Registration hijacking occurs when the packet header of either party is intercepted by a hacker, who substitutes his IP address for that of the legitimate one. Attacks can take the form of fraudulent toll free calls, denial of service attacks that can render the user’s device useless, or a simple diversion of communication.
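One way a registrar operator could watch for the binding substitution described above is to track each user's registered contact host and flag a REGISTER that moves a binding to a different host before the previous one has expired. The following Python example is added here and is not part of the original article; the function names, the example.test domain, the addresses and the trimmed-down sample messages are all constructed for illustration, and the check is a heuristic that also fires when a legitimate user changes networks.

```python
import re

def build_register(user, host, transport="UDP", expires=3600):
    """Build a constructed REGISTER request (sample data, not a capture)."""
    return (f"REGISTER sip:example.test SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} {host}:5060\r\n"
            f"To: <sip:{user}@example.test>\r\n"
            f"Contact: <sip:{user}@{host}:5060>\r\n"
            f"Expires: {expires}\r\n\r\n")

def parse_register(raw):
    """Return (aor, contact_host, transport, expires), or None if not REGISTER."""
    lines = raw.split("\r\n")
    if not lines[0].startswith("REGISTER "):
        return None
    hdr = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            hdr[name.strip().lower()] = value.strip()
    aor = re.search(r"<(sips?:[^>;]+)>", hdr["to"]).group(1).lower()
    host = re.search(r"@([^:;>]+)", hdr["contact"]).group(1)
    transport = hdr["via"].split()[0].split("/")[2].upper()
    return aor, host, transport, int(hdr.get("expires", 3600))

def detect_rebinding(events):
    """Flag REGISTERs that move a still-valid binding to a different host."""
    bindings = {}  # address-of-record -> (contact host, expiry time)
    alerts = []
    for ts, raw in events:
        parsed = parse_register(raw)
        if parsed is None:
            continue
        aor, host, transport, expires = parsed
        old = bindings.get(aor)
        if old and old[0] != host and ts < old[1]:
            alerts.append((ts, aor, old[0], host, transport))
        bindings[aor] = (host, ts + expires)
    return alerts

# Constructed events: (arrival time in seconds, raw message), in time order.
SAMPLE_EVENTS = [
    (0, build_register("alice", "192.0.2.10")),
    (100, build_register("bob", "192.0.2.20", expires=600)),
    (1000, build_register("bob", "192.0.2.21")),       # old binding expired
    (1800, build_register("alice", "192.0.2.10")),     # normal refresh
    (2000, build_register("alice", "203.0.113.66")),   # host changed early
]

if __name__ == "__main__":
    for alert in detect_rebinding(SAMPLE_EVENTS):
        print("suspicious re-registration:", alert)
```

Each alert carries the transport from the Via header, so an analyst can see at a glance whether the suspicious request arrived over cleartext UDP or over TLS.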
Spoofing
Another hack that is well known in data networks is spoofing. Also known as a man in the middle attack, spoofing requires hacking into a network and intercepting packets being sent between two parties. Once the IP address or phone number of the trusted host is discovered, hackers can use this attack to misdirect communications, modify data, or in the case of Caller ID Spoofing, transfer cash from a stolen credit card number.
SIP registration hijacking is a form of spoofing. Both of these spoofs, as well as other hacks such as eavesdropping, can be prevented by employing encryption techniques at the call set up phase. Today, the up and coming mechanism to achieve this is to send SIP messages over an encrypted Transport Layer Security channel. Putting these two protocols together forms the acronym SIPS.
There is no doubt that IP networks can be, and are, hacked into. Since a converged network consists of data and voice, VoIP is as vulnerable as any application to these disruptions, but with a downtime tolerance of no more than 5 minutes a year, such interruptions are considered intolerable for voice applications.
As of today, most of these security threats are not widespread, and are presented here as a "what could happen in the future" scenario. Industry experts agree that as voice over Internet telephony becomes more widespread, malicious hacking attempts are bound to follow.
These and other VoIP security threats can be prevented by a vigilant network staff, using all the known security precautions typical of an IP network. No VoIP solution is secure out of the box, and must be locked down by using common sense approaches, including but not limited to changing default passwords, closing down unused ports and services, utilizing firewalls and VPNs for network communications, and diligent intrusion detection.
Author: Michael Talbert
Article Source: EzineArticles.com