If your business uses or is considering deploying out VoIP, you should be aware of the many ways your systems could be compromised. Orthus offers an overview of the new and old threats which could harm your IP telephony service.
After spending years being the nearly man of communications technology, voice over IP has really taken off as an enterprise applicable communications mechanism over the past couple of years. Small and medium-sized enterprises are proving keen on the technology, and the cost savings it offers. AMI predicts that most SMEs will choose to move to VoIP over the next five years.
In the headlong rush towards implementing VoIP it is essential that organisations still do not overlook the security implications of the technology. The bulk of VoIP calls currently being made are still not properly secured and this is leaving businesses open to attack.
As increasing numbers of organisations adopt VoIP, increasing numbers of criminally motivated will be enticed to capitalise on the weaknesses in the technology and its implementation. This primer looks at the major varieties of threats businesses of any size face when adopting VoIP.
Disruption through ‘normal’ data attacks
The beauty of converged networks is that voice over IP is ‘just’ another application protocol running on the data network. Unfortunately from a security viewpoint, this means that it will also be affected by all the attacks that cripple data networks, even if they are not deliberately targeting voice over IP.
The most significant specific threat to VoIP is denial of service (DoS) because this can bring a data network to its knees and shut down all applications running on it – including VoIP. This means your employees could be without phone service until the network is restored and operational.
The security bugs that plague data applications will also affect VoIP users. For instance, security company Core Security Technologies discovered a vulnerability in the popular VoIP application Asterisk PBX which allowed hackers to create buffer overflows for a denial of service attack. Any bugs in similar apps you are using could make your network vulnerable to malicious users.
Denial of Service attacks are not merely limited to the exploitation of buffer overflow states however, and attackers can comparatively easily exploit weaknesses in specific protocols such as DHCP (Dynamic Host Configuration Protocol) to exhaust individual resources and ensure your users cannot use your shiny new telephone system.
SIP vulnerabilities
The increasing adoption of session initiation protocol (SIP) for VoIP is expected to open up a whole new front in the security war. SIP is a relatively new protocol which offers little inherent security. Some of its characteristics also leave it vulnerable to hackers, such as using text for encoding and SIP extensions that can create security holes, and indeed a number of publicly available applications can be used by anyone to discover and exploit weaknesses in the protocol.
Examples of hacks for SIP include registration hijacking, which allows a hacker to intercept incoming calls and reroute them; message tampering, which allows a hacker to modify data packets travelling between SIP addresses; and session tear-down, which allows a hacker to terminate calls or carry out a VoIP-targeted DoS attack by flooding the system with shutdown requests. Extensions available within the SIP protocol itself also allow remote attackers to perform application specific attacks, for example the brute forcing of user voicemail boxes.
SPIT
This charmingly named threat is the voice incarnation of the bane of email systems and users- spam – and stands for ’spam over internet telephony’. Spammers are already targeting users of all IM systems with SPIM (spam over instant messaging) and the fact many accounts include demographic information such as user location or age helps them target users.
Until now there have not been a great many instances of VoIP spam but there is great potential for it to become a major problem, just as the abuse of fax machines before it were. SPIT could be generated in a similar way to email spam with botnets targeting millions of VoIP users from compromised machines.
The real-time nature of voice calls will make dealing with SPIT considerably more challenging than email spam. While emails may reside on a server for an extra hour to go through a spam filter, calls must be routed to the recipient instantly.
An innovative solutions havebeen demonstrated includinga technology that defends against SPIT using a range of techniques including a Turing test. The technology claims to be able to correctly identify 99 per cent of SPIT by looking at communications patterns and stopping the call before it is connected to the user.
Vishing
Just as in the email world, tipping dodgy stock and selling V1agRa is only part of SPIT, it can also be used to commit serious fraud. Vishing uses telephony to glean information such as account details directly from users.
One of the first reported cases affected the phishers’ favourite target PayPal. The scam was a true multi-channel attack. Victims first received an email purporting to come from PayPal which asked them to verify their credit card details on a phone line. Those who called the number were then asked to enter their credit card number using the telephone. Once the credit card number had been entered, the fraudsters were free to siphon money from their victim’s account.
Scams like this are not just a danger for voice over IP users but the much lower cost of making VoIP calls will make them much more popular than they would be with standard phone systems. Because users still trust the telephone more than the web, criminals are able to make themselves very convincing by spoofing the correct telephone numbers. And through spamming techniques they can call thousands of people for very little outlay.
VoIP hacking
Like any IP system, a VoIP network is at serious risk of being hacked by a commited external hacker. This can affect anyone who uses VoIP – from the home user through enterprises to service providers. A US fraud case heard how hackers broke into VoIP service providers’ systems using the common ‘brute force’ hack to identify holes in their networks.
VoIP service providers use a prefix on the IP packets to identify their own calls, so the hackers sent millions of fake test calls to find out which prefixes were admitted to the network. Once they had determined the prefix they were able to send calls through those service providers’ networks, and sell these minutes on through two front companies.
Eavesdropping
Hackers can eavesdrop on media streams and intercept VoIP packets to obtain sensitive information by reassembling the packets into speech. One way for hackers to do this is through a man-in-the-middle attack, where a third party spoofs the MAC addresses of the two speaking parties, to force the IP packets to flow through the hackers’ system. It may also be possible for external attackers to reroute the signalling information of a call, and in doing so, happily listen in to supposedly confidential conversations.
While eavesdropping on telephone conversations is not just a risk for VoIP conversations, the nature of IP networks makes access to the phone conversations much easier. Eavesdroppers will no longer need to physically put a tap into a phone line; or gain access to a telephone switch, they can simply get access from a laptop loaded with the right tools connected to the internet. Other compromises are also possible with VoIP, such as intercepting a genuine call to a bank and rerouting it to a bogus bank teller.
Nothing new under the sun
VoIP is growing in popularity and practicality, and has a range of novel attack vectors and applications specifically focused towards its exploitation, however as the adage goes, there is nothing new under the sun. Because the VoIP protocol is implemented in association with conventional networks it is vulnerable to familiar attacks. Many VoIP devices employ web servers to allow for remote administration, and these are subject to the same threats that are present in any other Internet based application.
If organisations do not have sensible policies and procedures in place regarding for example voicemail box passwords, this deficit may well be exploited by attackers, just as an authentication string of ‘password’ fails to provide much in the way of assurance.
Although extensive, all of the threats detailed in this primer can be prevented by proper security procedures, technology and commitment.For further advice and assistance with securing your VoIP network, and mechanisms for reducing the risks you may face, contact Orthus for a free, frank, and confidential conversation.
Author: Sean Bennett
Article Source: EzineArticles.com
Provided by: Beading Necklace
Related Posts -
VegaStream - VoIP & Emergency Services VoIP and Geographic LocationThe emergency services have come to rely on certain features of the traditional telephone system to enable them to do their jobs and to safeguard against misuse of the general publics privilege to call them night or day. The key feature is the Caller Line Indication...... - VegaStream - VoIP & Emergency Services VoIP and Geographic LocationThe emergency services have come to rely on certain features of the traditional telephone system to enable them to do their jobs and to safeguard against misuse of the general publics privilege to call them night or day. The key feature is the Caller Line Indication......
- VegaStream - VoIP & Emergency Services VoIP and Geographic LocationThe emergency services have come to rely on certain features of the traditional telephone system to enable them to do their jobs and to safeguard against misuse of the general public's privilege to call them night or day. The key feature is the Caller Line Indication......
- VegaStream - VoIP & Emergency Services VoIP and Geographic LocationThe emergency services have come to rely on certain features of the traditional telephone system to enable them to do their jobs and to safeguard against misuse of the general public's privilege to call them night or day. The key feature is the Caller Line Indication......
- VegaStream - VoIP & Emergency Services VoIP and Geographic LocationThe emergency services have come to rely on certain features of the traditional telephone system to enable them to do their jobs and to safeguard against misuse of the general public's privilege to call them night or day. The key feature is the Caller Line Indication......
Related Websites - Treasure Isle Marina Treasure Isle Marina is Located in: Treasure Island, CA Phone: 415.981.2416 Website: http://www.treasure-isle.com/ Slips: 107 About the Marina: The marina is located in Clipper Cove, and is considered to be one of the most beautiful harbors in the bay area. As soon as the renovations on the marina and the......
-
Home Network Security [/caption] Home Computer security 1. What is computer security? Computer security is the process of preventing and detecting unauthorized use of your computer. Prevention measures help you to stop unauthorized users (also known as "intruders") from accessing any part of your computer system. Detection helps you to determine whether or...... - AT&T Set To Raise Home Telephone Prices; Time To Switch To VOIP? I am curious as to why AT&T would think it was a good idea to raise home phone prices in California when you can get VOIP from dozens of companies, or use Skype for mere pennies, or just use your cell phone for all your calling needs. Does it make......
- Making Sure Your Wireless Home Network Is Secure As more and more people make the switch from wireless networks to secure networks in their homes, there are a whole new range of security issues to be aware of...
- Web Hosting Terminology Below are some of the terminology that you should familiarize yourself with before choosing your next web hosting provider. ASP: ASP (Active Server Pages) is Microsoft's first server-side script engine for dynamically-generated web pages. ASP.NET processes all code on the server. After the code has been processed, the server returns......
Related posts:
Social comments and analytics for this post…
This post was mentioned on Twitter by goalliant: I just post Vishing, SPITING, Eavesdropping – Security Threats to VoIP Primer on http://ping.fm/YMAu8...