VoIP threats: Beyond eavesdropping


When it comes to phone calls, privacy is the most common security concern. Recently, we discussed how hackers can eavesdrop on VoIP calls to discover the content of participants' conversations. But eavesdropping isn't the only -- or, in some cases, even the most serious -- security risk you face when using VoIP.

In addition to intercepting the media protocol packets that contain the actual audio, VoIP attackers can target call-signaling protocols or the underlying networking (i.e., TCP/IP) protocols to cause poor call quality or even crash your VoIP devices and network. Here's a brief look at some of these types of attacks, what makes VoIP vulnerable to them, and how you can protect against them.

Denial-of-service (DoS) attacks

At the network and transport layers, a VoIP network is vulnerable to the same sorts of DoS attacks that attackers have perfected against data networks. A typical method for bringing down the network or a targeted IP-based device (whether it's a computer or a VoIP hard phone) is to flood it with a huge number of packets -- to the point where it's unable to handle the volume and shuts down (or at least performance degrades considerably).

Flooding and logic attacks

A TCP SYN (synchronization) flood exploits how the TCP connection process (the three-way handshake) works. SYN packets, each requesting a new connection, are sent (usually from a spoofed IP address) in such large numbers and so frequently that they overload the target system and fill up its connection queue table, so that it ignores legitimate new connection requests.

The handshake process never completes because the spoofed IP addresses don't return ACK (acknowledgement) packets; thus, the requests stay in the connection queue until they time out. You can mitigate this problem by adjusting the queue length and timeout configurations and by using firewalls that support stateful inspection and/or an intrusion detection system (IDS) to monitor for these attacks.

More specific to VoIP, attackers can use the same type of flooding technique to overload a VoIP device with VoIP protocol packets, such as SIP INVITE or REGISTER packets. Because these attacks occur at a higher level of the networking stack, fewer packets are required to cause problems.

In addition, it's not only SIP that's vulnerable. The Inter-Asterisk eXchange (IAX2) protocol has also been vulnerable to flooding of call requests.

Another way to disrupt network communications is through a logic attack. Unlike a flooding attack that uses the sheer volume of packets to disrupt service, in a logic attack the attacker uses packets that are out of sequence, malformed, or otherwise invalid.

As with flood attacks, logic attacks can focus on the network protocols (TCP/IP) or the higher-layer VoIP protocols. For example, a logic attack could exploit SIP-signaling protocols by sending packets with invalid or incomplete fields. Tools such as InviteFlood and IAXFlood are available at hacker sites, and attackers can use them without needing extensive technical skills.

Protecting against flooding and logic attacks that use VoIP protocols requires a firewall or proxy that's SIP-aware and capable of detecting invalid SIP messages. In addition, you can use "fuzzing," or functional protocol testing, to detect protocol weaknesses; then, you can take measures to correct them.
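The two checks a SIP-aware filter performs, sketched as an added example (not code from the article or from any product): a structural check for malformed requests and a per-source rate check for INVITE/REGISTER floods. The function names, the threshold, and the sample message are assumptions made for illustration.

```python
from collections import deque

# Headers every SIP request must carry (RFC 3261), plus their compact forms.
REQUIRED = ("via", "from", "to", "call-id", "cseq", "max-forwards")
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "l": "content-length"}
METHODS = {"INVITE", "ACK", "BYE", "CANCEL", "REGISTER", "OPTIONS"}

def sip_problems(raw: bytes) -> list:
    """Reasons to drop a SIP request (empty list = passed); folded headers unsupported."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return ["no blank line after the headers"]
    lines = head.decode("utf-8", "replace").split("\r\n")
    start = lines[0].split(" ")
    if len(start) != 3 or start[0] not in METHODS or start[2] != "SIP/2.0":
        return ["bad request line"]
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        name = name.strip().lower()
        if not colon or not name:
            return ["header line without a name or colon"]
        headers[COMPACT.get(name, name)] = value.strip()
    problems = ["missing " + h for h in REQUIRED if h not in headers]
    cseq = headers.get("cseq", "").split()
    if "cseq" in headers and (len(cseq) != 2 or not cseq[0].isdigit() or cseq[1] != start[0]):
        problems.append("CSeq does not match the request line")
    length = headers.get("content-length")
    if length is not None and (not length.isdigit() or int(length) != len(body)):
        problems.append("Content-Length does not match the body")
    return problems

def flood_sources(events, limit, window=1.0):
    """events: (timestamp, source, method) tuples. Return the sources that sent
    more than `limit` INVITE/REGISTER requests within any `window` seconds."""
    recent, flagged = {}, set()
    for ts, src, method in sorted(events):
        if method in ("INVITE", "REGISTER"):
            q = recent.setdefault(src, deque())
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) > limit:
                flagged.add(src)
    return flagged

# Constructed sample: a well-formed REGISTER with no body.
SAMPLE = (b"REGISTER sip:pbx.example.com SIP/2.0\r\nVia: SIP/2.0/UDP 192.0.2.10\r\n"
          b"From: <sip:alice@example.com>;tag=1\r\nTo: <sip:alice@example.com>\r\n"
          b"Call-ID: c1\r\nCSeq: 1 REGISTER\r\nMax-Forwards: 70\r\nContent-Length: 0\r\n\r\n")
```

Because source addresses in a flood are usually spoofed, the rate check is a trigger for throttling or alerting rather than a reliable way to identify the sender.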

Injected messages

Another way for hackers to attack VoIP calls is by injecting spoofed messages into the signaling channel of a call. Fake call teardown DoS attacks are one means of doing this. By using a "call teardown" message -- for example, a SIP BYE message or IAX HANGUP message -- the attacker can cause the call to terminate at whatever point he or she wants.

Once again, hackers don't have to know how to craft these messages themselves -- they can download tools such as sip-kill. To protect against injected messages, encrypt the signaling protocols so no one can monitor the signaling channel, and authenticate all packets.

Call hijacking

Call-hijacking attacks differ from eavesdropping in that they redirect the entire call to a different party, who can then participate in the conversation, pretending to be the legitimate called party. This is possible by modifying the VoIP registrar's database to replace the legitimate called party's IP address with that of the attacker. This causes the VoIP proxy to send calls intended for the original called party to the attacker instead.

Once again, encryption of the call-signaling packets can prevent this type of attack, but SIP messages are clear-text messages. SIP doesn't require authentication, making default SIP implementations vulnerable to these types of "man-in-the-middle" attacks.

Using encryption, such as SIP over Transport Layer Security (TLS), or using IPSec on the VoIP network to encrypt packets as they travel across the network can protect against hijacking and related attacks. Another VoIP encryption option is Phil Zimmermann's Zfone, which uses the Z Real-Time Transport Protocol (ZRTP) to encrypt VoIP packets.
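What "authenticate all packets" means for the registrar binding described above and for teardown messages, as an added example (not code from the article or from any SIP product): a toy registrar that changes a binding only after a valid SIP digest response (the RFC 2617 scheme without qop). The class, the constructed password, and the addresses are assumptions for illustration.

```python
import hashlib, hmac, secrets

def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 digest without qop, the form SIP digest authentication builds on."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")          # the method is bound in: BYE != REGISTER
    return _md5(f"{ha1}:{nonce}:{ha2}")

class Registrar:
    """Toy registrar (hypothetical): requests are honoured only with a valid digest."""
    def __init__(self, realm, passwords):
        self.realm, self.passwords = realm, passwords
        self.bindings, self.nonces = {}, set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def authenticated(self, user, method, uri, nonce, response) -> bool:
        if nonce not in self.nonces or user not in self.passwords:
            return False
        self.nonces.discard(nonce)         # single use: a captured response cannot be replayed
        expected = digest_response(user, self.realm, self.passwords[user], method, uri, nonce)
        return hmac.compare_digest(expected, response)

    def register(self, user, contact, uri, nonce=None, response=""):
        """Return a SIP status code; the binding changes only on 200."""
        if nonce is None or not self.authenticated(user, "REGISTER", uri, nonce, response):
            return 401
        self.bindings[user] = contact
        return 200

def demo():
    """Constructed scenario: unauthenticated re-REGISTER, the real user, then a replay."""
    reg = Registrar("example.com", {"alice": "s3cret-constructed"})
    uri = "sip:example.com"
    spoofed = reg.register("alice", "sip:alice@203.0.113.66", uri)
    nonce = reg.challenge()
    resp = digest_response("alice", "example.com", "s3cret-constructed", "REGISTER", uri, nonce)
    genuine = reg.register("alice", "sip:alice@192.0.2.10", uri, nonce, resp)
    replayed = reg.register("alice", "sip:alice@203.0.113.66", uri, nonce, resp)
    return spoofed, genuine, replayed, reg.bindings["alice"]
```

Digest proves knowledge of the password for one method and URI only; it does not cover the Contact header or hide the message, which is why authentication is paired with SIP over TLS or IPSec.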

Caller ID spoofing

Another way for hackers to attack VoIP users is by spoofing caller ID information to make it appear that their calls originate from elsewhere (the same basic concept as e-mail return address spoofing). If the VoIP system uses caller ID information to authenticate callers, the hacker will appear to be an authenticated caller. Because knowledgeable attackers can easily spoof caller ID information, your system should never rely on caller ID information for authentication purposes.

Summary

When it comes to protecting VoIP from attackers, the most important element is encryption, encryption, encryption. But don't stop with encrypting the media channel -- the call-signaling channel needs protection as well. There are vendor-specific solutions for encrypting the signaling protocol itself, or you can use IPSec or TLS to encrypt the traffic at the network or transport layer.

There's no perfect, standard solution yet, but the first step toward defending your VoIP network is to be aware of the problem. By implementing VoIP-aware network devices and using encryption technologies, you can avoid many of the DoS, hijacking, and spoofing attacks to which VoIP is vulnerable.

Deb Shinder is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. She currently specializes in security issues and Microsoft products, and she has received Microsoft's Most Valuable Professional (MVP) status in Windows Server Security.

2 comments
dnvechoes

I'm getting targeted by an internet prankster who is using a VOIP to have me call other people. This weekend he had my call intercept phone the police. What can I do to stop this guy? How hard will he be to find? There has to be a way to keep his calls from getting through. Any ideas? This is all beyond me.

navaranganr

It's widely believed that VoIP had been facing huge security concerns. In DoS attacks, this article mentioned that it could be protected by the IDS. I wonder, if we prevent DoS like this, how can we protect against Distributed DoS? If an attacker targets from more places, can we prevent the attacks via IDS?