Unlike circuit-switched telephone networks, VoIP is software based and introduces vulnerabilities like any other software package. Learn what the weaknesses are, and what to do about them.
Public Switched Telephone Network (PSTN) technology is one of the most secure and reliable technologies in existence. VoIP technology, its eventual replacement, has some very big shoes to fill. And, when it comes to digital security, VoIP appears to be coming up short.
Differences that affect security
Multiple standards: Unlike data traffic, VoIP currently has two standards, H.323 and Session Initiation Protocol (SIP), that are vying for the top spot (shades of Betamax versus VHS). Deciding which protocol to use is dependent on company needs. More importantly, it must be noted that each protocol requires a different security methodology.
Security devices affect Quality of Service (QoS): If VoIP traffic is expected to traverse the same perimeter security equipment as data traffic, there is a good chance the induced delay from firewalls, IDS/IPS, and antimalware devices (which has little effect on data traffic) would significantly reduce the QoS on VoIP traffic, unless network admins selected perimeter security equipment with VoIP traffic in mind.
Now let's look at why VoIP needs help security-wise.
Security issues affecting VoIP
Several issues affect data networks and VoIP networks equally. That is probably why many IT professionals assume what works for the data LAN will work for VoIP.
Denial of Service (DoS): Though data and VoIP traffic have differences, the largest attack vector, denying availability, affects both traffic types equally. The difference being VoIP has an additional DoS attack vector: Spoofing the "Cancel Message."
The above slide (courtesy of Jianqiang Xin and SANS Institute) depicts the process. In his research paper, Xin explained, "The attackers use cancellation of pending call set up signals including sending a CANCEL, GOODBYE, or PORT UNREACHABLE message. Doing so prevents the phone from completing the call, or hanging up."
A different approach, but still an effective DoS attack.
Eavesdropping: Attackers can use Man in the Middle exploits to eavesdrop on data networks and VoIP networks alike. VoIP networks also appear to be more susceptible than PSTNs when it comes to eavesdropping. In his paper, Xin said, "Conventional telephone eavesdropping requires either physical access to tap a line, or penetration of a switch. With VoIP, opportunities for eavesdroppers increase dramatically because of the large number of nodes in the path between the connected nodes."
Xin added there are numerous free tools that convert VoIP traffic to audio files, such as VoMIT.
Integrity threats: This exploit category has attackers assuming the identity of the caller. Spoofing Caller ID is the bad guy exploit of choice and works on PSTN and VoIP systems. Unfortunately, Caller-ID spoofing is easy to pull off and costly to victims. Lance James, chief scientist at Secure Science Corp, in this Schneier blog post mentioned that attackers get their hands on stolen credit cards, figure out the victim's caller-ID, and contact establishments like Western Union pretending to be the victim--ultimately transferring the victim's money to some safe-haven bank account.
Registration hijacking: This exploit happens when attackers replace victim's registration information with their registration code. The attack causes all incoming calls for the victim to be sent to the attacker's address.
Proxy impersonation: Proxy impersonation attacks trick victims into communicating with a rogue proxy set up by the attacker. Once an attacker impersonates a proxy, he has complete control of the call.
Suggested preventative measures
Xin ended the SANS research paper by including several best-practice guidelines that will help prevent nefarious types from exploiting a company's defenses via a VoIP weakness.
- Design the network with data and VoIP traffic in mind: Good practice has network admins placing VoIP and data traffic on separate VLANs. An additional benefit of doing so allows administrators to apply different QoS parameters to data and VoIP VLANS, optimizing traffic flow through each.
- Use VoIP-Ready Equipment: This applies to all networking devices that will see VoIP traffic, in particular perimeter devices using "Deep Packet Inspection." Otherwise, it will be difficult to insure security and QoS at the same time.
- Avoid Using Softphones: Avoid using VoIP computer programs. Adding computer vulnerabilities to the list of security concerns just makes it easier for the bad guys.
- Patch Systems Regularly and Use Appropriate Antivirus Software: Avoiding softphones is one thing. It is still imperative that VoIP firmware and server applications be kept up to date.
- Use Encryption: Even simple encryption protocols offer a substantial improvement in security. Transport layer security is the preferred method.
While researching for this article, I came across an interesting "For Dummies" website, where Kevin Beaver's post How to Detect and Guard against VoIP Security Vulnerabilities that offered additional advice on how to find VoIP vulnerabilities and links to several programs that scan for weaknesses.
VoIP telephony is here to stay. Its convenience and capabilities assure that. Even though Xin's paper is several years old, all of the material and suggestions are just as pertinent today as when the paper was first written.