Security threats and vulnerabilities in current Voice over Internet Protocol (VoIP) enterprise deployments would make great fodder for a Hollywood thriller. A riveting screenplay would include voice service misuse and fraud, malicious clients, unauthorized access, phreaking, sniffing, spoofing, call tracking and session hijacking. Plot twists might include SPIT (SPam over Internet Telephony), government E911 regulations, law enforcement wiretapping, denial of service attacks, covert channels, network failures and massive power and phone system outages.
Recent events such as Caller ID spoofing to 911 emergency response services may be a sign that fiction is quickly becoming reality. Practical approaches to secure a VoIP deployment can improve the security story for your organization.
Outlining the Plot
Telecom and IT industry experts agree that VoIP systems involve a complex array of security, management and protocol compatibility issues. As common knowledge of VoIP hacking techniques spreads, enterprises are struggling to respond to this growing risk. “VoIP requires a major shift in how we look at things,” says Rodney Thayer, senior fellow of security research for The Security Consortium (www.thesecurityconsortium.net). Thayer performs independent product testing and security evaluations of network devices for vendors and enterprises to ensure the effectiveness of their network infrastructure controls. He also teaches tutorials on VoIP security at the Black Hat conference.
To make intelligent decisions and manage risk effectively, organizations must develop a clear conceptual understanding and integrated management framework for VoIP. This starts by thinking of voice communications as “data packets” that are transported on a potentially vulnerable, shared data network. The data packets for voice are equally susceptible to attack and are especially sensitive to network latency issues. In contrast to conventional phone systems, the telephony systems and infrastructure used to support VoIP are exposed to the broad range of threats that can impact data networks.
Identifying the Crisis
Soft phones are the software applications that offer voice functionality from a PC. Running telephones from general-purpose computers, instead of from dedicated hardware, introduces new potential threats, ranging from fraud and misuse, to confidentiality and privacy risks, to denial of service issues. Without effective preventative controls, enterprise users may intentionally or unwittingly violate acceptable use policies or ignore the permission model for an organization’s voice communication system.
Toll fraud could result in huge, unauthorized charges for an enterprise. Confidentiality and privacy breaches are a threat that may create significant liability for organizations that fail to implement effective VoIP security controls.
Without sufficient access controls, unauthorized parties can listen to archived voicemails or improperly access calling records. SPIT becomes a major concern when unwanted calls can leave a company’s network for unauthorized purposes.
Phone phishing incidents may also increase as more companies adopt VoIP. This brand of attack combines a spoofed e-mail with a phone-based scam to steal sensitive information from uninformed users.
Those engaged in social engineering have new tools to spoof caller ID using home-grown approaches or Web-based commercial services that charge only a nominal fee. Some services also offer voice changer features that can alter a person’s voice from male to female, calling from anywhere — in real time. Viruses, malware or botnet agents residing on a personal computer can also exploit telephony services. Soft phones can act as a bridge that enables more attackers to impact production data networks and potentially leverage many more company resources — including critical databases and applications. Exploited soft phones can be converted into attack platforms, making networks more vulnerable to distributed denial-of-service (DDoS) attacks and major network outages.
“The impact regarding physical security should not be overlooked,” says James Connor, principal of N2N Secure, a company that specializes in convergence of physical and logical security. “Remember that every IP device exists somewhere in the physical world.”
And the risk and impact to business operations can be far-reaching: “We see the risk of VoIP evolving along with the opportunities,” Connor says. “It is important to collaborate with all departments to gain the proper insights into what and who will be affected as a result of a breach, such as the possible impact to security control or operation centers.”
Finding a Resolution: Eight Ways to Protect VoIP
With the right approach, enterprises can transform a VoIP security tragedy into the feel-good film of 2008. There are eight central elements to mitigate the vulnerability.
1. Establish security policy and supporting business processes: Organizations should apply to VoIP the same controls used to protect data networks. For example, avoid configuring routers with default passwords and implement a resilient logging infrastructure to support collection of key VoIP metrics and distribution of event notifications. Unexpected network traffic can impact the availability of other approved services on the network, so organizations should create a business process to control the use of VoIP technology in the enterprise.
Dealing with the endpoints that serve as soft phone platforms is equally critical. User responsibility is essential to maintain control at the application level. Users and administrators must have sufficient training to define and comply with policies. In addition, organizations should consider establishing rigorous authentication practices and applying data classifications across new integrated data types for unified communications such as VoIP.
2. Create an integrated architecture: A coordinated approach to network management and architecture will become increasingly critical. “Make sure you have infrastructure that is aware that it is defending voice and data networks from each other,” Thayer says. “Think about whether you need more firewalls.”
There are two broad approaches to architecting a VoIP system. In the first case, VoIP is used for both internal and external transmission of voice data. In the second case, an organization will use VoIP for internal communications and still use a traditional PBX for external communications. The latter approach can be more expensive, but may reduce exposure to some network-based threats.
Internally, VoIP systems may be configured for voice data to traverse existing data networks or to leverage a separate network or virtual local area network (VLAN). Thayer explains that it may not be realistic to plan to put VoIP on a totally separate network. Rather, “look at it as a separate part of the existing network, like separation of end-users’ and servers’ farms,” he says. “Plan on having things interact — data will be creeping back and forth between voice and data network segments whether you like it or not.”
“Switches and the rest of your network infrastructure should be as up to date as possible to have bandwidth management, network management and logging capabilities,” Thayer adds. He also suggests building a layered defense by planning to integrate security infrastructure into VoIP deployments: “You want internal firewalls, IDS, IPS, and log analysis in place. Double links and network redundancy may also be worthwhile.”
A diligent approach to architecture will also consider compatibility requirements for various network and endpoint devices with security and telephony protocols such as H.323 and the Session Initiation Protocol (SIP).
3. Maintain and update software: Since VoIP systems can introduce security vulnerabilities to the entire network, organizations should diligently patch and update VoIP installations. Beyond this, VoIP systems rely on the security of underlying platforms; therefore, desktop and server operating systems and the security software supporting these systems must be maintained regularly. Also, validate that staff assigned to maintain VoIP infrastructure have the appropriate skill sets to be successful.
4. Consider criticality, monitoring, metrics and fraud detection: Organizations should make conscious decisions regarding the mission criticality of voice communications relative to other network traffic. Key performance indicators related to VoIP security include:
• Network failures (such as dropped calls);
• User complaints about call quality;
• Customer satisfaction levels with phone experience;
• Achievement of Quality of Service (QoS) objectives;
• Successful detection and correction of abuse and fraud;
• Percentage of network consumed by telephony; and
• Voice bandwidth and data bandwidth budget consumption.
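One way to derive two of these indicators (call failures and possible toll fraud) from call detail records, shown as an added example that is not part of the original article. The CDR column names, the sample rows, the business-hours window and the 3,600-second threshold are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample call detail records (CDRs); column names are assumptions.
SAMPLE_CDRS = """start,extension,dialed,seconds,disposition
2008-01-14T09:12:00,2101,14155550123,180,ANSWERED
2008-01-14T10:03:00,2102,14085550188,0,FAILED
2008-01-14T14:40:00,2101,14155550123,420,ANSWERED
2008-01-15T02:11:00,2107,011442055501234,3300,ANSWERED
2008-01-15T02:58:00,2107,011442055501234,2900,ANSWERED
2008-01-15T03:40:00,2107,0118613055501234,3100,ANSWERED
2008-01-15T11:20:00,2103,011442055501234,240,ANSWERED
"""

BUSINESS_HOURS = range(7, 19)   # assumed policy: 07:00-18:59 local time
OFF_HOURS_INTL_LIMIT = 3600     # assumed threshold: seconds per extension


def load_cdrs(text):
    """Parse CSV-formatted CDR text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def failure_rate(cdrs):
    """Share of call attempts that did not complete (network-failure KPI)."""
    failed = sum(1 for c in cdrs if c["disposition"] != "ANSWERED")
    return failed / len(cdrs) if cdrs else 0.0


def toll_fraud_candidates(cdrs, limit=OFF_HOURS_INTL_LIMIT):
    """Extensions whose off-hours international talk time exceeds the limit."""
    totals = defaultdict(int)
    for c in cdrs:
        hour = datetime.fromisoformat(c["start"]).hour
        international = c["dialed"].startswith("011")  # North American international prefix
        if international and hour not in BUSINESS_HOURS:
            totals[c["extension"]] += int(c["seconds"])
    return {ext: secs for ext, secs in totals.items() if secs > limit}


if __name__ == "__main__":
    cdrs = load_cdrs(SAMPLE_CDRS)
    print(f"failure rate: {failure_rate(cdrs):.1%}")
    print("review for toll fraud:", toll_fraud_candidates(cdrs))
```

Flagged extensions are candidates for review against the acceptable use policy, not confirmed fraud; the threshold should be tuned to the organization's normal calling patterns.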
5. Participate in a community to remain aware of new threats and solutions: InfraGard is a public/private partnership and community of professionals and government representatives dedicated to information sharing and protecting critical U.S. infrastructure. Members of this non-profit group meet on a quarterly basis to discuss concerns about new threats to critical infrastructure sectors such as telecommunications. More details are available at http://www.sfbay-infragard.org or http://www.infragard.net. Some InfraGard members participate in the Government Emergency Telecommunications Service (GETS) which offers priority calling over traditional phone lines during disasters. More details on GETS are available at http://www.gets.ncs.gov.
6. Consider Managed Services: With a rich market of vendors, many organizations are choosing hosted VoIP services. Thayer suggests security diligence here by asking a prospective hosted VoIP service all of the questions you would ask an Internet Service Provider, including:
• How do you handle bandwidth management?
• How robust is your infrastructure?
• Do you use a trouble ticket system to manage customer issues?
• Do you offer 24/7 support?
• How would we troubleshoot an availability or security problem?
He also recommends inquiring about extra features such as customized music on hold, line hunting and supporting multiple sites (including people working from home on the same call groups). Such features may be useful to enhance a security or disaster recovery program.
7. Disaster Recovery: VoIP can become a valuable tool in disaster recovery scenarios. By eliminating a traditional, proprietary Private Branch eXchange (PBX) system, redirecting voice communications during a disaster may be achieved more quickly and easily.
Conversely, VoIP installations introduce new risk because they rely on a local power supply rather than the phone company’s central office. So, local power supplies and interfacing equipment should be addressed when planning for physical security, emergency response and business continuity requirements. All elements of integration and compatibility with alarm systems should be scrutinized. For example, alarm systems that rely on a phone line may be easily defeated unless VoIP infrastructure is physically secured.
8. Physical Security: Don’t forget physical security. Put equipment in locked rooms and make sure that the users and devices that have access to the network are authenticated and approved. Simply controlling physical access to network Ethernet ports can greatly reduce the risk of being phreaked.
Predictions for 2008 and Beyond
In the next year or two, Thayer expects public knowledge on how to build phone exploits to become much more prevalent, specifically with attackers targeting widely adopted products such as Cisco and Skype soft phones. He also predicts significant growth in Denial of Service attacks and believes it is not clear that current efforts toward VoIP security standards will be productive. One exception may be ZRTP, an encryption key negotiation and transport protocol recently proposed to the Internet Engineering Task Force (IETF).
Caller ID spoofing is also likely to get much more pervasive. If enacted into law, the Truth in Caller ID Act of 2007 will generally make it unlawful for any person in the United States to use caller identification (ID) services to transmit misleading or inaccurate caller ID information. Thayer also offers pragmatic advice on Caller ID spoofing vulnerabilities: “The fact that we can spoof means that we should get rid of the whole thing. These techniques were secure in the past, but that has changed, now we must rethink the whole issue.”
Converged technologies will take center stage in 2008. VoIP, along with Voice 2.0 applications and mash ups that bring together wireless networks, mobile phones, RTC (real time collaboration), LBS (location based services), IVR (interactive voice response), speech recognition and video sharing functionality are already adding new dimensions to enterprise risk management. Security practitioners will need to stay current with security, management, and authentication controls for these new services.
Jeff Klaben, CISSP, CISA, CISM is Chief Information Security Officer for a Fortune 1000 biotechnology firm serving the life sciences industry. He also serves as National Ethics Committee Chairman and elected Chairman of the San Francisco Bay Area InfraGard Members Alliance, a public-private partnership and 501 (c)(3) non-profit focused on sharing information to protect critical U.S. Infrastructure. Mr. Klaben can be contacted at: firstname.lastname@example.org