Security threats and vulnerabilities in current Voice over Internet Protocol (VoIP) enterprise deployments would make great fodder for a Hollywood thriller. A riveting screenplay would include voice service misuse and fraud, malicious clients, unauthorized access, phreaking, sniffing, spoofing, call tracking and session hijacking. Plot twists might include SPIT (SPam over Internet Telephony), government E911 regulations, law enforcement wiretapping, denial of service attacks, covert channels, network failures and massive power and phone system outages.
Recent events such as Caller ID spoofing to 911 emergency response services may be a sign that fiction is quickly becoming reality. Practical approaches to secure a VoIP deployment can improve the security story for your organization.
Outlining the Plot
Telecom and IT industry experts agree that VoIP systems involve a complex array of security, management and protocol compatibility issues. As common knowledge of VoIP hacking techniques spreads, enterprises are struggling to respond to this growing risk. “VoIP requires a major shift in how we look at things,” says Rodney Thayer, senior fellow of security research for The Security Consortium (www.thesecurityconsortium.net). Thayer performs independent product testing and security evaluations of network devices for vendors and enterprises to ensure the effectiveness of their network infrastructure controls. He also teaches tutorials on VoIP security at the Black Hat conference.
To make intelligent decisions and manage risk effectively, organizations must develop a clear conceptual understanding and integrated management framework for VoIP. This starts by thinking of voice communications as “data packets” that are transported on a potentially vulnerable, shared data network. The data packets for voice are equally susceptible to attack and are especially sensitive to network latency issues. In contrast to conventional phone systems, the telephony systems and infrastructure used to support VoIP are exposed to the broad range of threats that can impact data networks.
Identifying the Crisis
Soft phones are the software applications that offer voice functionality from a PC. Running telephones from general-purpose computers instead of from dedicated hardware introduces new potential threats, ranging from fraud and misuse, to confidentiality and privacy risks, to denial of service issues. Without effective preventative controls, enterprise users may intentionally or unwittingly violate acceptable use policies or ignore the permission model for an organization’s voice communication system.
Toll fraud could result in huge, unauthorized charges for an enterprise. Confidentiality and privacy breaches are a threat that may create significant liability for organizations that fail to implement effective VoIP security controls.
Without sufficient access controls, unauthorized parties can listen to archived voicemails or improperly access calling records. SPIT becomes a major concern when unwanted calls can leave a company’s network for unauthorized purposes.
Phone phishing incidents may also increase as more companies adopt VoIP. This brand of attack combines a spoofed e-mail with a phone-based scam to steal sensitive information from uninformed users.
Those engaged in social engineering have new tools to spoof caller ID using home-grown approaches or Web-based commercial services that charge only a nominal fee. Some services also offer voice changer features that can alter a person’s voice from male to female, calling from anywhere — in real time. Viruses, malware or botnet agents residing on a personal computer can also exploit telephony services. Soft phones can act as a bridge that enables more attackers to impact production data networks and potentially leverage many more company resources — including critical databases and applications. Exploited soft phones can be converted into attack platforms, making networks more vulnerable to distributed denial-of-service (DDoS) attacks and major network outages.
“The impact regarding physical security should not be overlooked,” says James Connor, principal of N2N Secure, a company that specializes in convergence of physical and logical security. “Remember that every IP device exists somewhere in the physical world.”
And the risk and impact to business operations can be far-reaching: “We see the risk of VoIP evolving along with the opportunities,” Connor says. “It is important to collaborate with all departments to gain the proper insights into what and who will be affected as a result of a breach, such as the possible impact to security control or operation centers.”