VoIP Wiretapping Widespread, Warns Security Firm

Firm points to lax security on company phones, new tools for hackers that simplify breaches

Security specialist Scanit says it has come across several popular installations being used in corporate environments without security in place to prevent VoIP wiretapping.

"Throughout the Middle East, the installations we have seen have not had strong security controls in place," Scanit engineer Sheran Gunasekera explains. "Primarily, the reason for this has been the fact that the system integrator or implementer had not paid much attention to the security of the entire setup."

It is possible, Scanit says, for an internal employee of the organisation to intercept voice conversations and re-route calls outside of the firm's network. According to Sheran, a high percentage of installations he has audited had no encryption on the voice stream. There can be several reasons that a corporation or service provider will run an unsecured implementation, he explains.

"The most common reason in large companies is because no-one understood how to secure the system. Staff lacked adequate skills and understanding of the security aspects of the implementation itself. They relied on the vendor or system integrator to set the whole system up."

In turn, the vendor's focus was on functionality of the system rather than security, Sheran says, and so a working system with no security was deployed.

So, how does a hacker find and exploit unprotected web calls?

"When a user first starts up his VoIP, it looks for a SIP Registrar - comparable to a traditional telephone exchange - to register and identify itself on the internet, by way of an IP Address, and to show the user is now contactable," Sheran explains. "If a SIP Registrar is set up with no consideration given to security, it is possible for a malicious user to imitate a legitimate registration request.

"The Registrar itself will assume that this is a legitimate registration request because all the fields will be filled out correctly.

"The only difference is the fact that the destination IP address has changed." It is comparable to changing your mailing address when your name and other details stay the same, he says. "If no steps are taken to verify the new address provided, then your mail will be delivered to this new address, which could be owned by someone else."

There are several safeguards to prevent this, like using encryption and strong authentication for requests with the SIP Registrar. The owner of the VoIP deployment (normally the corporation or service provider) will run one or many SIP registrars and it is the sole responsibility of the party that owns the VoIP implementation to ensure that it is secure, Sheran says.

"If it is a corporation, then the corporate IT security teams will have to ensure this. Security becomes a more serious issue when VoIP service providers are involved. This is because the service is sold to end-users."

There is a greater potential for abuse due to the varied user-base that the VoIP implementation is exposed to.
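The registration check described above can be turned into a simple audit on the registrar side. The following is an added example, not code from the article or from Scanit: it scans REGISTER requests that a registrar is assumed to have accepted (200 OK) and flags those accepted without credentials or that move a user's binding to a new address. The function names, the `example.test` domain and the sample messages are hypothetical and constructed for illustration.

```python
import re

# Constructed sample: (packet source IP, REGISTER text) pairs that the
# registrar is assumed to have answered with 200 OK.
SAMPLES = [
    ("10.0.0.21",
     "REGISTER sip:pbx.example.test SIP/2.0\r\n"
     "To: <sip:alice@example.test>\r\n"
     "Contact: <sip:alice@10.0.0.21:5060>\r\n"
     'Authorization: Digest username="alice", realm="example.test"\r\n\r\n'),
    ("10.0.0.99",
     "REGISTER sip:pbx.example.test SIP/2.0\r\n"
     "To: <sip:alice@example.test>\r\n"
     "Contact: <sip:alice@203.0.113.7:5060>\r\n\r\n"),
]

def parse_register(raw):
    """Return (aor, contact_host, has_auth), or None if not a REGISTER."""
    lines = raw.split("\r\n")
    if not lines[0].startswith("REGISTER "):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    aor = re.search(r"sip:([^>;\s]+)", headers.get("to", ""))
    host = re.search(r"sip:(?:[^@>]+@)?([^:;>\s]+)", headers.get("contact", ""))
    return (aor and aor.group(1), host and host.group(1), "authorization" in headers)

def audit(events):
    """Return [(aor, reasons)] for accepted REGISTERs that look like a hijack."""
    bindings, findings = {}, []  # bindings: aor -> last accepted contact host
    for src_ip, raw in events:
        if (parsed := parse_register(raw)) is None:
            continue
        aor, host, has_auth = parsed
        checks = [(not has_auth, "accepted-without-authorization"),
                  (host != src_ip, "contact-differs-from-source"),  # NAT also triggers this
                  (bindings.get(aor, host) != host, "binding-moved")]
        reasons = [name for hit, name in checks if hit]
        bindings[aor] = host
        if reasons:
            findings.append((aor, reasons))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLES))
```

A Contact address that differs from the packet source is normal for phones behind NAT, so that flag is a triage signal; a REGISTER accepted with no Authorization header is the configuration weakness itself.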

In order to intercept Real-time Transport Protocol streams (or RTP, a standardised packet format for delivering audio over the web), a hacker needs to be physically connected to the network where other users make and receive VoIP calls. RTP streams are usually encoded with a specific codec. Popular tools like Wireshark are able to detect when an RTP stream is traversing a network.

Sometimes, if the voice traffic is not segregated from the data, it is sufficient to run a "sniffer" like Wireshark in order to capture the RTP streams. A program called Cain & Abel even allows direct saving to a .WAV file for playback. An attacker can capture any sound that travels over a VoIP conversation. This may be an entered PIN, or confidential information relating to either financial or personal matters. It also includes information such as confidential financial transactions with regard to mergers or acquisitions, or personal information that can be used to blackmail people.
