Wiretapping Just The Start of VoIP's Security Woes

DoS, DoQ, trojan devices inserted in-line all factor into security concerns for IP phone systems

Researchers said that on the whole, threats facing VoIP networks are similar to those confronting any other networked services -- denial of service attacks, software vulnerabilities, and other exploits with which most security professionals are already familiar.

"It's important that you make sure your VoIP phones and infrastructure are all patched and up-to-date," Cross said. "And tools like IPS technologies that we've used for years to protect operating systems and servers -- they can be deployed to protect VoIP systems as well."

However, unlike most data networks, enterprise VoIP networks don't always fall under the jurisdiction of corporate IT departments, which Cross sees as a potential point of concern.

"Often in organizations, the phone system is not run by the IT department -- it's often run by a facilities group that runs things like HVAC and other building services," he said. "And those guys don't necessarily have the kind of processes in place for managing software systems that IT departments have. It's just not something they've had to deal with in the past."

While VoIP networks are as susceptible to denial-of-service attacks as any other networked service, "denial-of-quality is also a concern," Cross said. That's due to the fact that even a small degradation in service quality can have the effect of knocking out VoIP calling.

"Because Voice over IP has very strict latency requirements, it's very easy for a small network flood attack to affect it," he said. "Whereas with SMTP or other services, you might not notice a degradation of services as quickly."

The problem multiplies if you're using a single network for voice and data, said Stamp. "If you've got a converged data and voice network, the sum of those parts has a greater business value than they do separately. If someone brings it down, you can't use your data network, and you can't pick up your phone to call anyone to help you bring it back up, either."

And like any other networked computer, VoIP systems are vulnerable to remote code execution attacks. In July, ISS discovered two such vulnerabilities in Cisco Systems' Cisco Call Manager that could have been used to cause a denial of service to VoIP users, or to potentially allow someone to gain unauthorized access by executing a program on the system, Cross said.

Nearly every enterprise VoIP system has what Cross called a "media gateway" at its center, running on top of either the Windows or Linux operating system.

"They are the heart of a VoIP network," Cross said. "They have all the voice mail stored on them, and the provisioning information... if someone were to gain control of one of them, they'd have complete control over the phone systems."

"A lot of those attacks are similar to the kinds of remote code execution attacks that we see against traditional operating systems," he added.

Also of concern is remote code execution against VoIP phones themselves, which Cisco, for instance, first warned about more than two years ago.

"If it's a VoIP phone, it's really a computer," Cross said. "If someone is able to exploit one of the services running on that computer, they could take control of it and turn on the microphone and push the audio somewhere, essentially using it as a listening device."

One particularly scary example Cross cited is a UT Starcom wireless handset, first reported in late 2005.

"It came out of the box with a telnet port on it," he said. "You could telnet into it, and the default password was fairly trivial to guess. It was as simple as telnetting to the phone and logging in, and you'd have complete control over the phone."