Security barriers to VoIP and how to handle them


VOIP is susceptible to the same types of attacks that threaten other network applications, but there are some potential new ones that focus directly on VOIP. David Endler, chairman and founder of the VOIP Security Alliance and director of security research for TippingPoint, spoke with Network World Senior Editor Tim Greene about VOIP security issues and what you can do to protect your assets.

What new VOIP threats do you see out there?

We saw the first voice phishing attack. It looks much like the traditional e-mail phishing attack except that, instead of tricking or inducing your victim to click on a spoofed link to take them to a Web site, you’re actually tricking them to dial a phone number that takes them to a spoofed automated attendant.

If I can trick you into calling a number that you think is Bank of America, and I can mock up a VOIP system fairly easily with free tools, then I can ask you to enter in your account info and your PIN number and even some other verification like your Social Security number or your billing ZIP Code. Then the hacker can go in and reconstruct those tones after the fact and use them to access your account.

These aren’t new scams; it’s just that voice over IP makes it a lot easier to perpetrate them in a widespread manner.

What can be done to combat voice phishing?

What you could do if you have a constant feed of these voice-phishing numbers is program them into your PBX as restricted numbers. So that way your users wouldn’t necessarily be able to call these numbers back despite falling for the e-mail come-on.

Another thing is user education.

What other new threats have you seen?

The rest of them are more mischievous or not necessarily as financially motivated. Things like redirecting someone’s incoming calls to yourself might become a problem. It requires some knowledge of what you are doing.

Registration hijacking is the way you would do that. The way these phones work is when I take my VOIP phone and plug in, the PBX knows that I am where I am basically by my IP address, and all incoming calls to me go to my office phone.

But if I go on the road and I take my phone or I use the softphone on my laptop, I’ll want incoming calls to go there. Wherever I am, the phone will register. Registration hijacking is tricking the PBX into thinking that someone has moved and then having all their calls directed to the wrong IP address.

What can you do about that?

There are a lot of best practices there. Enabling encryption and authentication on the VOIP side helps. That way you can’t necessarily spoof messages to the PBX as easily.

What other VOIP attacks are out there?

There’s something called an invite flood, which is more for a [Session Initiation Protocol]-based network, making someone’s phone ring off the hook. It’s like a flooding attack that’s on the application side. You obviously don’t know which phone calls are legitimate and which calls are bogus.
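The registration hijacking and invite flood behaviour described in the answers above can both be spotted on the PBX side by watching SIP requests. The following is an added example (not code from the interview, from Endler, or from any PBX vendor) that parses constructed SIP request heads, flags a REGISTER that moves an address-of-record to a different host, and flags targets that receive a burst of INVITEs. The sample traffic, the one-second window and the threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque

SAMPLE = [  # constructed sample traffic (seconds, raw SIP request head); not real captures
    (0.0, "REGISTER sip:pbx.example.com SIP/2.0\r\nTo: <sip:alice@pbx.example.com>\r\n"
          "Contact: <sip:alice@10.0.0.5:5060>\r\n\r\n"),
    (60.0, "REGISTER sip:pbx.example.com SIP/2.0\r\nTo: <sip:alice@pbx.example.com>\r\n"
           "Contact: <sip:alice@192.0.2.77:5060>\r\n\r\n"),
] + [  # 25 INVITEs aimed at bob within 2.5 seconds
    (100.0 + i * 0.1, "INVITE sip:bob@pbx.example.com SIP/2.0\r\n"
                      "To: <sip:bob@pbx.example.com>\r\nContact: <sip:x@198.51.100.9>\r\n\r\n")
    for i in range(25)
]

def parse_request(raw):
    """Return (method, To AOR, Contact host) parsed from the head of a SIP request."""
    lines = raw.split("\r\n")
    headers = {k.strip().lower(): v.strip() for k, sep, v in
               (line.partition(":") for line in lines[1:]) if sep}
    to = re.search(r"<?(sip:[^>;]+)", headers.get("to", ""))
    contact = re.search(r"sip:(?:[^@>]+@)?([^:;>]+)", headers.get("contact", ""))
    return lines[0].split(" ", 1)[0], to.group(1) if to else None, contact.group(1) if contact else None

def registration_changes(events):
    """Flag a REGISTER that binds an AOR to a host different from its previous binding."""
    last_host, alerts = {}, []
    for ts, raw in events:
        method, aor, host = parse_request(raw)
        if method != "REGISTER" or not (aor and host):
            continue
        if aor in last_host and last_host[aor] != host:
            alerts.append((ts, aor, last_host[aor], host))
        last_host[aor] = host
    return alerts

def invite_flood_targets(events, window=1.0, threshold=10):
    """Return AORs that receive more than `threshold` INVITEs inside any `window` seconds."""
    recent, flagged = defaultdict(deque), set()
    for ts, raw in events:
        method, aor, _ = parse_request(raw)
        if method != "INVITE" or not aor:
            continue
        q = recent[aor]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the sliding window
            q.popleft()
        if len(q) > threshold:
            flagged.add(aor)
    return sorted(flagged)
```

A legitimate user who takes a phone on the road, as described above, also changes the registered host, so the registration alert is a signal to correlate with authentication logs rather than proof of hijacking.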

What is the benefit of encrypting VOIP?

For instance, if you’re not using encryption in your voice conversation, then it’s possible for an attacker to actually add background noise to your conversation. It may not sound that bad, but you can potentially do some mischievous things there. For instance, if you’re a disgruntled call-center support worker and you wanted to add some expletives to the background of your co-worker’s phone call, if you wanted to add some inappropriate sounds when the CEO is calling home to his wife — these are the types of things we are talking about.

What are best practices for securing VOIP?

VOIP security is much more than the security of your VOIP applications and your hardware. It also involves the security of your underlying platforms and also your network dependencies.

For instance, Cisco Call Manager — the latest version runs on Linux. The older versions ran on Windows. If you don’t keep up-to-date with your operating system patches released by your vendor, then those VOIP applications are going to be just as vulnerable as the vulnerabilities were in the applications themselves.

Do general network attacks affect VOIP more than other applications?

There are measures you can take to mitigate against denial-of-service attacks or distributed denial-of-service attacks. Within an enterprise without VOIP, you may not feel the pain as much, because an e-mail that you sent might arrive a few hours later but the recipient will still get it. Voice over IP is not as forgiving. It has very strict QoS requirements, so a distributed DoS attack can cripple your VOIP network so that calls coming in are unintelligible or you think your phone system isn’t even usable.

What other precautions should businesses take to protect VOIP?

You want to change your default passwords on the infrastructure that you’re buying. You can do a lot of great things from the security side with voice over IP, but if you don’t change your default password, a lot of that is moot.

How steep is the learning curve for securing VOIP?

We looked at Cisco, we looked at Avaya, we looked at Asterisk, and we looked at some of the softphone technologies that have the potential to permeate into the enterprise — things like Skype, MSN. What we found is, all of these systems are securable, but they do take some knowledge to get them to that point. None of them come installed by default out of the box in a secure manner. It really does take someone who knows what they’re doing. That’s the good news; it is possible to have a secure VOIP deployment if you follow best practices and you work with someone who either knows what they’re doing — like a consultant — or you have the resources in-house to do that type of research.

Disable services that aren’t really required. Many of these VOIP phones have Web servers on them. It’s not just Web servers, but things like Telnet, things like FTP. A lot of these phones are almost like minicomputers. As an example, you really need to apply best practices that you would with any other technology. Disable features that aren’t needed, like the administrative interface to those devices. Restrict it so it can only be accessed from specific IP addresses.