There is a commonly held view that the PSTN, because it was hard-wired and regulated, was somehow harder to hack, and that we are in a Brave New World of voice vulnerability.
Not so. Dave Senf, Canadian director of security and software research at IDC, points out that these aren’t new issues. “You could always break into the PSTN. It used to be called ‘phone phreaking.’ You could get into an 800 line to make a call anywhere in the world.” Man-in-the-middle attacks aren’t new either: on the PSTN they were called wiretapping.
“In fact, sniffing for packets and piecing calls back together may be harder than old-style hacking of the PSTN,” Senf says.
Turns out wearing a black hat may be more of a challenge than hanging off a pole fiddling with some alligator clips. Problem is, there are a lot of black hats out there.
Dan York, best practices chair for the Voice Over IP Security Alliance (VOIPSA) and Mitel’s director of IP technology, says people remain unaware of the extent of potential VoIP security issues. This is in part because they think of all voice as being regulated as it is on the PSTN. “It’s a Wild West in SIP trunking, even with dramatic failures like VoIP service provider SunRocket,” York says. “You can still take an IP-PBX, do a SIP trunk to a service provider, and have cheaper PSTN access.”
Having a SIP trunk to your own provider is one thing, but now fly-by-night companies are buying a few servers, getting a deal on an Internet pipe, and presenting themselves as VoIP providers. These operations have voice traveling across the public Internet and are not even thinking about security.
“The bigger concern for business is to pick a vendor that supports SIP trunking with IP-PBX. You want a service provider to get you to the PSTN,” says York.
Dominic Chorafakis, director of product management at BorderWare in Mississauga, Ont., has seen a shift at the enterprise level, from the industry trying to educate enterprises to enterprises being more proactive themselves.
“At the enterprise level, people are better informed. They know what the issues are and they’re looking for solutions. This is certainly true with the most common attacks, such as brute force and those involving access to VoIP systems to steal minutes,” says Chorafakis. Maybe so, but the average C-level executive, and even CIO, might not be able to come up with this partial list of potential concerns: registration attacks, BYE and CANCEL attacks, identity spoofing, call transfers, call relay, and malformed message attacks.
And although stealing minutes may be a big concern now, man-in-the-middle attacks remain worrisome, as they can go unnoticed. A few years ago, Greece’s prime minister had his cell phone hacked thanks to a 6,500-line rootkit embedded in a switch. Transaction logs were disabled, and the ruse was only uncovered thanks to an upgrade attempt by the spies. It went on for two years, and their identities remain unknown.
Nicolas Fischbach, senior manager for network engineering and security at COLT Telecom in Zurich, Switzerland, and a recent course leader in VoIP security at CanSecWest in Vancouver, says the whole story has not been told. “There have been big VoIP DOS attacks. It’s just that no one wants to talk about it,” Fischbach says. “And with more users online, and more enterprises with exposure to the public Internet, DOS will become more common.” He agrees that encryption can do a lot of the work, but may then provide other challenges.
“The problem will be when the carriers get advanced encryption. You can sniff on the pass, but it will be garbage if you don’t have the SSL keys.”
Bogdan Materna, chief technology officer and vice-president engineering of VoIPShield in Ottawa, believes that half the battle is education. Enterprises must be proactive, and end-users must be educated on common-sense, policy-based approaches. Then the technology kicks in.
“You should deploy a VoIP network access control (VNAC) system, and if you have further concerns you can then go for a SPIT (spam over Internet telephony) device,” Materna says. VoIP spam is potentially a huge concern. It’s easy to delete hundreds of e-mail messages, but with VoIP you might have to listen to the messages, and the storage burden could be immense.
Given the long list of scenarios, how big is the risk to enterprise or consumer VoIP networks? “We don’t know, and the analysts don’t know,” says Chorafakis. “In fact, they’re asking us.”
“A lot of the issue can be dealt with by encryption,” says York. “It’s not a cure-all, because it won’t stop a DOS attack. Nonetheless, service providers are now beginning to talk about secure SIP trunking.”