They may sound like fictitious Halloween characters, but for VoIP users, zombies and fuzzing are as real as they...
Network intruders are leaping the fence from data networks over to the Voice over IP (VoIP) side, where they can easily take advantage of open source code for IP Telephony. There are similarities to the types of attacks already under way in the data world, but now they are being adapted to the VoIP world.
Is it time to start pulling our hair out and running for the hills?
Probably not. Security has already gained a lot of attention, and products are quickly becoming available that are dedicated specifically to VoIP. So while users should be proactive about preventing attacks, it's not yet time to panic, analysts, users and security vendors agree.
"What it has to come back to is the protocol.… A lot of the early VoIP systems were based on proprietary protocols that were vendor-specific. Vendors kept the details of those protocols to themselves," said Brendan Ziolo, director of marketing for Sipera, which makes the Sipera IPCS 310 system for comprehensive IP Communications Security. "Hackers didn't have the information they needed to launch an attack because the networks were very complicated then. They were closed in, and only legitimate traffic ran on the network."
To populate its security tool with the latest anti-attack measures, Sipera sends out a team of "ethical hackers" to test networks, find and define threats, and catalog IP Telephony attacks. The company has already logged about 20,000.
"We have people that go out and look for possible attacks," Ziolo said, "so if we find one that takes one day and 10 bucks [to unleash], we know somebody is going to do it. Ten days and a million bucks, probably not."
In contrast to the secure, proprietary networks of yesteryear, today's VoIP products are based on the de facto, open standard Session Initiation Protocol (SIP). This Internet Engineering Task Force (IETF) standard is used for initiating an interactive user session that involves multimedia elements such as video, voice, chat, gaming and virtual reality.
On the upside, an open protocol promotes interoperability among disparate products, and SIP has nailed that task. The more open a protocol, however, the more easily hackers are able to gain access to the information they need to crack a network. The same information is available to everyone.
Take fuzzing, for example. Fuzzing is actually a legitimate method of testing software systems for bugs and is accomplished by providing an application with semi-valid input to see what the receiving call center's reaction will be. Appropriate fixes, if needed, can then be implemented by the call center.
Malicious users employ this same methodology to exploit vulnerabilities in a target system, however. They do this by sending messages with content that, in most cases, is good enough for the target to assume that it's valid. In reality, the message is sufficiently "broken" or "fuzzed" that when the target system attempts to parse or process it, various failures result instead. These can include application delays, information leaks, or even catastrophic system crashes.
For their part, Zombies infect or hijack your computer or network using malicious code. This code hides inside the computer/network and can send spam, steal company secrets, and enable other serious crimes, sometimes without the knowledge of the owner. These computers are called zombies because they have been secretly taken over and actually do the dirty work of the hacker.
An example of a virus or worm that turned a machine into a zombie was CodeRed, a virus that surfaced a few years ago but did not launch its denial-of-service attack for 20 days.
While CodeRed attacked data networks, the same thing could occur on a VoIP network. In this case, the virus would enter the system via softclients installed on a laptop and mobile phones, which are basically mini computers that share information directly with the network via email and file swapping.
VoIP networks are also particularly vulnerable because of the real-time nature of phone communication and because of the premium that businesses put on 24/7 telephone uptime.
The good news is that security is top of mind among users and systems integrators handling other organizations' networks, and it's not holding back deployments.
According to a recent study by Infonetics Research Inc. concerning how important certain criteria are for choosing PBX features, security rated 61%, just below reliability and scalability. The study, User Plans for VoIP, was published in May and interviewed 240 companies in North America.
"We conduct a lot of end-user research and [have] found that VoIP security is not impeding the move to VoIP necessarily," said Matthias Machowinski, Infonetics' directing analyst, enterprise voice and data. "They are talking more about general business challenges such as whether it's necessary or [whether] they have the money. There are not a lot of security implications. I haven't seen that as a huge barrier."
When asked whether they had deployed or were planning to deploy VoIP, survey subjects replied that the highest barrier was cost, at 27%, compared with the No. 10 barrier, security, which was at only 16%.
According to Machowinski, existing and future VoIP users should be very aware -- but not scared -- of security issues.
"You always have to [strike] the balance between educating and not scaring when talking about security," he said.
Systems integrator Engage is very aware of potential security problems.
"Security is at the top of our list at Engage with respect to any technology, but especially communications," Engage director Todd Sharp said. "I do not believe that small and medium companies are taking security seriously enough, and furthermore I believe that they are losing productivity due to inefficiency, downtime and employee distractions as a result."
For the past five years, Sharp has been involved at the periphery with international security-based SANS, the organization that develops the FBI's top cyberthreat list each month.
Describing a recent incident in which Engage chanced to notice that a customer's network was built in such a way that it was left unprotected, Sharp said, "As such, it behooves all organizations of all sizes to take security seriously … particularly with communications, which by nature do not remain on their internal networks, where theoretically the packets should be the most protected."
In the case of that user, an Engage engineer went into the field on a non-telephony-related project only to find that the customer's new, cutting-edge VoIP PBX was deployed by its then-PBX vendor outside the firewall – the secured perimeter – on an unpatched server with an outdated operating system.
Security attacks on VoIP networks are possible and something to be proactive about, but they are not yet ubiquitous.
"People should pay attention to the potential," Infonetic's Machowinski said. "Imagine if your phone rings off the hook because some sort of robot gained access and dialed your number over and over."