Voice over IP (VoIP) is being more widely considered today as organizations seek to replace old PBX systems with new VoIP-enabled PBXs that support feature-rich services like real-time presence, instant messaging, video conferencing and mobility.
When inside an organization, VoIP leverages the network infrastructure to operate and provide services to its users. However, when moving beyond the LAN boundary, VoIP leverages the Internet -- an unsecure public network.
By design, VoIP is an application, which means its packets are transported over the Internet the same way as general Internet traffic. Using the Internet as a transport medium means VoIP packets are exposed to a hostile and untrusted environment and are in reach of unwanted hackers waiting to seize the opportunity and break into VoIP systems.
This is where VoIP encryption comes into play.
Security analysts and engineers suggest that organizations should encrypt VoIP traffic not only when it traverses the Internet, but also on the LAN and on the wide area network (WAN)/virtual private network (VPN).
Despite an increasing number of Session Initiation Protocol attacks, call frauds and session hijacking, VoIP vendors do not enable SIP encryption by default on most installation wizards. Organizations are often set up from the ground up without SIP encryption enabled, leaving them exposed to hackers who can capture SIP packets using a network analyzer and uncover sensitive information from SIP devices such as IP phones and SIP desktop applications.
The screenshot below shows my network analyzer having captured and decoded a SIP session with one of my SIP providers:
Information such as username, password, called number and VoIP provider can be extracted from unencrypted VoIP sessions.
In addition, SIP signaling often uses User Datagram Protocol (UDP) as the transport protocol (shown above) -- a "fire and forget" protocol that does not require a three-way handshake before data is transferred between hosts.
Unencrypted VoIP services can be easily exposed, making them ideal targets for hackers. Different attack patterns are used depending on the target, waiting to compromise the VoIP service and cause major disruptions. One example is TelePacific Communications, whose systems were taken offline in 2011 for several days after a continuous Internet flood (distributed denial-of-service attack) of invalid VoIP registration requests, causing thousands of dollars in damages.
Encryption can be enabled and configured between different points, depending on your setup and equipment. For organizations with multiple sites and PSTN gateways, it is recommended to encrypt all possible call legs at the head office and remote offices, including voice gateways. By doing so, all packets traversing the LAN and WAN/VPN are encrypted. When Wi-Fi networks are available with an accessible SIP service, encryption is mandatory.
In case of an external VoIP provider, traffic between your organization's IP PBX and the VoIP provider must also be encrypted, as it is usually transported over the Internet.
When configuring VoIP encryption, there are two main options available:
SIP signaling uses UDP to set up a VoIP call. During this call setup, critical information is passed from the client to the server, including username, password, calling and called party number. TLS is used here to encrypt SIP signaling payload. TLS normally requires a secure certificate so each side can identify itself, but most people usually use self-generated certificates.
SRTP is used to deliver the audio and video over an IP network. SRTP is the encrypted version of RTP. RTP and SRTP still use UDP as the transport protocol.
To maximize the VoIP encryption methods, it is recommended to use TLS in conjunction with SRTP on all VoIP equipment. This setup ensures both SIP signaling and voice/video sessions are properly encrypted and safe from prying eyes.
Depending on the VoIP equipment, it might not be possible to enable encryption if not supported by the firmware. This is often a problem with older SIP IP phones, and therefore it's good to update device firmware to the latest version, even when encryption is supported with the current loaded firmware.
Unfortunately, companies often follow industry trends rather than proactively adopt best security practices. As a result, companies with a recently upgraded IP PBX are unlikely to have VoIP encryption enabled or configured. Federal agencies, Army services, police and other similar services are an exemption to this rule.
Most SIP providers, on the other hand, have their infrastructure ready to support encrypted VoIP services -- they are just waiting on their customers to request them.
The driving force that's slowly changing this situation is the attacks, hijack attempts and call-fraud scenarios that are costing companies a lot of money, making IT departments and management change the way they see VoIP and security.
If your company is running an IP PBX with SIP-enabled IP phones and utilizes SIP trunks with providers, now is a good time to begin considering VoIP encryption.
18 Jun 2015