Once Voice over IP (VoIP) and IP telephony are introduced into the enterprise, new and unique security issues arise. In the previous tip, "VoIP security -- problems inherited from data networking," the data network security issues that affect VoIP were discussed. On top of those data security issues, VoIP is plagued by other problems that will expand the definition of information security.
What makes VoIP security different?
TDM analog and digital phones are dumb. The PBX contains all of the intelligence and is essentially a closed system. This is not true for VoIP. The call server is more easily accessed and gateways and IP phones are software based rather than hard-wired. The softphone is no more secure than any other PC application. VoIP has opened voice devices to more security problems and attacks than encountered in TDM-based environments.
Security personnel have to broaden their perspective in response to VoIP's security problems. There will be security issues with the server. Many of the new threats will relate to the phones and gateways. The attack or threat may appear to be the same as that found in data security, but the results will be different. Many of the threats will be generated behind the firewall by internal employees, individuals who are on site temporarily, and contractors. Some threats are not really attacks but are caused by negligence or abuse.
The threats can be variations of those found in data networks or can be specific to VoIP. Here are some of the security threats found in IP-based telephone networks:
- Signaling tampering
  - Fuzzing is a tool used by developers to locate problems. It can also be used to attack a signaling protocol implementation. Fuzzing discovers vulnerabilities by creating packets that push a protocol to its breaking point. SIP can be attacked this way. This can create denial of service (DoS), endless loops, logic errors, buffer overflow, configuration errors, access validation flaws and information leaks.
  - A PC can be loaded with server software and behave as the real call server by spoofing other devices. The rogue call server is then in control, supporting the signaling protocol.
  - Flood-based DoS can be caused by a PC on the network sending many "register" packets that can tie up the phone operation.
  - Another DoS can be created by sending many "invite" packets that cause the phone to ring. (The user picks up the phone, and no one is there; he then hangs up, and the phone rings again.)
  - In session teardown, an attacker sends "bye" packets that cause the phones to hang up.
- Directory tampering
  - Registration manipulation can erase, add or hijack a phone's registration.
  - Calls can be redirected to another phone without the caller's knowledge.
- Feature and function tampering
  - These can be enabled and disabled without authorization from the administrator.
  - Incoming and outgoing calls can be blocked by the setting arranged in the call server.
  - Applications in the call server can be blocked or enabled improperly.
- SPIT
  - This is SPAM over Internet Telephony. SPIT can rob the network of bandwidth, interfere with QoS and overload voicemail systems. It also takes longer to eliminate SPIT from a voicemail box when the caller is unknown and the listener must hear the call to determine whether it is legitimate.
- RTP attacks
  - RTP attacks can inject sounds into a phone conversation. The speaker does not know of the injected sounds and the listener thinks the sounds are coming from the speaker, not a third device injecting other sounds. (What if someone is on a conference call or calls home to say he is working late, but the listener hears restaurant or bar sounds instead?)
- Check-sync messages
  - These can be sent to the endpoints, causing repeated reboots that do not allow the phones to work properly.
- Caller ID spoofing
  - Caller ID is now carried in a data packet that can be generated falsely. This can have an adverse effect because attackers can pretend to be valid executive or special phones, IVR or call centers. The caller ID simulation cannot be detected by an unknowing caller or called party.
- This is easier to perform with IP-based calls than TDM-based calls. Any protocol analyzer can pick and record the calls without being observed by the callers. There are software packages for PCs that will convert digitized voice from standard CODECs into WAV files.
- The speakerphone function can be turned on remotely, with the caller on mute so that there is no sound coming from the phone. This has happened with some IP phones in executives' offices. Their offices can be listened to without their knowledge.
- PCs and laptops that have microphones attached or integrated into them can be enabled as listening devices without the user's knowledge. There is a rootkit available for this purpose.
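Several of the signaling threats listed above (register and invite floods, bye teardown, check-sync messages) leave recognizable traces in captured SIP traffic. The following detection sketch is an added example, not code from the original tip: the thresholds, the `trusted` provisioning-server set, the addresses and the sample messages are all constructed assumptions, and a BYE is matched to its call by Call-ID alone, which is a simplification.

```python
from collections import defaultdict, deque

FLOOD_METHODS = {"REGISTER", "INVITE"}

def parse_sip(raw):
    """Return (method, headers) for a SIP request, else (None, {})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    parts = head[0].split()
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None, {}
    pairs = (line.partition(":") for line in head[1:])
    return parts[0].upper(), {n.strip().lower(): v.strip() for n, s, v in pairs if s}

def detect(events, window=10.0, threshold=5, trusted=frozenset()):
    """events: (seconds, source_ip, raw_sip) in time order -> list of alerts."""
    recent = defaultdict(deque)   # (source, method) -> timestamps inside the window
    dialogs = set()               # Call-IDs that were opened by an INVITE
    alerts = []
    for ts, src, raw in events:
        method, hdr = parse_sip(raw)
        if method is None:
            continue
        call_id = hdr.get("call-id") or hdr.get("i")   # "i" is the compact form
        if method in FLOOD_METHODS:
            q = recent[(src, method)]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) == threshold + 1:   # alert once, when the limit is crossed
                alerts.append((ts, src, method + "_FLOOD"))
        if method == "INVITE":
            dialogs.add(call_id)
        elif method == "BYE" and call_id not in dialogs:
            alerts.append((ts, src, "BYE_WITHOUT_DIALOG"))
        elif (method == "NOTIFY" and src not in trusted
              and hdr.get("event", "").lower().startswith("check-sync")):
            alerts.append((ts, src, "CHECK_SYNC_UNTRUSTED"))
    return alerts

def msg(method, call_id, extra=""):   # builds a constructed, minimal SIP request
    return f"{method} sip:1001@pbx.example SIP/2.0\r\nCall-ID: {call_id}\r\n{extra}\r\n"

# Constructed sample traffic: one flooding host, one normal call, one trusted server.
SAMPLE = [(i * 0.5, "10.0.0.66", msg("REGISTER", f"r{i}")) for i in range(8)] + [
    (5.0, "10.0.0.20", msg("INVITE", "call-a")), (9.0, "10.0.0.20", msg("BYE", "call-a")),
    (9.5, "10.0.0.66", msg("BYE", "call-zz")),
    (9.8, "10.0.0.66", msg("NOTIFY", "n1", "Event: check-sync\r\n")),
    (9.9, "10.0.0.5", msg("NOTIFY", "n2", "Event: check-sync\r\n")),
]
```

Calling `detect(SAMPLE, trusted={"10.0.0.5"})` flags the flooding host three times and leaves the normal call and the trusted provisioning server alone.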
In the next two tips, the tools and methods for testing your VoIP/IPT vulnerability will be explored. The last tip will discuss the countermeasures available to protect against and mitigate these threats.
About the author:
Gary Audin has more than 40 years of computer, communications and security experience. He has planned, designed, specified, implemented and operated data, LAN and telephone networks. These have included local area, national and international networks, as well as VoIP and IP convergent networks, in the U.S., Canada, Europe, Australia and Asia.