VoIP Vulnerabilities Get Star Billing in Report
Maybe you can't always stop the attack, but knowing where to look for it is a good beginning.
Sipera VIPER Lab just released its predictions for the Top Five VoIP Threats in 2008. The lab is operated by Sipera Systems, a VoIP/UC security solutions provider.
A common theme among the top threats is openness and the perils thereof. In stepping out into the IP world, VIPER predicts, enterprise users will expose themselves to a new range of threats.
Take for instance denial of service (DoS) attacks, which top the list of likely perils. As enterprises deploy SIP Trunks and unified communications (UC) for the mobile workspace, such attacks will become increasingly common, the researchers say.
It is in the nature of SIP's open architecture to be highly flexible, but not inherently secure, said Sachin Joglekar, Sipera VIPER Lab research lead. "The very nature of opening things up, the fact that you are going beyond the enterprise perimeter, it means by definition that you are far more open and exposed."
The move to SIP thus opens a new window to allow in some old malice. "With enterprises opening SIP lines to their service providers, it creates a similar model to the web servers that allowed Amazon and the others to be attacked in those denial of service attacks," Joglekar said.
Dodge that bullet and you'll still be facing threat #2: The exploitation of HTTP or other third-party data services running on VoIP end points.
With nearly all VoIP phones running a web interface along with other various data services, eavesdropping becomes an increasingly distinct possibility. It has been shown that by sending an HTTP request to a phone, an attacker can turn that phone into a speaker and pick up everything being said in a room. Simply put, "the data services that are running on the VoIP phones are not as secure as they should be," Joglekar
The House of Gates holds pride of place as #3 on the list of serious risks foreseen for the coming year. The problem is that hackers are already profoundly familiar with Microsoft products and are ready and willing to test that knowledge against recently released Microsoft Office Communications Server (OCS).
Of course that won't matter much if OCS fails to gain traction any time soon, a distinct possibility according to some pundits. But the VIPER team certainly isn't ready to count Microsoft out. In fact, Sipera's chief marketing officer Eric Winsborrow said the company is seeing steadily rising interest in OCS, especially among clients who might want to implement some aspects of the Microsoft offerings alongside their other applications.
Working along to #4, VIPER says hackers will turn increasingly to IP PBXs as a means to attempt vishing attacks (voice + phishing). By using VoIP as the means of contact, baddies can trim the costs of their dirty work significantly. The IP PBX is inexpensive and open-source tools even more so. Plus the IP PBX makes it simple to falsify caller-ID data.
"Why was e-mail spam so much easier than voice spam up to now? Because you just had to write a few scripts and off you go," Joglekar said. "Well, now you can do that just as easily with voice."
Finally, VIPER predicts a step rise in attacks against service providers, with black hats taking advantage of readily available, anonymous $20 SIM cards. The researchers describe the rise of UMA (Unlicensed Mobile Accessone of the early fixed/mobile convergence solutions) as an evolution that gives subscribers direct access to mobile core networks over IP, thus paving the way for various attacks.
"We can literally take our SIM card out of the cell phone put it in a laptop, then access the network as if we were a phone," Winsborrow said. With that power, "there are a lot of smart attacks you can do."
Here's one. "You can call up the service and somehow imitate other phones, and then say those phones are no longer available, that they are no longer registered," Winsborrow said. "Now that is annoying. But think about doing it to thousands or hundreds of thousands of phones."
Seen in those terms, annoying doesn't even scratch the surface.
Still, the VIPER folks don't want the spread of enterprise VoIP to stop dead in its track in the face of these diverse threats.
Enterprise VoIP "should happen. This is what communications should be," Winsborrow said. "The only advice is, as enterprises start to do this, as they start to take advantage of what unified communications was supposed to be and what VoIP was supposed to be, they need to go in with a heightened sense of awareness."