VoIP Insecurity
Voice over Internet Protocol (VoIP) has caught on like wildfire across the globe. From the replacement of the old fashioned analog phones in our homes with services such as Vonage or Xfinity to the software-based VoIP solutions, such as Google, Yahoo, and Microsoft instant messaging applications being refitted with VoIP capability, to Skype the soft phone people are using worldwide. VoiP is everywhere – but is it secure? The answer is no.
Before we get into the details of VoIP insecurities, I wanted to cover the basic information security risks that all of us face either at home or in our corporate or government organization. These can be broadly categorized into the following three types:
- Confidentiality
- Integrity
- Availability
You can remember these categories with the mnemonic “CIA” (but please don’t confuse this with theCIA, i.e., cia.gov).
Because VoIP is based on a ‘packet network’, we should look for those holes or vulnerabilities these types of networks are prone to harbor. Packet networks depend for their successful operation on a large number of configurable parameters: IP and MAC (physical) addresses of voice terminals (phones, etc.), addresses of routers and firewalls, and VoIP-specific software such as PBXs, “call managers,” and other programs used to place and route calls. Many of these network parameters are established dynamically every time a network component is restarted, or when a VoIP telephone is restarted or added to the network. Because there are so many places in a network with dynamically configurable parameters, intruders have a wide array of potentially vulnerable points to attack.
Vulnerabilities described below are generic and may not apply to all systems; however, investigations by the National Institute for Standards (NIST) and other organizations have found these vulnerabilities in a number of VoIP systems. This list is not exhaustive; systems may have security weaknesses that are not included in the list. With each potential vulnerability mentioned there are some recommended steps to eliminate or reduce the risk of compromise.
Hacking VoIP
Some of the techniques used to hack VoIP include:
- Exploitable software flaws (CVE®s)
- Denial of Service
- Man-in-the-Middle
Like other software systems, VoIP systems have been found to have vulnerabilities due to buffer overflows and improper packet header handling. These flaws typically occur because the software is not validating critical information properly. For example, a short integer may be used as a table index without checking whether the parameter passed to the function exceeds 32,767, resulting in invalid memory accesses or crashing of the system.
Attacks exploiting vulnerabilities in the switch software or protocols may lead to deterioration in service or even denial of service or denial of some functionality of the switch. For example: if unauthorized access can be established to any branch of the communication channel (such as a CCS link or a TCP/IP link), it may be possible to flood the link with bogus messages, causing severe deterioration (possibly denial) of service. A voice over IP system is likely to have even more vulnerabilities when it is connected to the Internet.
One of the famous Man-in-the-Middle attacks for VoIP is to run a TCP/IP “sniffer” such as wireshark (formerly known as ethertrace), grab as many packets as you can on your corporate LAN or the VLAN you use for VoIP and take that TCP/IP dump file home. Then, run it through the Voice over Misconfigured Internet Telephony (VOMIT) utility to output a wav file of prior conversations that took place at the office, earlier that day.
In addition to all these issues, how do you know someone isn’t unplugging your VoIP phone and plugging in a rogue laptop or wireless device at off hours, or while you are home sleeping comfortably, while they attack your corporate network?
Securing Your VoIP
Properly securing your Voice over IP system is a complex process because VoIP is the integration of data and voice into a single network. Your network may be subject to daily attacks by hackers, viruses, and worms – things you never had to worry abut with your old fashion phone system.
There are nine steps that the NIST recommends you take to secure your VoIP network:
- Develop appropriate network architecture for voice and data communications.
- Examine the risk around deploying VoIP for voice communications.
- Take special precautions for ensuring Emergency 911 (E-911) services.
- Deploy physical controls are especially important in VoIP security.
- Consider additional power backup requirements to ensure continued VoIP availability during power outages
- Find, evaluate, and deploy VoIP-ready firewalls.
- Avoid using ‘softphone’ solutions, as they are harder to manage and secure.
- If mobile devices are part of your VoIP deployment, make sure they are secured using WPA and not WEP.
- Review regulatory requirements regarding privacy and record retention.
Summary
VoIP security requires adapting traditional network security measures for a high speed, dynamic environment. Make sure your VoIP server (gateway) is a hardened system with no known CVE®s that are easily exploitable. Also, look into Host-based Intrusion Prevention (HIPS) if you are using a soft phone such as SKYPE and make sure you are running a Network Access Control (NAC) solution to be aware of a disconnected VoIP phone or an attempt to gain access with a rogue or untrusted device by a malicious insider.
Technologies like the Black Box Veri-NAC Network Access Control and Vulnerability Management from Black Box Network Services provide cost-effective solutions to what can be a pretty large security hole in the network. Learn more about Veri-NAC at www.blackbox.com/go/Veri-NAC.
For more information about VoIP, refer to the following resources:
- “Security Considerations for Voice Over IP Systems,” NIST http://csrc.nist.gov
- The CVE Standard – Funded by the U.S. Department of Homeland Security and Operated by MITRE Corporation. Visit http://nvd.nist.gov and http://cve.mitre.org. CVE and the CVE logo are registered trademarks of The MITRE Corporation. Use of the Common Vulnerabilities and Exposures List and the associated references from MITRE are subject to the Terms of Use. For more information, please visit http://cve.mitre.org or email cve@mitre.org
About the Author
Gary S. Miliefsky is a Security Consultant to Black Box Corporation, a 20+ year information security veteran and computer scientist. He is a member of ISC2.org, CISSP® and Advisory Board of the Center for the Study of CounterTerrorism and Cyber Crime at Norwich University. Miliefsky is a Founding Member of the US Department of Homeland Security (http://www.DHS.gov), serves on the advisory board of MITRE on the CVE Program (http://CVE.mitre.org) and is a founding Board member of the National Information Security Group (http://www.NAISG.org).
