Security vulnerabilities continue to plague the VoIP environment, with even the biggest vendors putting out devices that can be easily compromised.
In fact, the situation appears to be getting worse rather than better as VoIP becomes more deeply entrenched in the commercial landscape.
In a new white paper, VoIP Vulnerabilities, McAfee Labs found almost 60 vulnerabilities in voice over Internet products, compared to just under 20 vulnerabilities in 2006. Of the top three vendors, vulnerabilities in Cisco equipment exceeded Nortel and Avaya weaknesses by approximately five to one.
Despite widespread adoption of VoIP, the security situation today resembles that of the earliest days of personal computing, when security was in its infancy, said Kevin Watkins, a security researcher at McAfee Labs and author of the white paper.
“It’s like the security vulnerabilities on the PCs 10 or 15 years ago. It’s basic security stuff, the things they teach you on day one of writing security code,” he said.
The report outlines a number of common security risks. Foremost among these is toll fraud. In these attacks, an intruder gains access to a VoIP call manager or gateway and makes unauthorized calls. Attackers take advantage of weak usernames and passwords, open gateways and other application-level attacks.
Of all likely attacks, this is the one that poses the greatest threat, Watkins said. “We have yet to see a worm that actually propagates by VoIP phones, but we have seen toll fraud, and the loss of value a company can have from that is pretty high,” he said. “If you do have a VoIP deployment that is insecure and does have holes, people will go through your infrastructure to grab free calls and to resell those calls. That is a real danger.”
The report cites toll fraud as one of the most frequent attacks against VoIP deployments. It describes a case in Perth, Australia, where attackers made 11,000 calls, and another instance in which malicious users ran up 120 million VoIP minutes, bilking $1.2 million from Verizon and AT&T.
Watkins cites a number of other potential vulnerabilities, including eavesdropping, in which attackers take a network traffic dump of a Cisco IP phone conversation and convert it to a file that can be played on ordinary sound players.
In replay attacks, invaders replay a legitimate session—usually captured by sniffing the network traffic—for uses such as registration hijacking. Attackers can use this information to spoof calls that may have come from a third party. “The SIP employs the register command to tell the call-management software where a user is located, based on the IP address. An attacker can replay this request and substitute another IP address, thereby redirecting all calls to the attacker,” the report explains.
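As a defensive illustration of the registration hijacking described above, the following added example (not taken from the McAfee report) scans captured SIP REGISTER requests and flags one that repeats an earlier request but carries a different Contact address. The messages, addresses and names are constructed, and treating Call-ID, CSeq and the digest response together as the identity of a request is an assumption of this sketch.

```python
import re
from collections import namedtuple

Register = namedtuple("Register", "aor contact replay_key")
Alert = namedtuple("Alert", "aor src_ip first_contact new_contact")

def parse_register(raw):
    """Extract the fields this check needs from one SIP REGISTER, else None."""
    lines = raw.strip().splitlines()
    if not lines or not lines[0].startswith("REGISTER "):
        return None
    hdr = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            hdr[name.strip().lower()] = value.strip()
    aor = re.search(r"sip:([^>;\s]+)", hdr.get("to", ""))
    contact = re.search(r"sip:(?:[^@>]+@)?([^:;>\s]+)", hdr.get("contact", ""))
    digest = re.search(r'response="([^"]*)"', hdr.get("authorization", ""))
    if not (aor and contact and digest):
        return None
    # Assumption: Call-ID + CSeq + digest response identifies one request.
    key = (hdr.get("call-id"), hdr.get("cseq"), digest.group(1))
    return Register(aor.group(1), contact.group(1), key)

def detect_replayed_register(messages):
    """Flag a REGISTER seen before whose Contact host has been changed."""
    first_contact, alerts = {}, []
    for src_ip, raw in messages:
        reg = parse_register(raw)
        if reg is None:
            continue
        original = first_contact.setdefault(reg.replay_key, reg.contact)
        if original != reg.contact:
            alerts.append(Alert(reg.aor, src_ip, original, reg.contact))
    return alerts

def _sample(contact_ip, cseq, response):  # constructed test message
    return (f"REGISTER sip:example.test SIP/2.0\r\n"
            f"To: <sip:alice@example.test>\r\n"
            f"Call-ID: c1@192.0.2.10\r\nCSeq: {cseq} REGISTER\r\n"
            f"Contact: <sip:alice@{contact_ip}:5060>\r\n"
            f'Authorization: Digest username="alice", nonce="n{cseq}", '
            f'response="{response}"\r\n\r\n')

SAMPLE = [("192.0.2.10", _sample("192.0.2.10", 1, "aaaa")),    # initial
          ("192.0.2.10", _sample("192.0.2.10", 2, "bbbb")),    # refresh
          ("198.51.100.7", _sample("198.51.100.7", 1, "aaaa"))]  # replay

if __name__ == "__main__":
    for alert in detect_replayed_register(SAMPLE):
        print(alert)
```

A legitimate refresh uses a new CSeq and a fresh digest response, so only the third constructed message is reported.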
VoIP also is vulnerable to denial of service attacks. Readily available tools can send a flurry of SIP invite requests to an IP phone, thus overwhelming its capacity.
As a service on the IP network, VoIP is vulnerable to the same network-manipulation attacks as other network services, such as vishing and spam. In the former, attackers may masquerade as financial institutions asking for personal information such as credit card and social security numbers. Spam in a VoIP environment can rapidly consume resources, the report notes.
Looking ahead to the coming year, Watkins suggested the remedy for these vulnerabilities will have to come on the vendor side. He said the big players need to establish a baseline for what constitutes acceptable levels of security in their products.
“When they configure their VoIP security infrastructure, it needs to be set up the right way on day one, using encryption, setting up VLANs, making sure the latest security patches are actually being pushed to the phones,” he said.
As VoIP continues to establish itself in the marketplace in the coming year—and virtually all predictions say that it will—security analysts no doubt will be looking to Cisco et al. to be ready with assurances that today’s security gaps are being plugged.