Last week we took a look at SPIT and the potential problems it represents. Today we’re going to take a quick look at a few more VoIP threats, and then look at some ways to stave off troubles.
Vishing you were here
Vishing is the telephone equivalent of phishing: conning people into giving up personal and financial information by pretending to be a legitimate business, or fooling them into thinking they will profit somehow. E-mail phishing is why you get all those messages claiming you need to log in to your PayPal account right away (or eBay, or any number of banks and online storefronts) to correct a serious problem, whether or not you actually have an account there. The links in those e-mails are fake, and it is trivial to copy a genuine Web page and plant spoofed URLs in it. For example, both of these will take you to Voipplanet.com:
The goal is to lure the unsuspecting recipient to the bogus site and acquire their login credentials, personal data, and financial data. The word “phishing” means simply “fishing”; the spelling is probably a play on phreaking, which is cracking the PSTN (public switched telephone network) for free long distance and other recreations.
So vishing is not very exotic from a technical perspective; it is just another form of social engineering, and it has been going on as long as there have been telephones. But VoIP offers some powerful tools that make vishing a more attractive endeavor than it ever was on the old-fashioned PSTN. It is a lot easier to hide your back trail over the data networks (thanks to the World Wide Botnet); Caller ID is easy to spoof, since on a VoIP trunk the calling number is just a header the caller fills in; automated calling tools are cheap and easy to come by; and it is dirt cheap to call anywhere. You would think the bottleneck would be the need for humans to carry on the conversations, but even that can be automated convincingly with bots: no humans required. It is analogous to paper junk mail vs. e-mail spam; paper mail is expensive and cumbersome. Who cares if you only hook one fish for every million calls when it is all automated and costs you next to nothing? Of course, as we discussed last week, it costs everyone else plenty.
An old scam on the PSTN is to sucker people into calling what appear to be toll-free numbers but are actually very expensive toll calls. As VoIP becomes more widespread we are going to see more opportunities for even sneakier call hijacking, because it is going to be just like the data network: devices with well-known default vendor passwords and other weaknesses will all but beg to be compromised, as in this example quoted from VOIPSA.org:
…if the victim visits our evil proof-of-concept webpage, his/her browser sends an HTTP request to the BT Home Hub’s web interface. After this, the Home Hub starts a VoIP/telephone connection to the recipient’s phone number specified in the exploit page. This is what the attack looks like: the victim’s VoIP telephone starts ringing and shows an external call message on the LCD screen along with the recipient’s phone number. However, what’s interesting is that from the point of view of the victim, it looks like he/she is receiving a phone call from the number shown on the screen, but in fact he/she is calling that number!
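The attack in the quoted write-up is a cross-site request forgery: the router treats the browser's session cookie as the only proof that the admin meant to place the call, so a page anywhere on the Web can make the victim's browser send that request. What follows is an added example, not the VOIPSA/GNUCitizen proof of concept and not code for any real device; the /dial path, the number parameter, the sid cookie and the evil.example origin are assumptions chosen for illustration. It models the vulnerable handler next to a hardened one that demands a POST, a matching Origin header and a per-session token.

```python
"""Added example modelling the call-hijack described in the quoted write-up.
Not the VOIPSA/GNUCitizen proof of concept and not aimed at a real device:
the '/dial' path, the 'number' parameter, the 'sid' cookie and the
'evil.example' origin are assumptions chosen for illustration."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs
import secrets


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)   # what the browser attaches for this host
    form: dict = field(default_factory=dict)


class RouterWebUI:
    """Toy CPE web interface; a valid 'sid' cookie means an admin is logged in."""
    ORIGIN = "http://192.168.1.254"

    def __init__(self):
        self.sessions = {"abc123": {"csrf": secrets.token_hex(16)}}
        self.dialed = []        # numbers the attached phone was told to call

    def _session(self, req):
        return self.sessions.get(req.cookies.get("sid"))

    def dial_vulnerable(self, req):
        """Any authenticated GET places a call; the cookie alone is the proof."""
        if not self._session(req):
            return 403
        number = parse_qs(urlsplit(req.url).query).get("number", [""])[0]
        if not number:
            return 400
        self.dialed.append(number)
        return 200

    def dial_hardened(self, req):
        """A state change needs POST, a matching Origin and a per-session token."""
        sess = self._session(req)
        if not sess:
            return 403
        if req.method != "POST":
            return 405
        # Browsers add Origin to cross-site POSTs; anything but our own UI is rejected
        if req.headers.get("Origin") != self.ORIGIN:
            return 403
        # The legitimate form echoes the session secret; a cross-site page cannot read it
        if not secrets.compare_digest(req.form.get("csrf", ""), sess["csrf"]):
            return 403
        number = req.form.get("number", "")
        if not number:
            return 400
        self.dialed.append(number)
        return 200


# Requests the victim's browser emits while rendering the attacker's page.
# The browser attaches the router's cookie because the URL is on the router's host.
ADMIN_COOKIE = {"sid": "abc123"}
PREMIUM_NUMBER = "0907555123"   # constructed premium-rate style number


def evil_img_tag():
    """<img src="http://192.168.1.254/dial?number=..."> on http://evil.example/"""
    return Request("GET", f"{RouterWebUI.ORIGIN}/dial?number={PREMIUM_NUMBER}",
                   headers={"Referer": "http://evil.example/"}, cookies=dict(ADMIN_COOKIE))


def evil_autosubmit_form():
    """A hidden <form method=post> submitted by script; the browser sets Origin."""
    return Request("POST", f"{RouterWebUI.ORIGIN}/dial",
                   headers={"Origin": "http://evil.example"}, cookies=dict(ADMIN_COOKIE),
                   form={"number": PREMIUM_NUMBER})


def legitimate_dial(router, number):
    """The router's own page: same origin, and it carries the session's token."""
    token = router.sessions["abc123"]["csrf"]
    return Request("POST", f"{RouterWebUI.ORIGIN}/dial",
                   headers={"Origin": RouterWebUI.ORIGIN}, cookies=dict(ADMIN_COOKIE),
                   form={"number": number, "csrf": token})


def demo():
    """Return the status codes and the numbers each variant ended up dialing."""
    vuln = RouterWebUI()
    hard = RouterWebUI()
    results = {
        "vulnerable_img": vuln.dial_vulnerable(evil_img_tag()),
        "hardened_img": hard.dial_hardened(evil_img_tag()),
        "hardened_form": hard.dial_hardened(evil_autosubmit_form()),
        "hardened_legit": hard.dial_hardened(legitimate_dial(hard, "02075550123")),
    }
    return results, vuln.dialed, hard.dialed


if __name__ == "__main__":
    print(demo())
```

Run it and the vulnerable interface dials the premium number from the bare image fetch, while the hardened one refuses both the GET and the forged POST and accepts only the router's own form. The token is the real defence; the Origin check is a cheap extra, and browsers of the Home Hub's era did not send that header at all. Neither helps if the admin password is still the vendor default and the attacker is already on the LAN.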
As long as Microsoft continues to deliver tightly integrated software suites that all but roll out the welcome mat to malware, and then weaves them into every nook and cranny of the system, spammers and fraudsters will happily continue to exploit them. So the release of Microsoft Office Communications Server 2007 (OCS 2007) makes me nervous. Is this shiny new Unified Communications (UC) package going to translate into unified malware delivery, and even more warm welcomes into the World Wide Botnet? I sure hope not, but given Microsoft’s security track record, I’m letting other admins go first.
What to do
Joe Roper, one of the brains behind PBX in a Flash, has some good advice on protecting yourself. He recommends putting your PBX and phones on a separate network segment. This makes it easier to troubleshoot and adds a layer of protection; it only helps, though, if the voice segment is actually filtered from the data LAN, since a phone VLAN that any desktop can route into is just a label. He also draws a distinction between VoIP and Voice over Internet. Using a local iPBX that interfaces with the PSTN is pretty much the same as using the traditional phone system in terms of security risks. But connecting your iPBX to the Internet exposes you to an additional set of risks, such as the Phreaking the BT Home Hub attack quoted above, and all the usual Internet nasties such as eavesdropping and external attacks on your server. Mr. Roper also says:
“We do have more tools to encrypt VoIP—e.g. using a VPN circuit, it seems
that laying VoIP through a VPN tunnel makes little or no difference to the
latency, and there are some studies out there to suggest that the latency is
“The other area of concern is fraud, and fraudulent use of the telephone—this can be divided into areas.
“1. Fraud in company: dialing relatives in Outer Japonia at huge expense, or dialing the Sticky Vicky Hotline. Fortunately, with PiaF and similar systems, the admin has a view of all calls made, and can restrict access on
“2. People breaking into the system, possibly via the IVR menus, and making calls at the owner’s expense…Fortunately, a switched-on admin should be able to spot this very quickly…”
As usual, it comes down to the hardworking network administrator being on the ball: watching for problems, being careful with configurations, and yes, even doing the obvious but often-overlooked stuff like changing default passwords.
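Roper's point is that the CDR (call detail record) already tells the admin everything needed to catch both kinds of fraud, provided someone actually looks at it. The script below is an added example, not code from PBX in a Flash or from the article; the CDR lines are constructed, and the premium and international prefixes, the business hours, the inbound trunk's channel name and the burst threshold are assumptions to replace with your own dial plan. It flags premium-rate and international destinations, calls outside business hours, outbound calls whose source channel is the inbound trunk (the signature of someone dialing out through the IVR), and bursts of calls from a single source.

```python
"""Added example: a small CDR scan for the two fraud patterns described above.
Not code from PBX in a Flash or from the article. The CDR lines are constructed
and the prefixes, hours, trunk name and thresholds are assumptions."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample CDR, not real traffic. Columns: start, src, channel, dst, seconds
SAMPLE_CDR = """\
start,src,channel,dst,seconds
2007-10-15 09:12:04,201,SIP/201,02075550123,180
2007-10-15 10:40:31,204,SIP/204,0907555123,620
2007-10-15 11:02:10,201,SIP/201,0081355550100,45
2007-10-15 14:15:00,202,SIP/202,02075550199,30
2007-10-16 02:31:12,trunk,SIP/trunk-in,00225550111,900
2007-10-16 02:33:40,trunk,SIP/trunk-in,00225550112,880
2007-10-16 02:35:02,trunk,SIP/trunk-in,00225550113,910
2007-10-16 02:36:19,trunk,SIP/trunk-in,00225550114,905
2007-10-16 02:38:55,trunk,SIP/trunk-in,00225550115,890
2007-10-16 09:05:00,203,SIP/203,01615550100,60
"""

PREMIUM_PREFIXES = ("09", "1900")            # assumed premium-rate prefixes
INTERNATIONAL_PREFIXES = ("00", "+", "011")  # assumed international dial prefixes
BUSINESS_HOURS = (8, 19)                     # 08:00 to 19:00, Monday to Friday
INBOUND_CHANNEL_PREFIX = "SIP/trunk-in"      # assumed channel name of the inbound trunk
BURST_WINDOW = timedelta(minutes=10)
BURST_LIMIT = 4                              # more than this many calls per window is a burst


def parse_cdr(text):
    """Parse the CSV CDR into dicts with a datetime start, sorted chronologically."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["start"] = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        row["seconds"] = int(row["seconds"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["start"])


def reasons_for(rec):
    """Per-call checks; an empty list means the call looks ordinary."""
    reasons = []
    if rec["dst"].startswith(PREMIUM_PREFIXES):
        reasons.append("premium-rate destination")
    if rec["dst"].startswith(INTERNATIONAL_PREFIXES):
        reasons.append("international destination")
    t = rec["start"]
    if t.weekday() >= 5 or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1]):
        reasons.append("outside business hours")
    if rec["channel"].startswith(INBOUND_CHANNEL_PREFIX):
        reasons.append("outbound call originating on the inbound trunk (IVR/DISA abuse)")
    return reasons


def detect_bursts(records):
    """Sliding window per source: report each call that pushes the window over the limit."""
    windows = defaultdict(deque)
    bursts = defaultdict(list)
    for rec in records:
        w = windows[rec["src"]]
        w.append(rec["start"])
        while rec["start"] - w[0] > BURST_WINDOW:
            w.popleft()
        if len(w) > BURST_LIMIT:
            bursts[rec["src"]].append(rec["start"])
    return dict(bursts)


def analyze(text):
    """Return (flagged call records with their reasons, bursts keyed by source)."""
    records = parse_cdr(text)
    flagged = [dict(rec, reasons=r) for rec in records if (r := reasons_for(rec))]
    return flagged, detect_bursts(records)


if __name__ == "__main__":
    flagged, bursts = analyze(SAMPLE_CDR)
    for rec in flagged:
        print(f"{rec['start']} {rec['src']:>6} -> {rec['dst']:<14} {'; '.join(rec['reasons'])}")
    for src, times in bursts.items():
        print(f"burst: {src} made more than {BURST_LIMIT} calls within "
              f"{BURST_WINDOW} ending {times[-1]}")
```

On the sample data the two in-house calls to a premium and an international number show up once each, while the 2 a.m. run from the inbound trunk trips every rule at once and also registers as a burst. Running something like this against the previous day's CDR each morning, or on a cron job every few minutes with a page-out on the trunk-origin and burst rules, is the "switched-on admin" Roper has in mind.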
But we also need more powerful tools, such as ways to authenticate callers. That alone would prevent 95 percent of this mischief. But how can it be done without making VoIP too cumbersome to be worth the bother? We’ll take a look at this