Security of VOIP phone Calls?

[Jimdefruit]

To the IT manager who's seen it all before, making telephone calls over the Internet may seem an inherently risky business. To many, sending voice calls over today's attack-prone Internet raises one important issue - that of security. So before you take that irreversible leap into the ether, Paul Curran assesses the threats posed by VoIP.

Many of the security concerns affecting VoIP resemble those affecting any IP network, while some are unique to voice communications. Like any other IP service, applications and services based on SIP and its associated media protocols are vulnerable to attacks and intrusions:

Denial of Service (DoS) is an attack designed to disable or disrupt VoIP service delivery by overwhelming the network and bringing it down by sending malformed packets or by exhausting resources that flood the service until it can no longer process legitimate requests.

"VoIP networks are known to be particularly susceptible to DoS and Distributed DoS attacks," says Butler Group Senior Analyst, Andy Kellett. "The convergence of voice and data networks means that successful virus-based attacks could be used to bring down the entire business with both voice and data channels potentially being paralysed by a single attack model.

"As a converged voice and data channel, VoIP has the capability to receive and execute code, making it attractive to the hacker community. The potential exists to overwhelm under-protected systems with Web-style HTTP commands, or indeed to execute code that can then be either used to launch DoS attacks on the organisation's own systems or against external servers."

Kellett says this can also be used for financial gain by forcing the voice elements of a VoIP system to execute high volume calls to premium rate numbers. Indeed he says any one of these methods can be used to disable or undermine the whole of an organisation's communications capabilities.

Theft of Service: The legal term describing the use of services without lawfully compensating the provider. This is an attack to which current VoIP networks are highly vulnerable.

Eavesdropping: Since most VoIP traffic is transmitted unencrypted, it is susceptible to eavesdropping by an attacker using a common packet sniffer to capture the packets. It can provide attackers with the user identities, PINs, and SIP phone numbers required for identity theft.

Spoofing: An attack in which one person or program successfully impersonates another. An example is the 'man in the middle' attack whereby the attacker spoofs Jim into believing he's John, and spoofs John into believing he's Jim, thereby gaining access to all messages.

Call Integrity: Attackers can corrupt conversations by intercepting Real-time Transmission Protocol (RTP) packets, altering the contents by injecting speech, noise or delay into the call and forwarding the modified packets to the original recipient. Depending on the particular software used to generate the speech, the attacker can create speech patterns that closely resemble the sender's voice.

Viruses: A virus or worm introduced to a network can crash the VoIP servers/gateways. VoIP phones can fall victim to viruses, such as so-called 'Phone Flu', designed to disrupt service by rebooting or clearing the phone's configuration information. They can also steal or compromise account information.

"The convergence of voice and data networks means that successful virus-based attacks can bring down an entire business, potentially paralysing both voice and data channels via a single attack model. The extensive use of VoIP across the business introduces a vastly more open range of points of vulnerability. What's more, if a WiFi network is added into the communications mix, there is the further potential for malicious elements to use vulnerable systems to find and open ports on the network and steal data. Using the same approach, there is also the risk of viruses, Trojans and spyware being introduced.

"As a consequence, viral-based activity within VoIP networks can potentially be used to do more than just damage data and files or steal information. From the operational side, it can disrupt normal telephony services by causing systems reboots or disabling the system by attacking and clearing out systems files, logs, and call registers. Furthermore, if the approach is linked to a SPAM-style attack, it can potentially disrupt calls or instigate randomly dialled calls to users on the systems directory, a form of disruption made easy by the availability of common directory files that are often seen as innocent, unimportant, and not requiring protection in the overall security picture.

[BGonaSTICK]

Interesting stuff.

Not really any less secure than analogue telephony IMO, and I'm sure encryption will roll out PDQ.

The most significant thing for me is the single point of failure created between voice and data - a huge concern for business.

Viral attacks and DOS attacks are something we're just going to have to get used to in every area of modern living :