Man using telephone

VoIP: voicing security concerns

Channelling voice calls over IP networks has brought many advantages to enterprise communications, but it also creates some security risks.

Though Voice over Internet Protocol (VoIP) services are available for both consumer and business markets, it is from the latter that most enthusiasm for it has come; for this reason, it is also where most of VoIP's security issues occur. While the commercial sector has, of course, invested heavily in protecting their data networks from other cyber threats, IP-based voice has been somewhat overlooked.

VoIP describes a set of services used to manage the delivery of voice transmissions over a broadband Internet connection instead of using time-division multiplexing (TDM) over a traditional public switched telephone network (PSTN). It works by transmitting analogue voice signals as digitised packets over the Internet allowing it to share the same connections as other digital technologies.

Unlike in the TDM world, where the telephony and data networks were separated, most VoIP networks have several potentially insecure interfaces with other data networks, observes Jeff Kahn, chief strategy officer at AudioCodes: 'Moving from TDM to VoIP means that voice is now simply another service running over the enterprise IP network, and is thus vulnerable to the same threats as other data services'.

Adam Boone, vice-president of product management at Sipera, agrees: 'The strengths of VoIP bring with them new security challenges and new compliance requirements that cannot be met by the existing security architecture.'

He adds: 'When companies use third-party applications to conduct business communications, it cannot be verified that privacy is maintained and corporate information is safe.'

Early VoIP suffered from shortcomings, partly caused by the fact that breaking down an analogue voice into packetised bits that are then sent forth over a public broadband network and reassembled at the other end in real-time is a highly demanding application.With data transmission, lost or dropped packets can be error-checked and re-sent so fast that we do not normally notice; with voice quality, degradations and other glitches jar on the ear. However, the VoIP's compelling proposition was that it is was very cheap compared to standard PSTN call rates.

Interoperability between VoIP and PSTN calling was another breakthrough in VoIP's favour. VoIP gateways allow individuals to make computer-to-telephone calls, telephone-to-computer calls and telephone-to-telephone calls at ease. The gateways provide a bridge between the PSTN and the IP network, allowing the individual to use analogue, digital and IP phones.

VoIP systems can also integrate with enterprise data systems so that, for instance, internal telephone lists can be used to find internal numbers, and voicemails can be shunted to desktop email systems, rather than 'closed' proprietary voicemail systems; but this flexibility and versatility has also served to commend VoIP communications to the online threat makers. As its popularity has grown, so also has interest in it by cyber-criminals.

Free calls for all?

Businesses favour VoIP because of the efficient use of network bandwidth, where voice and data transmissions join and efficiently fill up data channels to provide a secure bandwidth network. Businesses also want to reduce call costs between offices and outside the country by using VoIP to reduce toll charges. However, as mentioned, because VoIP runs via the public Internet, users become vulnerable and are prone to viruses and allow attackers to manipulate their software. 'The security requirements to protect VoIP are not the same as those used to protect other data applications,' says Boone. He believes that businesses now 'need a better understanding of what they are dealing with'.

VoIP security has now become integrated ICT's 'elephant in the room – companies need to be confident that their unified communications networks are secure and compliant,' warns chairman of VAD Wick Hill Ian Kilpatrick. 'This has led to the development of unified security solutions.'

Preparation is key

So what are the key concerns around VoIP security? As with any other aspect of protecting enterprise ICT security, it is essential for businesses to prepare their networks properly, first ensuring the QoS (quality of service), and second securing their network from potential attacks. The QoS must ensure the VoIP call has the same high standard of quality as a traditional call.

Also, in case of power failure, back-up systems are needed; this is useful for businesses as they can communicate during a power cut. Fraudsters are committed to hack into business networks as VoIP can generate large amounts of money.

The attacks can vary from an individual making a free long distance call for themselves, to organised criminals who weaken and manipulate VoIP calls to make international calls at someone else's cost, known as toll fraud attacks. 'Toll fraud costs businesses tens of millions of dollars a year, when these fraudsters take control over an enterprise phone system and make calls they are often expensive international calls,' says Adam Boone of Sipera.

According to the State of Security Report 2011 from SecureLogix, threats range from relatively minor abuse to full-scale toll fraud, where losses in excess of $100,000 are feasible.

The cost of telecom fraud

The Communications Fraud Control Association Telecom Fraud Survey reckons that the annual global telecom fraud losses amount to around $54.4-$60bn.

'Major long distance abuse/toll fraud occurs when an attacker obtains access to a service such as Direct Inward Services Access (DISA) and sells this access to external Consumers,' the report's authors explain. 'A user dials into an IP PBX or voice mail system and provides a password that gives access to an outbound dial tone, often with unrestricted calling access. Attackers identify this service and password through automated testing – which VoIP makes much easier – social engineering, or an insider. Once access is found, access/passwords are provided to consumers, who abuse enterprise service until the attack is detected.'

Research and education body the SANS Institute claims to offer the largest source for information security training, and in April 2011 it launched a European course on VoIP security designed to show analysis of infrastructures, signalling, and media attacks. Students learn how to protect against attacks from VoIP signalling, media eavesdropping, caller ID impersonation, call manipulation and media injection.

'VoIP is a rapidly growing area due to the huge cost saving potential but organisations often fail to consider the security impact,' says SANs information security and computer forensic expert, Paul Henry. 'As long as data and voice coexist on the same networks, criminals can find weaknesses in one area to gain access in another.'

VoIP security implications

Henry believes that only 10 per cent of organisations deploying VoIP look at the security implications: 'The automated billing mechanisms of VoIP services make these prized targets for criminals who often have difficulty selling stolen data'.

Criminals find weaknesses in one area to gain access in another. Henry explains that while many organisations might encrypt their data traffic across the public networks, only a few encrypt VoIP traffic sent across the Internet, and the assumption that VoIP traffic is difficult to intercept is an indication the lack of knowledge businesses have.

Firewalls should install an added layer of protection, but, says Kahn, standard firewalls operating at OSI Layer 3 do not provide sufficient protection for advanced applications such as VoIP: 'The SIP protocol, for instance, the most commonly-used protocol for controlling VoIP calls, carries vital data in its messages which cannot be analysed by a standard firewall, but which is critical for determining whether the call in question is a legitimate one or not'. To intercept this data and act accordingly, Kahn argues, a specialist device is needed which acts at the network's Application Layer.

Redscan CTO Simon Heron also thinks there is a lack of awareness of the facts that VoIP content is as open to attack as other traffic – and also of equal interest to cyber crooks. 'Companies need to understand the security issues behind VoIP, they need some sort of monitoring in place to keep track of any unusual activity,' he says. 'A good way of doing this is logging calls and creating stronger passwords.'

Industry consensus has identified five prime areas of concern in regard to VOIP security. They are: toll fraud, privacy, voice phishing, denial of service and voice spam.

1 Toll fraud and re-charging

According to industry group The French National Research Agency (ANR) VAMPIRE Project, toll fraud and billing avoidance top the list of threats involving improper usage of VoIP services.

Its 2009 report on known VoIP/SIP vulnerabilities says that the integration of several capabilities in VoIP products, for example a Web server used for the management interface, canlead to vulnerabilities being imported to the VoIP environment that would not otherwise apply.

In the specific example of an integrated Web server, directory traversal bugs or similar problems (such as lack of proper authentication in the Web interface) can allow hackers to read arbitrary files or other information from the device, the report concludes.

'SIP components integrated with firewalls may also interact in undesirable way,' warns the report. Some of the most serious non-implementation type of vulnerabilities are those where the specification permits exploitable behaviour. For example, certain vendors permit the actual URI (uniform resource identifier) in a SIP INVITE call and the URI used in the Digest Authentication to differ; while arguably allowed by the spec, this enables toll fraud via credential reuse. Once the hacker gains access to the VoIP infrastructure, either through a server or unreliable software, their objective is to dial premium rate numbers, which result in expensive bills. This is a low-risk crime as primary rate numbers in Latvia, North Korea and Ethiopia are used, meaning there is little chance of legal action against them.

'This is a worldwide problem. The most common security issue is toll fraud and the Australians have experienced this heavily,' adds Simon Heron, CTO at Redscan. 'To prevent these issues, we need some sort of monitoring in place. We can see usage from bills, but the problem is many businesses don't keep an eye on it or even notice.'

In 2010 30 members of an organised criminal gang were arrested in Budapest and London over allegedly stealing '11m through VoIP toll fraud. They used thousands of stolen VoIP account details to make one and a half million calls to premium rate numbers which paid the gang a percentage of inflated call charges.

2 Privacy concerns

Privacy is an important social expectation, but the issue of confidentiality is questioned when businesses use VoIP. It may also be an issue in regard to workplace acceptance ofVoIP, even though traditional telephone communications have long been associated with tapping and eavesdropping.

There is a lingering perception that internal IS and IT personnel are more likely to listen in to staff telephone calls on a VoIP system than they were on old-fashioned switchboard PSTN systems, where it was equally possible, but fewer staff has access (switchboard operators, say).

Most companies allow a certain amount of personal calls to be made using work phones; VoIP systems can also more easily garner data on call usage that can some staff may be uncomfortable about.

It is true that when unencrypted (or encrypted) data travels across the Internet, it is possible for a hacker to find the relevant data stream and attempt to reconstruct and listen to confidential conversations.

'It is very easy for an attacker to 'jump' from one application on the network to another, and so voice traffic can be intercepted, disrupted or even be replaced with fraudulent content,' says Adam Boone, vice-president of product management at Sipera.

Motivations for doing this can be hard to ascertain, but the concern is that in the business context, competitors, employees, criminals, technology hobbyists and the just plain nosy can earwig a business's outgoing and incoming VoIP calls – be they of a professional or personal nature.

In addition to the possibility of hackers and other unauthorised persons stealing vital information by monitoring voice traffic, they can also masquerade as another VoIP caller. This is done by the hacker injecting a fake caller ID into an ordinary VoIP call allowing the receiver to believe it is coming from a trusted source.

The receiver is hoodwinked into disclosing personal information like bank details, primary and secondary authentication, national insurance numbers,and other forms of personal ID that can result in identity theft. Victims may be targeted multiple times over a period of days and coaxed into divulging one piece of information at a time, to allay giving rise to suspicion.

In the early days ofVoIP this was thought to be a particular problem, as VoIP was supposed to delimit people's distinctive vocal characteristics and make them sound less differentiated.

Sipera's Boone says: 'Many companies handle sensitive or protected data, such as hospitals, banks, schools or any company that handles credit cards, the privacy and monitoring laws and rules might be violated if the newVoIP systems do not have their own security architecture and controls.'

3 Voice phishing, or 'vishing'

Vishing – voice-phishing – uses social engineering over the telephone system, most often using features facilitated by VoIP, to access private and personal information for credit card and identify theft.

One of the first reported cases was PayPal in 2006. Users of PayPal received emails asking them to verify their bank account details on a phone line, where they then had to key in their details from which the attackers raided their bank accounts.

Many people trust telephone lines more than they trust the Web, and criminals are taking advantage of this. Cyber threats analyst Dancho Danchev explained how it works in a recent blog post: 'Victims typically receive a pre-recorded Skype call telling them they are infected with malware and need to visit a specific site: 'Hey, I am working from home on my BlueCoat laptop. It has the cloud client on it. I have Skype on this machine. I get a Skype call from a place I didn't recognise. I answer the call and it is a recorded message. It says I have a fatal virus that needs to be fixed. That I am on Windows 7. (I am not.) The recorded message tells me to go to' Can you find anything in our logs about what just happened? Thoughts?' The specific site here is an online shop pushing rogue AV products and malware cleanup services.'

Georgia Tech College of Computing researchers reckon to have found a way to tag fraudulent calls with a digital 'fingerprint' that will help separate legitimate calls from scams with a system called PinDr0p that analyses and assembles those call artifacts to create a fingerprint – the first step in determining 'call provenance'. PinDr0p exploits artifacts left on call audio by the voice networks themselves.

VoIP calls, for instance, tend to experience packet loss – split-second interruptions in audio that are too small for the human ear to detect. 'Phone calls often pass through multiple VoIP, cellular and PTSN networks, and call data is either not transferred or transferred without verification across the networks,' says Patrick Traynor, assistant professor of computer science.

PinDr0p uses algorithms to detect and analyse call artifacts, then determines a call's provenance – the path it takes to get to a recipient's phone – with 'at least 90 per cent accuracy and, given enough comparative information, even 100 per cent accuracy', Traynor claims.

4 Denial of service attacks

Denial of Service (DoS) threats have become a secondary but still debilitating weapon in the cyber criminals' attack arsenal. Bringing down an organisation's website, Web access, email or voice communications – even for a relatively brief time period – can cause damaging interruptions to commercial operations and incur damage to reputation and brand value.

Quality of Service (QoS) is fundamental to VoIP users as it must meet minimum quality expectations in order to prove its worth; security issues can cause the service to deteriorate. If a hacker 'floods' a VoIP server with unwanted requests this (DoS) attack immediately brings the system down.

When the systems are flooded, the receiver is distracted and cannot be contacted. This is long enough for the hacker to steal passwords and money from bank accounts.

DoS attacks can completely shut down all applications and businesses would be without a phone service until the network is back up, this can cause real disruption to all departments affected.

In some sectors, this outage might include customer contact centres, an activity by which companies in some sectors are judged by customers. Attacks can use this knowledge to threaten vulnerable organisations, and even use it as part of extortion threats .

And, of course, IT managers and administrators are hobbled by the same lack of communications so are limited in their ability to keep in touch with staff and inform them of what is going on. VoIP DoS threats have been somewhat mitigated by the proliferation of mobile phone in recent years.

5 Of spam and spamming

Spam over Internet Telephony, or 'Spit', has become more of a nuisance as VoIP usage increases, as it enables DoS attacks and takes valuable bandwidth, thus impairing service quality.

If Spit calls go straight to voicemail they can push inboxes to their capacity limits, thus pushing out legitimate messages, and introduce an unwelcome overhead to data levels where voicemails are converted to email-attached messages.

It also provides a new route for telemarketers, pranksters, fraudsters and unscrupulous direct sales activities. The fact that VoIP calls incur so little costs encourages far more activity than was the case across traditional call-charged networks.

'Junk calls have long been part of any phone user's experience, but cheap auto-dialling software and VoIP makes these calls easier and cheaper for spammers to use,' says Redscan's Simon Heron. 'Networks can be easily tapped, unless they are encrypted they are very insecure, allowing criminals to come in and out whenever they want.'

Sending commercial marketing messages using VoIP offers more potential that email spamming because the service is fast and cheap and enables large volumes of unsolicited calls to go through.

According to Graham Titterington, principal analyst at market-watcher Ovum, VoIP is attractive to spammers because it gives the caller anonymity. 'Many people have multiple VoIP numbers, increasing this sense of anonymity,' says Titterington.

'One spam technique sends a single packet to a legitimate user to confirm his address, and then uses this address on the spam stream. Encryption of messages can help to protect messages from replication, as well as protecting the confidentiality of their contents.

'However, many VoIP services do not encrypt the routing information in the packet headers because, in old IPv4 networks, this slows the network address translation needed. This makes it possible for spammers to spoof the address of the message sender.'

Sign up to the E&T News e-mail to get great stories like this delivered to your inbox every day.

Recent articles