A simple call? Think again, you might be at risk

The proliferation of Voice over Internet Protocol or VoIP – as it’s more widely known – has shrunk the world to a global village, enabling users to reach out to their loved ones, colleagues, business partners and friends in a cost-effective and easy-to-use manner.

However, this proliferation is accompanied by security threats as cyber criminals continue to develop more sophisticated means of violating our privacy and exploiting our information vulnerabilities.

The reality is that the bulk of VoIP calls are not properly secured which leave both general users and businesses, large or small, open to attack.
Plus, as users continue to adopt VoIP, so too will cyber criminals refine their attacks into a masterful art without us even realising it.

As users we, have to be aware of threats that lie beyond our IP phones; ensuring that when an attack does occur we can readily indentify and remedy it accordingly.

Run-of-the-mill attacks
The beauty of converged networks is that VoIP is ‘just’ another application running on the data network. Unfortunately, from a security viewpoint, this means that it will also be affected by the same attacks that cripple data networks, even if it is not deliberately targeted.

Today, the most significant threat to VoIP is denial of service (DoS) as this can bring an entire network to its knees and shut down all applications running on it, which includes voice.

Furthermore, the security bugs that plague data applications affect VoIP users. Security solutions company, Core Security Technologies, for example, indentified a vulnerability in the popular VoIP application Asterisk PBX which essentially allowed hackers to create buffer overflows for a DoS attack. Operating system (OS) vulnerabilities also impact the VoIP PBX systems running on it.

SIP vulnerabilities

The increasing adoption of session initiation protocol (SIP) for VoIP is expected to open up a whole new front in the security war. SIP is a relatively new protocol which offers little inherent security. Some of its characteristics also leave it vulnerable to hackers such as the use of text for encoding as well as SIP extensions that can create security holes.

Primary SIP security attacks include registration hijacking, which allows a hacker to intercept incoming calls and reroute them; message tampering that sees hackers modifying data packets travelling between SIP addresses; and session tear-down, which enables the attacker to terminate calls or carry out a VoIP-targeted DoS attack by flooding the system with shutdown requests.

This charmingly named threat is the voice incarnation of the bane of e-mail
– spam – and stands for ‘spam over internet telephony’.

Already, spammers are targeting users IM (Instant Messaging) system users with spim (spam over instant messaging) and as many VoIP accounts include demographic information such as user location and/or age it enables them to target specific users.

Up to now there have not been many instances of Spit but it has the potential to become a major problem. Spit could be generated in a similar way to e-mail spam with botnets targeting millions of VoIP users from compromised machines.

The real-time nature of voice calls will make dealing with spit much more challenging than email spam. While emails can sit on a server for an extra hour to go through a spam filter, calls must be routed to the recipient instantly.

The good news is there are companies that are developing technologies that differentiate spit calls from real telephone calls with up to 99 percent accuracy.

Phishing for voice (Vishing)
Vishing uses telephony to obtain information such as account detail directly from users. One of the first reported cases was Vishers’ favourite target PayPal. The scam was a true multi-channel attack. Victims first received an e-mail request from PayPal which requested credit card detail verification via a phone line.

Those who called the number were then asked to enter their credit card number using the telephone. Once the credit card number had been entered, the fraudsters were free to siphon money from their victims’ accounts.

Scams like these are not just a danger for VoIP users but due to the low cost of IP calls will make them increasingly popular. Furthermore, Vishers can call thousands of people with very little capital outlay.

Plus, as users in general still trust the telephone, these criminal attacks will have a scary air of authenticity to it.

VoIP hacking
Like any IP system, a VoIP network is vulnerable to hackers. A US fraud case in 2006 heard how hackers broke into VoIP service providers’ systems using the common ‘brute force’ hack to identify holes in their networks.

Essentially, VoIP service providers use a prefix on the IP packets to identify their own calls. Therefore, by sending millions fake test calls these hackers could determine which prefixes had access to the network. Once they had determined the prefix they were able to send calls through those service providers’ networks and sell these minutes through front companies.

By reassembling the packets into speech hackers can eavesdrop on media streams and intercept VoIP packets to obtain sensitive information.

One way for hackers to do this is through a man-in-the-middle attack, where a third party spoofs the MAC addresses of the two speaking parties, to force the IP packets to flow through the hackers’ system.

Therefore, the very nature of IP networks makes it easy to access phone conversations. Eavesdroppers will no longer need to physically put a tap into a phone line, they can simply gain access from a laptop loaded with the right tools and connected to the Internet.

By Yusef Simjee, senior systems engineer at KSS