MI-80 De Oppresso Liber

Like many small & medium businesses (SMBs) in recent years we've decided to utilize Voice Over Internet Protocol (VoIP), after all it's cheap, perfect for a decentralized organization, as well as quick and easy to deploy. Unfortunately being a security company the many inherent weaknesses soon began to surface, some obvious, yet some not so much.

Research firm Access Markets International (AMI) Partners, Inc. estimated VoIP solutions brought in over $3billion last year, up 26% from 2005 [1]. They even estimate a majority of SMBs will migrate to VoIP by about 2012. Suffice to say regardless of its flaws, VoIP isn't going away, so we as an industry while unable to magically fix the issues, must ensure we're at least aware of them. Here are the top five security hurdles we run into with customer VoIP deployments and what we recommend to work around them.

Denial of Service (DoS)
Any one who has used VoIP has most likely run into bandwidth issues. For commodity connections like cable and DSL lines it's easy to saturate bandwidth (especially the asymmetrically sluggish upload) if you're not careful. It's certainly not good for business when your child launches BitTorrent and your call quality goes to hell. VoIPs biggest strength, the fact it becomes nothing more than another set of bits on the wire, may be its greatest inherit flaw as well. All bandwidth issues, intentional and accidental, effect VoIP like they affect all other services.

It's hard to run a website long these days without running into these issues. Botnets, large groups of compromised computers, are common and bored teenagers have gained the power to knock some of the most powerful sites in the world off-line using DoS attacks (flooding the sites bandwidth to block legitimate traffic). On the flip side this has lead to huge leaps in anti-DoS technologies as well as entire service infrastructures such as the Akamai network [2]. Apply this to a business vital function like voice communications and it can be devastating.

Unfortunately DoS is a tough problem to solve. It involves paying for services or buying more bandwidth than you need, neither of which come cheaply. A common solution for our customers has been to get dual Internet connections, such as a cable and DSL line. Besides giving them general fail-over when one connection dies this separates prime targets like web and DNS servers from the VoIP line, making it a secondary target. And of course giving the voice communications a dedicated line isolated from the clutter of the data line doesn't hurt anything.

Protocol Vulnerabilities
Every protocol, almost without exception, when first deployed has bugs to be worked out. Some have outright security flaws, while others (like IPv6 [3]) simply open themselves up for abuse. Further complicating things is the fact that so many vendors develop their own network stacks, so even if the core protocol is fine how many insecure implementations are out there? This is a lesson learned over and over again by the security community. Wired Equivalent Privacy (WEP), the first generation wireless encryption protocol, is the classic example.

WEP was developed by a small committee of engineers. They utilized over all good standards, such as the RC4 encryption algorithm (used widely in SSL for years without issue), but in their implementation they botched it so massively it's now possible to crack 128bit WEP in around 53 seconds on a decent laptop [4].

Moving beyond that is the lack of a single standard. Cisco has their VoIP protocols (Skinny), Apple has theirs (H.323, but in all fairness far from a Apple only protocol), etc. Luckily most companies seem to be sticking with Session Initiation Protocol (SIP). Unfortunately the sheer number of different VoIP protocols and various implementations means it's going to be several years until the technology matures enough to really be trusted.

Finally SIP, like most other VoIP protocols, has next to no security built-in. It's natively susceptible to denial of service attacks along with many VoIP specific attacks like the ability for an attacker to intercept, modify, reroute, and prematurely disconnect calls.

As far as negating this? Well good luck. The technology will get beat up and will eventually mature, and until then there's little any of us can do but keep things patched, sit behind good defenses, and weather the storm.

Sniffing
Eavesdropping is possibly the most obvious VoIP flaw most implementors consider. No major VoIP protocols include native encryption. Vendors are so concerned about getting the best performance they make major compromises such as using stateless protocols (UDP), pushing Quality of Service (QoS), that they'd never spend precious milliseconds encrypting the data before transmission.

Human nature becomes the major concern here. For decades people have considered the public telephone systems a secure out of band method of communications. People are more inherently willing to give confidential information over the phone than via the Internet. We constantly have people openly giving us passwords over the phone but unwilling to do so via email.

That said, man-in-the-middle attacks, MAC address spoofing, APR poisoning, sniffing, and all the normal methods of illicitly intercepting Ethernet traffic work for VoIP. And unlike a normal phone tap attackers can tap VoIP phones from the other side of the planet.

This being one of the most obvious threats also makes it one of the easiest to fix. You can at least raise it to the level of security offered by the normal telephone system. VPNs are prime for utilization here. Our first internal deployment was simple; each employee had a phone which connected over a VPN to the home office where it went through the gateway and entered the phone system. Most modern appliances, like SonicWALL's, include special hardware for speeding up encryption, meaning the penalty spent on securing this vital data in transit is for all practical purposes, zero.

Of course most users have gateways in house, or may utilize something like Vonage or Packet8. Unfortunately you're out of luck unless your provider utilizes encryption between your phone and their gateway. That said it's still a good idea to secure the traffic on your LAN as much as possible. Virtual LANs (VLAN's [5]) have become increasingly popular for this in recent years, at least presenting a hurdle to anyone who'd like to plug in a laptop and listen to your conversations.

Spam and Phishing
Any new technology these days seems to have some form of spam and phishing attached. Sadly a new technology means new words for the same thing, and the mass media has become fond of the buzz words “SPIT” and “vishing” for VoIP. Don't ask me, I didn't make them up.

SPIT is at least an acronym for “spam over Internet telephony”, so it makes some sense. What makes VoIP more susceptible than traditional phone lines are the resources required to send it. Normal phone lines would require a vast array of modems or auto-dialers and a large amount of money for phone lines, long distance fees, and the like. A “spitter” (I can't be the first to think of that word to describe SPIT spammers, but I'll gladly take credit) could simply set a few computers on brandband connections to sit there 24/7 dialing random numbers for $20 a month. The barrier to entry is simply too low not to expect abuse. Then again why pay anything? With botnets controlling millions of compromised computers imagine the amount of voice spam which could be spewed out using those. And of course, on the receiving end, if a spammer finds your gateway they don't even have to touch the normal phone line, they can send VoIP spam to you like any other data traffic.

How can this be prevented? Well that's the million dollar question. You can buy hundreds of devices currently to block email borne spam. But those emails can also sit on the device for a few minutes, or even an hour, running through various filters. The inherent nature of the phone means you have a few seconds to make that critical decision, because the person calling is only going to be on the line for a few rings. Pair that with the fact the technology is immature, spit is new and defenses are practically non-existent, it's really just a matter of time for people with malicious intent to build up their arsenal of tools before this becomes more of a problem.

Vishing, as you can imagine, is just a new twist on phishing. Imagine getting a call from an automated source saying they've detected fraudulent activity on your credit card and must verify some information or they'll put a hold on your account. 0.01% of people receiving it will fall for it, and the rest of us will suffer through the annoyance because it pays off so well.

This also opens up the possibility of multi-channel attacks. There have already been reports of email borne spam trying to trick Paypal users out of their logins, but with a twist. Instead of linking to a login page they tell them to call a phone number, and well, it works. As touched on above as long as people inherently trust the phone system more than the Internet, this will work.

Targeted Attacks
As touched on above, VoIP, like other services, has an attack surface. This isn't even new; there are already well publicized reports. In 2006 attackers broke into a large provider and were able to generate their own traffic in such a way that they were able to sell minutes through multiple front companies. Using nothing but some software they were making money off someone else's infrastructure.

It stands to get worse. Imagine the consequences of someone gaining access to your VoIP gateway. They could simply kill your service, but just as easily they could listen in to your conversations or make calls at your expense while pretending to be you. The possibilities are endless.

Like any other service all one can do to mitigate this threat is enforce best practices (like those listed here). Keep software up to date, and accept the fact that given enough time, any service can, and likely will one day, be compromised. That's the Internet we live on. Keep backups, remain diligent, and have a recovery plan in place. That's the only practice which always works.

------

1. http://www.ami-partners.com/ami/sections/Studies/CPE-Hosted-finalTOC.pdf
2. http://www.akamai.com/sitecomparison/
3. http://www.securityfocus.com/news/11463?ref=rss
4. http://eprint.iacr.org/2007/120.pdf
5. http://en.wikipedia.org/wiki/VLAN