Do You Have a Good Voice…over IP?
Voice over Internet Protocol (VoIP) service was first introduced in 2004, but it was six years later before the first criminal was charged with hacking it [1]. The six-year lag, however, does not indicate that VoIP is any less vulnerable to hacking than other technologies. This 2010 charge appears to be only the tip of the iceberg.
The Good
VoIP has been a boon to businesses worldwide. The high costs associated with phone calls, national and international, are a thing of the past with what VoIP offers today. Early concerns about VoIP’s reliability, robustness, quality, and convenience have been stifled by years of satisfied customers and proven success, and the commercial world is now on board, viewing VoIP as an equal competitor to traditional landline service. What started out as a personal-use technology has today turned into a serious business enabler.
In spite of all of its success, VoIP still faces a serious threat to information security:
The most basic thing a hacker can do with your VoIP service is to steal it. In doing so, the perpetrator can make free calls and possibly start a new VoIP telephony business of his/her own at “amazingly cheap rates”, just like the first criminal who was charged with hacking VoIP [1]. Service theft is relatively easy with VoIP because the Session Initiation Protocol (SIP) that is used for authentication in VoIP calls does not use encryption by default.
Close on the heels of service theft is the risk of identity theft. If someone can steal a service, they have everything else they need to steal the identity of the person(s) using the service. Accounts as basic as utilities and as critical as financial loans are often tied to a specific phone number. If all else fails, the hacker can, at a minimum, gather significant information about the target individual(s) to be able to take the next step towards stealing the person’s identity.
One might remember when tapping a phone required some serious instruments that needed to be installed at the right places while at the same time the person “bugging” the phone would have to make sure that nobody watches him/her in action. This procedure is a lot easier with VoIP. The instrument might still look like a phone and work like a phone, but “tapping” this phone is not at all difficult for someone with the right knowhow and tools and the wrong intentions.
Hackers today can take control of several VoIP features such as voicemail, call forwarding, caller ID, calling plan selection, and billing details. Stealing the VoIP service to enable free calls is actually much less profitable and desirable for hackers. Instead, with businesses increasingly using VoIP, sensitive corporate information is now the target. VoIP packets flow over networks like packets of data and can be “sniffed” just like regular data packets. These packets can then be merged together to play back the voice conversation in ordinary media player software. Mix VoIP hacking with corporate espionage and you end up with a very lucky and enabled hacker.
What if you were to receive a call from your bank or your credit card company that had an automated voice at the other end asking you to enter your debit/credit card number, PIN, and other details? Chances are you might comply with the request. Better still, if you were the person making the call to your phone banking number then these chances are actually quite high considering the fact that you were the person making the call.
In both these cases, a vishing attack could have been launched using VoIP that leads you to believe you are calling an entity that you trust. Specifically in the second case, redirecting your call to a “visher” would actually be much easier if you use a VoIP-based phone.
Denial of Service
One VoIP hacking method that can cause significant frustration and losses to businesses is the Denial of Service. As the name suggests, the main aim of the hacker is to ensure that your organization is denied the usage of your VoIP telephony service.
Voice calls made by an organization can be manipulated, tampered, and even dropped. Hackers can even flood the target VoIP infrastructure with several call-signaling SIP messages. Many times, these DoS attacks are actually a smokescreen for hackers to plant malware or even take control of systems in the background.
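The SIP signaling flood described above is also the easiest of these attacks to spot from the proxy's own logs. The following is an added example (not from the original article or any VoIP product): a small sliding-window detector that reads simplified, constructed log lines of the form "timestamp source-IP SIP-method" and flags any source sending more than a threshold of requests inside a short window; the log format, the window of 5 seconds and the threshold of 20 requests are assumptions to be tuned to a real deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <src ip> <SIP method>"; a real proxy's
# log format differs, so LINE_RE would be adapted to the product in use.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<method>[A-Z]+)\b"
)
SIGNALING = {"INVITE", "REGISTER", "OPTIONS"}  # requests that make the proxy do work
WINDOW_SECONDS = 5
THRESHOLD = 20  # more than this many requests per source per window is suspicious

def parse_line(line):
    """Return (timestamp, src_ip, method), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["method"]

def detect_floods(lines, window=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map each flooding source IP to its peak request count inside one window."""
    recent = defaultdict(deque)  # src_ip -> timestamps still inside the window
    span = timedelta(seconds=window)
    alerts = {}
    for line in lines:  # lines are expected in chronological order
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, method = parsed
        if method not in SIGNALING:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > span:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            alerts[src] = max(alerts.get(src, 0), len(q))
    return alerts

def build_sample_log():
    """Constructed sample: one phone calling every 10 s, plus a 30-INVITE burst in 3 s."""
    base = datetime(2010, 11, 3, 9, 0, 0)
    normal = [f"{(base + timedelta(seconds=10 * i)).isoformat()} 10.0.5.21 INVITE"
              for i in range(6)]
    burst = [f"{(base + timedelta(milliseconds=100 * i)).isoformat()} 198.51.100.7 INVITE"
             for i in range(30)]
    return sorted(normal + burst + ["malformed line the parser must skip"])
```

On the constructed sample, `detect_floods(build_sample_log())` returns `{'198.51.100.7': 30}`: the phone placing a call every ten seconds never exceeds one request per window, while the bursting source is reported with its peak count.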
A user would have to run softphone software on a computer, a PDA, an iPhone, or a similar device. This introduces the vulnerability of falling prey to viruses, spyware, malware, worms, and just about all other forms of malicious code.
Spam exists with VoIP, although it is known as SPIT or Spam over Internet Telephony. While more typically just an annoyance, SPIT does at times carry viruses and malware, just like spam. While the occurrence of SPIT is not very common today, trends definitely dictate that SPIT is heading in the direction of SPAM.
Business today is a highly regulated space. The Gramm-Leach-Bliley Act (GLBA), the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health Act (HITECH), the Family Educational Rights and Privacy Act (FERPA), the Fair and Accurate Credit Transactions Act (FACTA), and even standards like the Payment Card Industry Data Security Standards (PCI DSS) all require the protection of the confidentiality, integrity, and privacy of sensitive information.
If a hacker attacking your VoIP infrastructure is bad, organizations that have been hit by the regulatory whip will testify that it gets ugly when the regulators come knocking.
Improving Your VoIP
The key to securing a VoIP infrastructure is to remember that it involves sending voice over the Internet Protocol (IP). So, the way to secure it is quite similar to the way you deal with an IP data network. Here are the key aspects to keep in mind when securing a VoIP infrastructure –
VoIP packets, by default, are transmitted in clear text, so encryption is vital to ensure confidentiality. VoIP infrastructures based on the Secure Real-time Transport Protocol (SRTP) encrypt the voice stream itself and so take a step ahead of unencrypted SIP in ensuring that VoIP traffic privacy and confidentiality are maintained. Alternatively, encryption in the form of Transport Layer Security (TLS) for the signaling or Internet Protocol Security (IPsec) for the whole path can also make a great difference.
A basic rule of thumb to remember is to logically separate voice and data networks. The best case scenario would be to let the VoIP infrastructure have its own isolated network with only the minimum necessary interactions with other sub-networks via secure firewalls. Having dedicated VoIP servers with audited and hardened operating systems and all unnecessary services disabled is the next step to fortifying your VoIP infrastructure.
Soft phones add to an administrator’s misery by offering another end point that needs to be secured. The ideal solution is to avoid using soft phones altogether. If they must be used, ensure that they are fully hardened and patched at all times. While this adds an additional burden, it is absolutely paramount to the security of the VoIP infrastructure.
Hard phones offer a great alternative to soft phones, especially when coupled with private branch exchange (PBX) systems running on a hardened and, preferably, dedicated server. Periodic checks and updates are essential to ensure that the IP-PBX and IP Phone firmware is fully patched.
This is an often understated aspect of VoIP security. While an organization can spend countless hours and resources securing the medium of transmission, it is critical to also ensure the physical security of the enabling infrastructure components like the hard phones, the VoIP servers, and any other device that directly or indirectly supports the VoIP infrastructure. Physical security can become the Achilles heel of your VoIP infrastructure if it is not respected.
Defaults and Passwords
More often than not, default passwords and settings are not secure. These defaults are created with a generic scenario in mind and will most likely not fit the requirements and customization that your organization demands. It is important to replace all default passwords with strong passwords that are at least eight characters long and employ a combination of uppercase letters, lowercase letters, numbers, and special characters. This should be further bolstered by good password policies and robust identity management.
Voice Messaging Systems and Storage
One typical area that is easy to miss is the security of calls that are stored on voice messaging systems. Ensure that the voice message boxes of all users require that the password be changed each time the service is used. It might cause a bit of inconvenience, but it will also offer a mile of improved security. It is also important to secure the storage of voice messages by performing periodic checks and audits to look for exploitable holes.
Last, but most important, a periodic vulnerability assessment of the VoIP infrastructure can ensure that no holes have emerged due to the ever-changing nature of business requirements and the networks that support them. Independent audits can often provide useful insights into the state of the VoIP infrastructure and serve as an additional
Make VoIP Work For You
VoIP has truly been a genuine money saver for businesses all over the world and the world is a smaller place, in part thanks to VoIP technology. The security issues around VoIP are serious and very real. However, taking the right steps and countermeasures can truly help your organization make the most of VoIP.
The Internet is like alcohol in some sense. It accentuates what you would do anyway. If you want to be a loner, you can be more alone. If you want to connect, it makes it easier to connect.
- Esther Dyson, Commentator on Emerging Digital Technology
Enterprise Risk Management:
At a Glance
ERM brings clients the highest level of expertise to assess and address risks, comply with standards and regulations, and mitigate risks, using integrated and reasonably priced security services and solutions. Our practice provides organizations with the tools they need to address the compliance and risk management issues of today, as well as the broader and ever-increasing security challenges of the future.
ERM wants to hear from YOU….
With this edition of our newsletter, we’re rolling out a new format and new features. Tell us what you think! What features or topics would you like to see covered in future issues? Who else should receive this newsletter?
Your feedback is welcome and encouraged. Please send your comments to email@example.com.
For more information, visit www.emrisk.com
Services: IT Security, Regulatory Compliance, IT Audit, Computer Forensics, Risk Management, Attestation
Certified Public Accountant (CPA)
Certified Information Systems Security
Certified Information Systems Auditor (CISA)
Certified Information Systems Manager (CISM)
Certified Information Technology
GIAC Security Essentials Certification
GIAC Systems and Network Auditor
Qualified Security Assessor (QSA)
Approved Scanning Vendor (ASV)
Some of our Clients
ABN-AMRO Private Banking Bacardi-Martini, Inc.
Banco Industrial de Venezuela Banco ITAU
Bank United Caja Madrid Bank
Carnival Cruise Lines, LLC CitiBank
Coconut Grove Bank Commerce Bank E-data Financial
Florida International University Florida Power & Light Company Heico Aerospace
Helm Bank Knight Ridder
Nova Southeastern University Rinker Materials
Rudy, Exelrod & Zieff, LLP Seabourn Cruise Line TecniCard, Inc.
The International Bank of Miami TransAtlantic Bank