Increasingly, VoIP solutions are under attack. We see IP PBX’s being targeted by toll fraud, DDoS or being hacked as companies keen to benefit from the undoubted advantages of VoIP are not made aware of some of the risks. The tendency is for suppliers to want to sell on price and anything that adds to the cost is not welcomed. It is not that good security takes away from the return on investment, but it may have some effect on profit margins of the supplier which may be passed on. So how is this possible?
This is just telephony, isn’t it? Don’t the ITSPs provide the required protection? You have to consider that VoIP is just data to computers and as easily compromised as other data is. It is no longer on a separate network, somewhere this data touches other networks and in the case of least cost routing, the networks that are touched can be considerable. In some cases, it is possible that a sales person may not understand that voice will be routed not only across the providers considerable network but may interface with the internet with some providers. It should also be understood that the security posture of an ITSP is inevitably different to that of the enterprise, there are rare occasions where the coincide but the ITSP is about connecting networks, least cost routing and reducing obstacles to communication in the same way that you would expect an ISP of traditional data to behave.
There is likely to be a conflict with the ITSP somewhere in this remit. But first, how is it possible? From a hackers point of view, VoIP has all the advantages of both data and telephony. So, for instance, the telephone system can be attacked via the WiFi as both WEP and WPA have been hacked. Perhaps if the IP PBX server does not have up to date software, maybe a NIC driver is not up to date. It could be as simple as the operating system not being fully patched and this might be a recommendation of the VoIP manufacturer specifying that autoupdates are turned off. It is also the case that the telephone system is now exposed to generalised network issues like broadcast storms.
Which could also affect handsets on the same network. Similarly for switches and routers, if they are not up to date, they may be vulnerable to well publicised exploits. Obviously DDoS attacks are a concern for any organisation and it seems that large companies are just as vulnerable to such attacks as can be seen from the attack against TelePacific Communications lasting a number of days (http://www.networkworld.com/news/2011/100411-ddos-voip-251553.html?page=1). And there is a lot about the ability to eavesdrop or sniff VoIP data as recently illustrated by a flaw in some Cisco phones where phones still on-hook (that is apparently not being used) can be turned into listening devices (http://www.h-online.com/security/news/item/29C3-Big-bugging-with-Cisco-VoIP-phones-1775050.html) . It starts with the various components required for a VoIP deployment:
- User Agents (devices)
- Media gateways
- Signalling gateways
- Proxy Servers
- Redirect Servers
- Registrar Servers
- Location Servers
- Network management systems
- Billing systems
These are a lot of services that need to be configured correctly and which are prime targets for any hackers. After which the hacker will look at the various VoIP protocols that are used:
- Session Initiation protocol (SIP)
- Simple Gateway Control Protocol (SGCP)
- Internet Protocol Device Control (IPDC)
- Real Time Transport Protocol (RTP)
- Secure Real Time Transport Protocol (SRTP)
- RTP Control Protocol (RTCP)
- Secure RTP Control Protocol (SRTCP)
- Media Gateway Control Protocol (MGCP)
- Session Description Protocol (SDP)
- Session Announcement Protocol (SAP)
- Multipurpose Internet Mail (MIME)
- Inter-Asterisk eXchange (IAX)
- Gateway Control Protocol (Megaco H.248)
- Remote Voice Protocol over IP (RVP over IP)
- Real Time Streaming Protocol (RTSP)
- Skinny Client Control Protocol (SCCP – Cisco)
- Unified Network Stimulus (UNISTIM – Nortel)
The intention will be to see if there are any inconsistencies in the way the protocols have been implemented and any configuration issues that can be taken advantage of. With so many servers and protocols to attack, this allows for a number of different approaches:
- Identity Spoofing
- Conversation Eavesdropping/Sniffing
- Password Cracking
- SIP-Cancel/Bye DoS (prematurely ending calls)
- SIP Bombing (transmitting a large quantity of forged SIP messages)
- RTP Insertion Attacks
- Web Based Management Console Hacks
- Default passwords
However, it is not just these well-known attack vectors that companies need to be aware of. VoIP introduces some nuances that allow a hacker to be quite inventive. In one case, the hacker realised that the Teleco actually stripped off the ‘head’ number and just passed on the extension. However, the ISR (Integrated Service Router) on the customer site had been configured to allow call forwarding. The hacker discovered this and by prepending the code for an external line (‘9’), they were able to make calls to premium rate numbers. Example: DDI 0123456 x 123 So Teleco stripped the 0123456 and sends on the extension. The hacker realised this and sent: DDI 0123456 x 9premium_rate_number
In another case, the VoIP system had a voice mail system that could be accessed by employees remotely by the dialing and entering a PIN number. So one of the PIN numbers was broken by the hackers and now they had access to that voicemail which is obviously not good but the intrusion became worse. The VM feature provided the ability to configure a call transfer. So once in, the hacker could configure a call transfer to a premium rate number. They did this on a Friday evening and changed the PIN number ensuring the legitimate user could not log back on.
By Monday, the ITSP was ringing to inform the customer of a 100,000 Euros bill. VLAN hopping is another threat that is not commonly understood. The “Voice VLAN” is a special access port feature of Ethernet Switches which allows IP Phones to auto-configure and easily associate to a logically separate VLAN. This feature provided various benefits, but one particular benefit is when the Voice VLAN is enabled on a switch port that is also enabled to allow simultaneous access for a regular PC. This feature allows a PC to be daisy chained to an IP Phone and the connection for both PC and Phone to be trunked through the same physical Ethernet cable. This provides the enterprise cost savings on both cabling and moves/adds/changes.
However, when IP Phones are located at physical locations outside of close physical proximity to the corporate network, the threat of attacks based on VLAN hopping greatly increases. The reason for this is that many companies implement a configuration of Voice and Data VLANS at these remote locations that mirrors the exact VoIP configuration of the internal network. So at this remote location, the hacker ensures that his or her laptop/PC is directly terminated into the Ethernet cable coming from the network jack on the wall rather than being terminated on the Ethernet port on the IP phone.
The hacker then uses “sniffer” software to collect data from the network. Dissecting these multicast frames will tell the attacker the VLAN numeric ID of the VoIP VLAN. After the hacker has set the Ethernet frames emanating from their laptop/PC to have the Voice VLAN ID, the Ethernet switch permits and switches the traffic correctly. The IP Phones will then be allowed to send a DHCP request for an IP address in the Voice VLAN network. So now we have an unauthorised laptop/PC on the VoIP VLAN which cannot be good. Now that the system is on the Voice VLAN, it can now do a regular VLAN hop onto the data network and hence gain access to other vital company resources like databases and financial information.
The result is that VoIP security needs to be considered, it is not trivial and it can mean that resources become vulnerable unnecessarily.