Voice over IP (VoIP) systems are increasingly popular. However, IP-based private branch exchanges (PBXs) are being hacked or targeted by toll fraud and distributed denial of service (DDoS) attacks. Companies keen to benefit from the undoubted advantages of VoIP need to be aware of the risks. VoIP is just data to computers and is as easily compromised as other data. It is no longer on a separate network; usually, voice data touches other networks and, in the case of least cost routing, the networks that are touched can be considerable. In some cases, voice may be routed not only across the providers’ considerable network, but may interface with the Internet. It is therefore up to the customer to make sure that VoIP security is properly addressed. From a hacker’s point of view, VoIP has all the vulnerabilities of both data and telephony networks. To appreciate this, it is important to take into account all of the various components required for a VoIP deployment. There are a lot of services that need to be configured correctly and these are all prime targets for any hacker. They are: 1. User Agents (devices) 2. Media gateways 3. Signalling gateways 4. Gatekeepers 5. Proxy Servers 6. Redirect Servers 7. Registrar Servers 8. Location Servers 9. Network management systems 10. Billing systems servers So now the telephone system is just a computer and can be attacked in the same way. For instance, it can be attacked via the WiFi as the protocols used for wireless – both WEP (Wired Equivalent Privacy) and WPA (WiFi Protected Access) – can now be hacked. Or it could be that switches, routers or NIC drivers are not up-to-date, have a flaw and can be compromised. Perhaps the operating system is not fully patched, as sometimes VoIP manufacturers recommend that autoupdates be turned off. The telephone system is now also exposed to generalised network issues like broadcast storms, which can affect handsets on the same network. The point is that the telephone system needs the same protection as your other servers. Next, the hacker will look at the many VoIP protocols that are used: 1. Session Initiation protocol (SIP) 2. Simple Gateway Control Protocol (SGCP) 3. Internet Protocol Device Control (IPDC) 4. Real Time Transport Protocol (RTP) 5. Secure Real Time Transport Protocol (SRTP) 6. RTP Control Protocol (RTCP) 7. Secure RTP Control Protocol (SRTCP) 8. Media Gateway Control Protocol (MGCP) 9. Session Description Protocol (SDP) 10. Session Announcement Protocol (SAP) 11. Multipurpose Internet Mail (MIME) 12. Inter-Asterisk eXchange (IAX) 13. Gateway Control Protocol (Megaco H.248) 14. Remote Voice Protocol over IP (RVP over IP) 15. Real Time Streaming Protocol (RTSP) 16. Skinny Client Control Protocol (SCCP – Cisco) 17. Unified Network Stimulus (UNISTIM – Nortel) The intention will be to see if there are any inconsistencies in the way the protocols have been implemented and any configuration issues that can be taken advantage of. With so many servers and protocols to attack, this allows for a number of different approaches: 1. Identity Spoofing 2. Conversation Eavesdropping/Sniffing 3. Password Cracking 4. Man-in-the-Middle 5. SIP-Cancel/Bye DoS (prematurely ending calls) 6. SIP Bombing (transmitting a large quantity of forged SIP messages) 7. RTP Insertion Attacks 8. Web Based Management Console Hacks 9. Fuzzing 10. Default passwords However, it is not just these well-known attack vectors that companies need to be aware of. VoIP introduces some nuances that allow a hacker to be quite inventive. In one case, the hacker realised that the telecommunications company actually stripped off the ‘head’ number and just passed on the extension. However, the integrated service router (ISR) on the customer site had been configured to allow call forwarding. The hacker discovered this and by prefixing the code for an external line (‘9’), he was able to make calls to premium rate numbers. For a more indepth explanation go here. In another case, the VoIP system had a voice mail system that could be accessed by employees remotely by the dialling and entering of a PIN number. One of the PIN numbers was broken by the hackers, giving them access to that voicemail. The voicemail feature provided the ability to configure a call transfer, so the hackers could configure a call transfer to a premium rate number. They did this on a Friday evening and changed the PIN number ensuring the legitimate user could not log back on. By Monday, the ITSP was ringing to inform the customer of a 100,000 Euros bill. Obviously, distributed denial of service (DDoS) attacks are a concern for any organisation and it seems that large companies are just as vulnerable. TelePacific Communications fell victim to an attack that lasted a number of days. Organisations should also be aware of the risk of eavesdropping or ‘sniffing’ VoIP data. This was recently illustrated by a flaw in some Cisco phones, where phones still on-hook (but apparently not being used) could be turned into listening devices. Virtual LAN (VLAN) hopping is another threat that is not commonly understood. The “Voice VLAN” is a special access port feature of Ethernet switches that allows IP phones to auto-configure and easily associate to a logically separate VLAN. This feature provides various benefits, however, when IP Phones are located at physical locations outside of close physical proximity to the corporate network, the threat of attacks based on VLAN hopping greatly increases. The reason for this is that many companies implement a configuration of voice and data VLANs at these remote locations that mirrors the exact VoIP configuration of the internal network. So, at this remote location, the hacker ensures that his laptop/PC is directly terminated into the Ethernet cable coming from the network jack on the wall rather than being terminated on the Ethernet port on the IP phone. The hacker then uses “sniffer” software to collect data from the network. Dissecting these multicast frames will tell the attacker the VLAN numeric ID of the VoIP VLAN. After the hacker has set the Ethernet frames emanating from his laptop/PC to have the Voice VLAN ID, the Ethernet switch permits and switches the traffic correctly. The IP phones will then be allowed to send a dynamic host configuration protocol (DHCP) request for an IP address in the Voice VLAN network. So now we have an unauthorised laptop/PC on the VoIP VLAN which cannot be good. Once on the Voice VLAN, it can now do a regular VLAN hop onto the data network and hence gain access to other vital company resources like databases and financial information. The purpose of this article is not to scare but to prepare. Organisations can gain innumerable benefits from VoIP, but this telephony strategy should not be adopted without putting effective and comprehensive security systems in place. For more information on how to protect against the threats detailed in this article, visit www.redscan.com/node/582.