Who else is listening?


Picture an evil-minded hacker – no doubt wearing a balaclava and Marilyn Manson T-shirt – using his computer to hack into the VoIP phone systems of your clients, eavesdropping on corporate secrets and blackmailing the CEO.

It’s easy to imagine, and plenty of people do. “VoIP security” is the buzzphrase of the hour and security companies are predicting a wave of attacks that could send SMEs’ VoIP networks sprawling.

The problem is that there is very little evidence out there to support the scenario, and the IT community appears divided on the question: how great is the threat to VoIP security?

As early as June 2005 a Gartner report was arguing that organisations should not delay in introducing VoIP systems because of security fears, the key reason many cited for staying with the limited and sclerotic PSTN service.

According to many integrators and network vendors, the report’s conclusion remains valid today:
“The same security processes that protect data networks from worms and denial-of-service attacks will protect IP telephony applications. For networks that have an acceptable level of business security, the value of IP telephony will outweigh the risks. Organisations that cannot yet protect their data networks should not deploy IP telephony until they can.”

But the picture has changed, say security companies. Now there is vishing or voishing, the VoIP version of phishing emails that trick people into divulging critical personal or financial information, which is then used to assume their identity.

Security vendor MessageLabs gives an example where a victim receives an automated telephone call reporting that the victim’s credit card has been used illegally, and gives a fake 1800 number to dial and confirm details. The spammer uses VoIP to spoof the phone number of the credit card company and add credibility to the scam.

“As with more traditional forms of social engineering deceptions it is very difficult to safeguard against [these calls] as they often take place offline,” says MessageLabs’ marketing director, Asia Pacific, Andrew Antal. “With so many VoIP providers vying for market domination, call costs are relatively low, making such scams an attractive proposition.”

Other threats include denial-of-service (DoS) attacks, which can “wreck your ability to make a telephone call” or “provide the potential for your calls to be ‘digitally’ intercepted,” says Antal.

MessageLabs also adds that, unlike secure Internet transactions that display a padlock icon in your web browser, VoIP calls are not generally encrypted.
“That makes them susceptible to eavesdropping,” says Antal.

And then there are new and terrifying acronyms such as ‘spit’ (spam over IP telephony), which will send automated messages selling body-part enhancers and cheap medical degrees to millions of VoIP voicemail accounts with the press of a single button.

Even more devastating are trojan-style attacks that can download a payload through your handset to your PC.

D-Day for VoIP is due to arrive when VoIP platforms by the various vendors merge together. When Yahoo and MSN opened up their instant messaging (IM) systems to each other, it led to an increase in IM threats (now up to 40–50 a week, according to MessageLabs).

“I would expect that once the VoIP ecosystems merge (Skype, Cisco etc.) we will start to see an increase in VoIP-related threats,” says Antal.

However, MessageLabs could offer no evidence to back up its predictions, other than the logic that if it happened to IM, it would happen to VoIP.

But what about the trojan-style attacks with their devastating payloads? There are no examples of these in the wild yet either. “Not to my knowledge,” qualifies Antal.

And, although the concept of spit has been around since late 2004 and tools are available on the Internet to create spit servers, there is very little spitting going on.

There are concerns, too, over the preparedness of SMEs and the sanity of IT managers. Handsets come with their own browsers, FTP software and other applications – “basically a VoIP phone is a mini-PC,” says Chris Gatford, senior security consultant with Pure Hacking, a company that carries out penetration testing. Admins struggle to look after security for the 100 or so servers in an average SME, and moving to a VoIP system effectively gives them thousands of mini servers to look after, he says.

Gatford also claims the use of several vendors in a VoIP solution increases the likelihood of vulnerabilities. For example, Cisco’s solution is only secure if you have Cisco end-to-end, he says.

Network vendors and clueless SMEs need not worry, as security vendors are determined to meet any future threats well prepared. For this purpose Symantec has rushed out a VoIP Security Alliance (www.voipsa.org) to present a coordinated front. One of the alliance’s founders, David Endler from Tipping Point, has co-authored the book Hacking VoIP Exposed, which lists common VoIP hacks as well as standard voicemail responses that can be used to identify whether a system is Avaya, Cisco or Asterisk.

Threats below the radar

Of course, the biggest problem with some VoIP attacks like eavesdropping and call recording is that, unlike DoS, the victim never knows it is happening. Some security companies believe these attacks occur frequently but integrators and carriers are unaware.

“The likelihood of [carriers and integrators] knowing of a threat succeeding is extremely unlikely,” says Gatford. This explains why there is so little data on VoIP attacks, he says. Few records of security breaches make it to the press, but this is not unusual as companies never want to let their customers, business partners and shareholders know they have failed to protect important information.

However, two widely reported events did make the news in the past six months.

The first was a hack into the VoIP system of Buckingham Palace by a reporter, who was able to listen in to conversations between members of the royal family.

The second, more devious attack was carried out in Miami, Florida, where a hacker broke into the VoIP system of a large company. He then began reselling air time to customers of a bogus company he set up, running up an enormous phone bill with the host company.

Tipping Point’s security marketing director, Asia Pacific, Ken Low, admits that, “VoIP is not the priority target for hackers at the moment”, and that there are few attacks in this region. Nevertheless, “the fact that they have happened in the UK and the US means it can happen in Australia”.

Lined up against the doomsayers are integrators and carriers who claim not to have witnessed any security breaches. Also there are some security experts who admit that the present level of defences is adequate.

“I believe the industry has the security set at the right levels,” says Greg Bunt, regional engineer, Asia Pacific, Juniper Networks. “If you implement a voice network properly you shouldn’t have a problem at all.” In fact, Bunt believes the easiest way to record a VoIP conversation is to buy a small microphone and bug the office. Hacking into a system leaves a lot more fingerprints, he says.

Integrators acknowledge there are risks and list measures to reduce the chance of an attack succeeding.

The first is access control lists, which limit access to the VoIP network to a list of MAC addresses matched to each device. The second is the segmentation of the data and voice network by using VLANs; voice is sometimes run over multiple VLANs. Host intrusion detection systems with anti-virus on servers running unified messaging are also sensible.

Adding a firewall in front of the call control software takes the security detail a step higher. A VPN must be used over the WAN. Encryption from handset to handset will give the internal hacker an earful of white noise. And then there is the physical security, such as a lock on the comms room door.

There are several things that one should never do, such as connecting a handset directly to the Internet without the protection of a firewall. But most integrators stopped doing this a long time ago.

“The reality is in the old analogue TDM network you could walk into the basement of a building and tap into a phone call,” says NSC’s managing director, Craig Neil. “I think the IP world is more secure.”

Neither NSC nor Cerulean, with over 850 VoIP sites between them, has had a single notification about a VoIP-related security breach, according to their representatives. And many don’t even use end-to-end encryption. “The mechanisms are there today – we could easily have every voice packet encrypted – but a lot of organisations haven’t seen the need,” says Cerulean’s practice manager for IP communications, Craig Campbell.

Only one of Cerulean’s 150 customers has high-level encryption.

ISPhone’s CTO James Spenceley says he has never heard of an attack on a handset, even though he first started working on VoIP in 1999 with Comindico/Soul. “This is why the whole VoIP security is amusing – I’ve never heard of a problem,” says Spenceley.

Will the real threats please stand up?

Sorting out the FUD (fear, uncertainty and doubt) from the reality takes some work. “The VoIP security discussion is made difficult by scare tactics and outright exaggerations,” says Gartner analyst Bjarne Munch.

Hype about threats is based on the false assumption that SMEs are running VoIP over an open IP network, which is very rarely the case with enterprise. “The risk of hacking, spitting, voishing etc. is currently small for an enterprise because these attacks traditionally are initiated from the Internet and the Internet is shielded by a firewall,” says Munch.

Claims that hackers can listen to SMEs’ calls as they travel over the Internet are totally misleading. In fact, business-grade VoIP calls rarely travel over the public Internet and when they do are normally encrypted.

“Very, very few customers are doing anything over the Internet,” says Mark Duncan, convergence practice manager at Avaya. Avaya also encrypts the call signalling whenever a VoIP call is made over a public network as an added measure.

There are vulnerabilities in VoIP networks but these mainly require access to the physical servers that run the application. This follows the accepted wisdom that the greatest threat, like the majority of attacks, is internal.

There is a real threat of staff eavesdropping within the security perimeter. An IT-savvy person who has access to the Ethernet switch can take a feed of all data, enter in the IP address of the MD’s handset to isolate the traffic and listen in on the call. Vendors like Avaya have responded by encrypting calls from handset to handset or handset to PSTN, which eliminates this problem.

Avaya’s Duncan also rubbishes the claim that a single-vendor environment is more secure than multiple vendors. “There are very few vendors who would suggest that,” says Duncan. In fact, he believes the opposite is true: experience shows that “lock-in drives complacency”, he says.

VoIP is most vulnerable when used over a wireless network, as there are many network-based attacks that can scan for VoIP devices and sniff VoIP conversations. Using a VPN over the wireless network to make calls addresses this vulnerability.

Softphones – software-based versions of IP handsets that are sold by most vendors – are another weakness, says Gatford. This is because they run on the PC, which makes it much more difficult to separate voice traffic onto a different network from the one carrying data.

From outside, it is often easier to attack not the VoIP application itself but the server it is running on. Windows servers, even regularly patched, are the easiest targets thanks to the volumes of documentation on the Web listing vulnerabilities and exploits. A hacker that can create a new account with administrator privileges will then be able to listen into phone calls, says Tipping Point’s Low.

However, there are dedicated products running highly secure OSes, which are much harder to crack. One such switch is made by ShoreTel and runs on a highly stable OS called VxWorks, which is found in pacemakers. If a worm goes through a company’s servers, at least the phone server won’t need to be rebuilt, says Tony Warhurst, managing director, South East Asia at ShoreTel.

Two years ago Tipping Point brought out VoIP filters that stopped intrusions rather than simply detecting them. An intrusion protection system (IPS) sits behind the firewall and inspects every TCP/IP packet. If a packet doesn’t fit the pattern of expected activity, the IPS blocks it.

While Tipping Point did have success with an IPS sale to a large government department in Canberra recently, Australian companies haven’t rushed out to buy Tipping Point’s IPSes, says Low. He estimates the size of the market here as only 1 percent that of the US.

Bored or malicious employees at a network provider are also in a prime position to listen in on calls. One way to lessen the opportunities for non-staffers to hear a conversation is to minimise the number of networks a call travels across.

Consumer-grade calls can travel through four or more networks, and a technician managing any one of those networks can easily listen in.

ISPhone, a wholesaler to resellers for the SMB market, has physical access to its national network and to the DSL tail into a client’s premises. This means that the wholesaler can monitor congestion and ensure QoS and security, says ISPhone’s Spenceley.

If a company also takes DSL with the wholesaler, ISPhone is responsible for each VoIP call until it terminates at a PSTN point with a tier-one carrier. He adds that he trusts his own co-workers not to snoop on customers’ calls.

Banks, crisis support centres and other institutions with an extreme need for confidentiality can minimise the time an integrator has access to their VoIP networks. Security tokens with expiry dates and times can grant authorisation for one hour to allow QoS monitoring.

Despite assurances, some vendors are offering even greater levels of protection. Like Avaya, Nortel also recommends encrypting the call set-up and teardown signalling, which identify the extension number a phone is dialling, even if the call itself is encrypted from handset to handset, says Mitch Radomir, product and solutions marketing, voice, Asia Pacific, Nortel.

This feature adds another box, called the security media control server, to the set-up, as well as several thousand dollars more to the final bill.

However, Radomir denies that the feature is one being foisted unnecessarily on the market; defence and security customers are demanding it.

He is also one of the few vendors that believes that the VoIP threat is significant. Radomir points to the number of patches and updates released on www.cert.org, a security website, as evidence of an ongoing tussle between vendors and hackers.

“You wouldn’t be spending that much money doing security patches if there were no attempted breaches or attempted vulnerabilities,” Radomir says.