VoIP security attacks: We ain't seen nothing yet!

VoIP security incidents haven't attracted a ton of attention so far, in part because hackers and criminals haven't found enough incentive in a market that is still emerging. But experts say that it's just a matter of time before major incidents become more common, and they offer their advice for how managers can prepare for a portfolio of threats that bridges both the data and voice realms.

"There's not a huge amount of hacks and attacks happening in voice yet. But the problem is that it will happen, and it is starting to become a major concern to people,'' said Andrew Graydon, security requirements committee chair for the industry association VoIPSA and CTO for security vendor Borderware Technologies, Inc.

There's no major incident on the Internet at the moment, and that's true because we have a chicken and egg scenario. There is very little incentive for hackers or virus creators or spammers. Andrew Graydon, Security Requirements Committee Chair, VoIPSA

`"There's no major incident on the Internet at the moment, and that's true because we have a chicken and egg scenario. There is very little incentive for hackers or virus creators or spammers. If there is no incentive for these guys to attack, then there is no reason for security. But, as more and more people open up their IP PBXs and IP communication systems, then the hackers and the virus writers and the spammers will get more and more interested,'' he added. Graydon estimates that up to 70% of enterprises are using VoIP in some way, but that most of those are closed systems, using IP within the organization but linking into traditional telephone systems.

VoIP security presents a new challenge for network managers who are accustomed to the perceived security inherent in traditional, copper wire voice systems where telephone companies owned and secured the network, according to Graydon and other experts.

Public impressions of VoIP vulnerabilities may focus on someone eavesdropping on calls, but experts say that sniffing for sensitive phone calls is extremely difficult. Instead, incidents are likely to include a mix problems found in the past on data and voice networks.

"One that is not found in the data world but is found in the voice world is toll fraud. They have incentive, especially for international calls, to do toll fraud, calling people worldwide and have it charged to some firm. Until telephone calls become flat fee, unlimited usage worldwide there will be incentive,'' said Gary Audin, president of consultancy Delphi, Inc., in Arlington, Va. Soft phones present particular risks for toll fraud because users can figure out how to bypass the network server and speak directly to a trunk gateway, said Audin.

But, as more and more people open up their IP PBXs and IP communication systems, then the hackers and the virus writers and the spammers will get more and more interested. Andrew Graydon, VoIPSA

Nora Freedman, research analyst for IDC in Framingham, Mass., reported that besides toll fraud, denial of service attacks have been seen in the VoIP space, particularly those targeting service providers.

Graydon also warned that spamming is finding its way through VoIP systems, and that it will become more common when VoIP reaches a critical mass, as it did with email. Spamming could present a greater productivity challenge to corporate users than email spam because of the time it would take to go through voicemails.

Audin reported that a new threat is what he calls "phone phishing.'' In that case users receive a voicemail from what seems to be a trusted source asking for personal or financial data. He cites one incident where employees were asked to confirm their corporate credit card account numbers with a return call to a phony voicemail box.

The experts said while there have been questions raised about security in mixed vendor VoIP environments, it is only one of the interoperability issues that managers face. Those issues include the fact that vendors rely on different standards, and that even when they use the same standards they are likely to add proprietary enhancements that aren't recognized by other vendors' equipment.

Those experts offered a variety of suggestions to help managers secure their VoIP networks.

• Check out two Web sites that list publicly-known VoIP vulnerabilities that have been addressed by vendors, although there probably are many more vulnerabilities that vendors haven't acknowledged. The sites: CVE and National Vulnerabilities Database. – Audin

• Managers, particularly those who are new to VoIP, should use the VoIPSA Security and Threat Taxonomy as a framework to build a request for proposals. – Freedman

• Be ready to include the VoIP network in the security audits required by regulations such as the Sarbanes–Oxley Act and Hipaa if the voice application ties into servers hosting financial or health data. – Audin

• Make sure you have a SIP-enabled firewall, which may require adding a software upgrade. – Graydon

• In planning a VoIP implementation, allow for an application-layer gateway that handles call and traffic analysis – Graydon

• In a multi-vendor environment, never assume that the security is equal at both ends of the call because vendors use different encryption standards and sometime no encryption. – Audin

• Look at Linux as a more secure platform than Windows for VoIP. – Freedman

• Carefully structure service-level agreements with VoIP service providers, covering factors such as acceptable amounts of downtime, call routing in case of a failover, and the default setting in terms of downtime prior to failover. – Freedman

• A virtual private network (VPN) offers good security for VoIP connections between branch locations, but it won't support external communications. – Graydon

• Look at systems and network management companies rather than hardware vendors to tighten security. – Freedman