Guide to VoIP security

New ways to hack VoIP aren't fatal if you're prepared for them

VoIP requires strict attention to security best practices

New exploits against VoIP continue to emerge, but experts say these demonstrations reveal the need for vigilant security and are not fatal flaws in the technology. At Black Hat this month researchers released hacking tools against VoIP signaling protocols H.323 and IAX as well as tools to insert audio into VoIP calls. At Defcon, a tool that automatically probes the Session Initiation Protocol for vulnerabilities was released to enable the covert piggy-backing of data over VoIP streams.

The problem lies not in VoIP technology but in its implementation, says Barrie Dempster, a senior security consultant for Next Generation Security Software. "If you apply traditional network security logic to VoIP you can make it as secure as any other protocol," he says.

Much of the notoriety of VoIP vulnerabilities comes because the technology is relatively new and its code wasn't necessarily written with security in mind - a problem that plagues many new technologies. Dempster cites ways to exploit Asterisk, the open source PBX, including buffer overflows. He says this and other weaknesses can be dealt with by removing the code for unused features and performing security audits on the features that are used. "The problem is not the specific vulnerabilities themselves. It's the maturity of the software. There hasn't been enough security review yet," he says.

The problem is well recognized, and known exploits are publicized to help develop defenses against them. For example, the industry group VoIP Security Alliance publishes a set of hacking tools on its site that it promotes as security tools to test that VoIP gear can withstand real-world attacks.

Securing VoIP is not insurmountable, says Peter Thermos, CTO of security consulting firm Palindrome Technologies. He revealed vulnerabilities in the Media Gateway Control Protocol (MGCP) that enable rerouting calls or cutting them off.
He also showed a vulnerability in ZRTP, a pending-standard, encrypted VoIP protocol that didn't encrypt the sounds of tones made by pressing phone buttons. That potentially left credit card numbers being entered over VoIP lines open to being picked off, he says.

The MGCP problem will ultimately require a change to the protocol itself, but in the meantime users can shore it up by blocking unauthorized access to the ports MGCP uses, Thermos says. The ZRTP problem involved the implementation of the protocol and has been addressed with a patch.

The best route for businesses implementing VoIP is to set individual security requirements ahead of time, which differ among companies, he says. A financial institution or government agency may need confidentiality and therefore more encryption than other businesses, he says. "The common mistake I see is that customers don't define their security requirements for their particular network, realize later that they need security, then perceive it as an additional cost," Thermos says. Getting security tools in place from the outset also better defends VoIP against threats not yet discovered, he says.

Despite the genuine possibilities of attack, some experts say that VoIP is more secure than the traditional public switched telephone network (PSTN). "The VoIP system is much more secure than traditional systems," says Ari Takanen, founder and CTO of Codenomicon, which makes software security-testing tools. Speaking at the recent VON Europe 2007 conference, he acknowledged VoIP vulnerabilities, but said they were not insurmountable. "IP systems are more exposed, but you have more security that you can install," he says. "If you don't use it - that's stupid."

Cullen Jennings, a distinguished engineer at Cisco's VoIP group, who also spoke at the conference, notes that PSTN caller ID is easily spoofed, and toll fraud via traditional PBXs is still common.
Jennings says PSTN reliability - the availability of dial tone nearly all the time - is one highly touted measure of the quality of service. But that does not mean the PSTN is invulnerable or even better than VoIP. "I'm not claiming the PSTN does not meet its [reliability] goals," he says, but that has no bearing on whether, for example, caller ID can be spoofed. "If the core network went down doesn't matter if the threat was to caller ID," he says.

The top threats to VoIP listed by the VON panel were:
  • Zero day problems for which vendors have not yet issued a fix.
  • Security not being turned on because it is too complex.
  • Vendor-specific vulnerabilities that are not addressed by best practices.
Ultimately businesses will not turn their backs on VoIP because they are worried about security, says Akif Arsoy, a VoIP product manager for Verisign. They will adopt it for integrated voice and data in a converged network. "End users make decisions on what am I getting [with VoIP] that I'm not getting today [with traditional voice]?" Arsoy says. Even so, expect more VoIP exploits to emerge over the near-term, says Thermos, who says he has already identified more signaling protocol weaknesses and implementation vulnerabilities. "We're just touching on the beginnings of many exploits that will be coming down the road," he says.
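
Thermos's interim MGCP mitigation, blocking unauthorized access to the ports MGCP uses, can be checked against a firewall rule list before it is deployed. The sketch below is an added example, not code from the article or from any vendor; the addresses, the rule format and the function names are constructed for illustration, and UDP 2427 and 2727 are MGCP's default gateway and call-agent ports.

```python
import ipaddress

# MGCP's default UDP ports: 2427 on gateways, 2727 on call agents.
GATEWAY_PORT, CALL_AGENT_PORT = 2427, 2727

# Constructed addressing plan (an assumption for this example).
CALL_AGENT = "10.30.0.5"   # the only host allowed to drive the gateways
GATEWAY = "10.20.0.10"     # a media gateway in 10.20.0.0/24
DATA_HOST = "10.10.0.77"   # an ordinary workstation on the data VLAN

# First-match rule lists: (action, source net, destination net, proto, dport).
# A dport of None means "any port".
WEAK_ACL = [
    ("permit", "10.0.0.0/8", "10.0.0.0/8", "udp", None),
]
HARDENED_ACL = [
    ("permit", "10.30.0.5/32", "10.20.0.0/24", "udp", GATEWAY_PORT),
    ("permit", "10.20.0.0/24", "10.30.0.5/32", "udp", CALL_AGENT_PORT),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", "udp", None),
]


def evaluate(acl, src, dst, proto, dport):
    """Return the action of the first matching rule; the default is deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_proto, rule_port in acl:
        if (rule_proto == proto
                and s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, dport)):
            return action
    return "deny"


# Each probe: (description, source, destination, dport, expected action).
PROBES = [
    ("call agent -> gateway", CALL_AGENT, GATEWAY, GATEWAY_PORT, "permit"),
    ("gateway -> call agent", GATEWAY, CALL_AGENT, CALL_AGENT_PORT, "permit"),
    ("data host -> gateway", DATA_HOST, GATEWAY, GATEWAY_PORT, "deny"),
    ("data host -> call agent", DATA_HOST, CALL_AGENT, CALL_AGENT_PORT, "deny"),
]


def audit_mgcp(acl):
    """List every probe whose outcome differs from the intended policy."""
    findings = []
    for name, src, dst, dport, expected in PROBES:
        actual = evaluate(acl, src, dst, "udp", dport)
        if actual != expected:
            # EXPOSED: an unauthorized source reaches an MGCP port.
            # BROKEN: legitimate signaling would be cut off.
            kind = "EXPOSED" if actual == "permit" else "BROKEN"
            findings.append(f"{kind}: {name} udp/{dport} is {actual}")
    return findings


if __name__ == "__main__":
    for label, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(label, audit_mgcp(acl) or "OK")
```

The audit flags both directions: a rule set that lets a data-VLAN host reach an MGCP port, and one so tight that the call agent can no longer signal its own gateways.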


When it comes to deploying VoIP systems, making security a top priority can save an organization the expense and headache of having to retrofit protection after a network is built, not to mention avoiding the pain caused by any VoIP-specific exploit. One way to ensure security is a priority from the start is to choose VoIP infrastructure products - namely IP PBXes - that include security measures or that integrate well with outside security offerings.

The level of security that's integrated with different VoIP infrastructure products can vary greatly. "Because of VoIP's proprietary nature, the security of a Cisco VoIP system is different from one from Avaya, which is different from securing Nortel," says Lawrence Orans, a research director at Gartner.

The following are just some of the questions enterprises should ask their VoIP infrastructure vendors to help them understand the level of security offered by their products:

1.) Does the vendor sell security appliances that sit in front of the IP PBX to protect voice traffic? If so, what protocols does the appliance work with? If not, is there an adequate selection of third-party security products that work with the vendor's infrastructure equipment?
2.) Is the security appliance default-configured to work with VoIP traffic? According to Orans, Nortel is the only big North American IP PBX vendor that sells a firewall preconfigured to work with VoIP traffic. "This shows a lack of maturity in the market; only one vendor has taken the steps to do it," he says. Since VoIP security expertise is still an emerging specialty, it's worth it to have the vendors do the preconfiguring for these products to work together rather than possibly having to hire an outside consultant to do it.
3.) Do these products also offer features such as encryption and authentication of VoIP traffic? Such features are particularly important if an enterprise is planning to run VoIP traffic across the Internet.
Customers should also determine how complex configuring these features can be.
4.) Do the VoIP applications that run on these offer adequate security, such as multilevel administration features so that access to all management features isn't granted to administrators when it's not necessary? For example, an application should be able to grant one administrator rights to user management and another to dialing plans without having to expose all rights to all managers.
5.) Enterprises should ask if prospective VoIP security products work with the IETF's Session Initiation Protocol (SIP), the standard towards which many experts believe the market will eventually shift, as well as the proprietary protocol used by the vendor's IP PBX.

As VoIP installations multiply across the corporate landscape, so do products aiming to secure these communications. While many of the vendors that manufacture VoIP infrastructure products sell dedicated security products as well, there is also a market of third-party security offerings designed specifically for VoIP equipment that look to add much of the same protection to voice traffic that traditional firewalls, intrusion-protection systems, and other security offerings do in the data world. Highlighted by startups with significant venture-capital funding behind them, such as Sipera Networks and Covergence, this market for third-party VoIP security products is gaining ground.

Third-party VoIP security products offer features ranging from firewall protection to intrusion prevention to encryption and authentication - all designed to heighten VoIP security to a level of enterprise acceptance. In order to ensure an organization is getting the most protection possible from its third-party VoIP security products, the following questions should be asked of any potential vendor:

1.) Which types of threats does your product protect against?
Ideally an organization wants to secure itself from all of the threats known to the data world -- including spam, phishing, viruses, intrusion, information theft, and others -- as well as exploits specific to voice communications, such as eavesdropping. If multiple products are necessary to achieve this coverage, ask how well they would work together.
2.) What voice protocols does your product support? Listen closely to the answer to this question, as protocol support can be a confusing issue in the voice world. "There are multiple flavors of SIP [the IETF's Session Initiation Protocol], so even if two companies say they support SIP, they may not interoperate," warns Mark Slaga, chief technology officer with Dimension Data, an IT services company that has installed enterprise VoIP systems and also offers security testing of existing systems.
3.) What kinds of advanced security features are offered? Encryption is emerging as a must for VoIP communications, particularly when voice traffic travels out across the open Internet. Other advanced security features include authentication, spam and virus filtering, and enabling security policies based on user, group, device, or other characteristic.
4.) How difficult is it to implement the advanced security features? If these features, particularly encryption and granular policy control, require a customer to call in VoIP security experts to configure, it's best to find that out up front.


Lawrence Orans, a research director with Gartner, says some of these threats are overblown and aren't likely to happen in a corporate setting. Frank Dzubeck, president of Communications Network Architects, which analyzes the industry, believes that given the lack of security built into IP, anything can happen. Network World Senior Editor Cara Garretson spoke with both, aiming to separate hype from reality.

How serious are security threats to VoIP systems?

LO: First of all, I'd like to clarify the term voice over IP. Voice over IP is an umbrella term. We see it used for all forms of packetized voice, whether it's Internet telephony, such as Skype, or Internet telephony services provided by cable operators. We also see Voice over IP used interchangeably with IP telephony, which is very much enterprise focused. And there the problems are very real. [VoIP] is really just another application running over the network, and it's been the most reliable, so any outage or security breach is just a huge problem. The lack of high-profile attacks has lulled people into a false sense of security. However, the actual threats are very real. With IP telephony, we've got a second computer on someone's desk; the IP telephony handset has memory, and it's got an operating system. True, it's a hardened appliance, but still it can be attacked. The PBX server itself, that can also be attacked. And also the protocols themselves, many of the signaling protocols are still relatively new or they're proprietary, so in either case they've not undergone a level of scrutiny for security vulnerabilities as a more mature protocol. So overall I would say the threats are very real and the key thing is to understand the issue well enough so that you can separate the overhyped threats from the real threats.

FD: The issue is IP itself. IP was never designed with security in mind.
Voice over IP, correct, it's an application, and as an application inside the enterprise it's going to be a pervasive application. But the issue is . . . it has all the vulnerabilities. If you don't take a look at the security aspects upfront for voice over IP, then you stand a tremendous disaster staring you in the face, because the holes will occur. I'm in one bit of disagreement with what was said previously [by Orans] and that is . . . the evolution into the Internet space is not a subtlety; it's a significant piece of this puzzle. Integrating the Voice over IP that may be [on a LAN] and the Voice over IP that's going to be Internet-based is going to become a reality . . . and if we don't kill the security aspects now, we never will.

Reports of eavesdropping on VoIP calls make great headlines, but are these things really happening on corporate networks?

LO: Eavesdropping is one example of an overhyped threat. Sure, it's technically possible to execute a man-in-the-middle attack and capture packets, but let's discuss it in the context of IP telephony, which is really a LAN-based system. To capture packets on a LAN, it typically requires physical proximity - that the easiest way to do it is to be right there in the building. The typical scenario is Joe Smith in the mail room is capturing conversations from the CEO. But Joe Smith could do the same thing just as easily with e-mail, and most organizations aren't concerned with e-mail eavesdropping, most are not encrypting e-mail, so why would you encrypt voice? The reason that we hear so much about eavesdropping is that it really does elicit this visceral reaction. The main thing is to focus on the greater threats, for example attacking an IP PBX server itself.

FD: I agree [eavesdropping] is overhyped, but perception is reality. I believe encryption is the kind of thing that makes everyone feel better, so even though the threat may be overhyped, the fact is encryption is available.
We should encrypt our voice inside the LAN, and I'm also a believer of doing that exact same thing with respect to data and video in the long run.

What about spam over Internet telephony, or SPIT? How real is that threat?

LO: This is an example of another overhyped threat. Technically, sure, SPIT is possible, but the key problem here is the business model, not the technology. We've all received spam, and the transaction model is very different for spam than for SPIT. With spam, you get an e-mail message, and you say, yes, I want to refinance my mortgage, so you click [on the Web link], and all of a sudden you're entering into that transaction. In other words, spam works. With SPIT, it's a totally different story. If I receive the message in my voice mail box, how do I complete the transaction? Do I have to copy down the URL and walk over to my computer? Do I have to call someone back? It's a totally different business model. The other issue is a legal issue. In the U.S. we have Do Not Call lists. So there's a legal deterrent and a business-model deterrent, and both of these are against the SPIT model. I believe that's why we haven't seen much SPIT to date.

FD: I'm in total agreement on the legal issue - there are 137 million people registered on the Do Not Call list; it's the most successful program I know of in the federal environment. But I see a version of this [voice over IP spam] coming in the future. There's one wireless company called O2, and whenever I get into a country where O2 has a presence, even though I'm using [a different carrier] at the moment, I get a text message saying welcome to O2. I didn't request getting connected, but I get a text message welcoming me.

Using a letter grade of A, B, C, etc., how well would you say most organizations are securing their IP telephony environments?

FD: It's not an IP telephony or voice over IP issue; it's an IP issue, one should not get lulled into the suspicion that IP or the layers above it are secure.
That said, I'd give a grade of probably B+. Very few are A's, and very few are F's; a lot of them are in the midrange. But they haven't experienced anything, so they're not under attack.

LO: I'm a tougher grader, I would give most organizations a D. Most people don't truly understand the risks that are out there, which stems from the fact that there's a gap between a security professional and a voice professional, and they don't understand each other's worlds that well. So if you add this all up, people are just very complacent and very much at risk.

What do you see happening in the next 3 to 5 years regarding VoIP threats?

FD: You're going to see a serious issue come up, whether it be like Lawrence says at the server level or a massive denial-of-service attack at the desktop level in a large corporate entity within the next 24 months. The reason being that the opportunity is going to present itself, and the hole is going to exist.

LO: I do agree that it's only a matter of time before we see attacks against these systems. We've already seen vulnerabilities against PBXs, against handsets, so it's only a matter of time before we see execution against these vulnerabilities.


Securing VoIP networks has long taken a back seat to numerous other corporate IT priorities because while threats to these systems are known, there has yet to be a high-profile exploit to demonstrate the need for VoIP security. But times are changing.

In the summer of 2006, two men were caught illegally routing calls over service provider Net2Phone's VoIP network. Also last year, the first VoIP phishing scam was launched that directed e-mail recipients to call an 800 number connecting them with a VoIP system that spoofed their bank and stole their personal information. While these examples represent minor pain compared to the widespread damage that worms, viruses, and other attacks have caused in the e-mail, Web, and instant-messaging worlds, they illustrate the point that VoIP security needs to be taken seriously. "Most organizations are too complacent and not placing the proper focus on protecting their VoIP systems," says Lawrence Orans, a research director at Gartner.

The major threats to VoIP are not so different from those that plague the data world: denial-of-service (DoS) attacks, viruses, spam, and spoofing. But there are a few unique threats to the voice world, such as eavesdropping. Accordingly, securing VoIP traffic is not unlike protecting data traffic, except that there are vastly fewer companies and products focusing on the voice component at this point in time.

Firewalls, intrusion-prevention systems, and other security elements that have become standard components of data networks are still emerging for VoIP, despite the rapid adoption of the underlying VoIP technology; IDC says VoIP expenditures hit $2.9 billion last year, and are expected to grow to $6.9 billion by 2011. "Security products need to understand voice protocols," says Mark Bornstein, manager of security marketing with Cisco. "We have to supply the same security standards to all types of traffic."
While enterprises can't yet rely on most of today's data-centric security products to protect their voice traffic, security offerings specifically designed for VoIP are emerging. Cisco's Adaptive Security Appliance, for example, offers firewall, intrusion prevention, and content filtering features for traffic that uses a number of voice protocols, including Session Initiation Protocol (SIP) and Skinny Client Control Protocol (SCCP), Cisco's proprietary protocol. Other IP PBX makers, including Nortel, Avaya, 3Com, and others, also sell security devices that sit in front of their voice equipment to protect that traffic.

Additionally, there's a growing market for third-party VoIP products. Companies including Sipera, Ingate, SecureLogix, Borderware, CheckPoint, and others make SIP firewalls, although Gartner's Orans says most enterprises are not yet using SIP, depending instead on the proprietary protocols that their IP PBX equipment vendors offer and their related security equipment.

Another market that's forming around VoIP security is session border controllers, which enable two different VoIP providers to connect their networks, and often add security measures such as authentication and encryption to voice traffic. These products from companies such as Covergence, NexTone, Acme Packet, Ditech Communications, and others, are considered particularly useful for companies looking to deploy VoIP outside of a single domain.

In addition to deploying VoIP-specific security products, enterprises can protect their IP telephony systems by ensuring that these, as well as their existing data networks, operating systems, and applications, follow best practices in security. "You have to apply the same hardening strategy [to VoIP networks] as you do to a normal data network," says David Endler, chairman of the VoIP Security Alliance and director of security research for TippingPoint. "But you can't have blinders on to just the VoIP system, you have to look at your entire environment."

Basic steps such as changing default passwords on all software - including products that may not seem related to the VoIP network but can affect it, such as third-party management tools - as well as applying operating system patches in a timely fashion can help protect enterprises from VoIP threats, says Endler. Also, architecting networks so that VoIP traffic is segmented from the data network by a firewall can prevent an intruder or malware that penetrates one virtual LAN from getting at the other.

Implementing quality-of-service (QoS) policies that prioritize certain types of traffic is essential for VoIP networks, Endler says. In the case of a DoS attack or other such event that impacts network performance, VoIP traffic will be most sensitive to degradation that could render the voice network unusable. "VoIP applications really take some of the existing security threats inherited from the data network world and expand the severity because VoIP is just like any other data application, except that it's very unforgiving," Endler says.

Since VoIP security is still a relatively new concept and not thoroughly understood by IT departments, many are turning to VoIP security assessments by third parties to help identify weaknesses and reinforce systems. Assessments are available from a number of service providers including Verizon Business, AT&T, and Sprint, as well as a host of testing companies. While these assessments can run in the tens of thousands of dollars, that cost pales in comparison to the toll of becoming the victim of a high-profile VoIP exploit.