Voice over IP and Security
VoIP Security Concerns
Every technology comes with vulnerabilities, and VoIP is no exception. Because consumers of voice over internet services expect a certain level of quality, quality has been the primary focus for developers and providers. As VoIP matures, however, more attention is being given to security. There are measures you can take to reduce your exposure to attacks and to malicious individuals who would love to take something from you.
Here are a few ways VoIP can be abused, and a few suggestions on what you can do about it. As is often the case, awareness is the first step in providing good security to your VoIP system and the data it carries.
Eavesdropping
It is certainly possible to listen in on VoIP calls. Even though VoIP is a digital process, tools exist that allow system administrators to troubleshoot their systems, and those same tools can be abused by dishonest people looking to damage or steal.
Packet sniffers can capture raw packets of data from your VoIP communications. Once enough packets have been captured, they can be used to reconstruct enough authentication information to gain access to accounts and configuration portals.
There are also tools that will record and play back VoIP calls by capturing the data stream and decoding it into audio files.
Combating Eavesdropping – There are a number of ways to enhance the security of your VoIP communications.
One is to use encryption on your VoIP system. You might be surprised to find out that the VoIP data stream is not encrypted. Developers of VoIP have traditionally been more concerned with quality than security, and every form of encryption has overhead which slows down the process of converting, transmitting and reconverting the sound of your voice. There are devices that use encryption to secure the data transmitted. Ask your provider about secure SIP.
Make sure all your users are using good authentication methods. Weak or easily guessed usernames and passwords just make it easier for bad guys to figure out how to get in. Once in, they can do anything you can do.
If you are running a larger system, separate your VoIP network from your regular data network. This adds a layer of protection by making it more difficult to access the VoIP data stream in the first place. If you can’t separate it physically, put it on a virtual LAN by itself.
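To make the encryption recommendation above concrete, the following added example (not part of the original article) audits a SIP INVITE for cleartext signaling and unencrypted media. The INVITE is constructed sample data, and the SRTP profile names come from the SIP/SDP standards rather than from this page.

```python
# Added example: flag cleartext signaling and media in a SIP INVITE.
# SAMPLE_INVITE is constructed sample data, not a real capture.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# SDP media profiles that carry SRTP (encrypted RTP).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF",
                 "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(msg):
    """Return a list of findings; an empty list means nothing was flagged."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    findings = []
    # Request line: METHOD request-URI SIP/2.0
    if not lines[0].split()[1].lower().startswith("sips:"):
        findings.append("request URI is not sips:")
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):      # "v" is the compact form
            transport = value.split()[0].rsplit("/", 1)[-1].upper()
            if transport not in ("TLS", "WSS"):
                findings.append(f"Via transport {transport} is cleartext")
    for line in body.split("\r\n"):
        if line.startswith("m="):                     # m=<media> <port> <proto> <fmt>
            proto = line.split()[2]
            if proto not in SRTP_PROFILES:
                findings.append(f"media profile {proto} is unencrypted RTP")
    return findings

if __name__ == "__main__":
    for finding in audit_invite(SAMPLE_INVITE):
        print(finding)
```
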
Spam over Internet Telephony: SPIT
It is possible to send unwanted voicemails to VoIP accounts. It is also possible for those spam messages to contain viruses or spyware. Look into a VoIP firewall or filtering to prevent this.
Phreaking: Stealing Service
The ability to use packet sniffers to collect authentication information can allow capable thieves to steal the use of network resources. Theft of service is still a problem in the telecommunications industry. Some telecom companies are running VoIP traffic over private networks, bypassing the public Internet altogether.
Vishing: Phishing using VoIP
The power that VoIP brings to legitimate users is also available to illegitimate users. People who previously avoided using the telephone to con people into giving out personal data are now figuring out ways to use the features of VoIP PBX systems to their advantage.
Using the power inherent in account configuration software, vishers can create fake phone numbers and manipulate Caller ID to display the names and numbers of trusted institutions. They can automate the vishing process by setting up prompts and recording responses, work from anywhere and move operations quickly.
Protections that are effective against phishing apply to vishing. Mainly, don’t give account or other personal data to people until you have thoroughly verified their identity. While this might seem simple, the violation of this basic rule is what allows phishing to work.
Call Tampering
A malicious individual can create problems for VoIP users by disrupting calls in progress. An attacker can introduce noise or interrupt the flow of packets, rendering the call unusable or at least unpleasant.
Man-in-the-Middle and Denial-of-Service
In a Man-in-the-Middle attack, the attacker collects signaling data and then masquerades as the calling party.
Denial-of-Service attacks are aimed at making your entire system useless by flooding the network with traffic or overloading a device’s internal resources.
Call Tampering, Man-in-the-Middle and Denial-of-Service are generally rare, and are more likely to happen to major corporate clients or service providers than to small businesses or residential customers. It is good, however, to be aware of these practices.
Vunneling
In 2009 the US Defense Information Services Agency issued a guide which included details of an information security threat discovered by the Illinois Institute of Technology. An outsider gains access to data on your file servers by tunneling through a VoIP call. Here’s how.
VoIP uses two data streams to do its business, SIP and RTP. The SIP stream starts and finishes the session. The RTP stream contains the voice data. The RTP stream is very difficult to monitor because the time it takes to examine packets introduces unwanted latency in the communication process which end-users do not want. For this reason corporate firewalls are often configured to allow the RTP stream to flow, assuming that all the packets in that stream belong to the stream.
Someone figured out a way to tunnel into that stream, thereby getting their packets in and out without detection. This was termed Vunneling.
Vunneling, like Man-in-the-Middle, Denial-of-Service and Call Tampering, is not something most small businesses will ever face, but it is always a good idea to be aware of the existence of threats like these. Who knows, your business could grow big enough to become a target someday.
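The firewall assumption described above, that every packet on the RTP port belongs to the call, can be checked cheaply from headers alone. The following added example (not from the original article or the guide it cites) parses RTP headers per RFC 3550 and flags packets that do not fit the negotiated stream. It assumes G.711 audio at 20 ms per packet with no silence suppression, and the sample packets are constructed.

```python
import struct

def parse_rtp(pkt):
    """Parse an RTP header (RFC 3550). Returns a dict, or None if malformed."""
    if len(pkt) < 12:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:                          # RTP version must be 2
        return None
    hdr = 12 + 4 * (b0 & 0x0F)                # skip the CSRC list
    if b0 & 0x10:                             # header extension present
        if len(pkt) < hdr + 4:
            return None
        hdr += 4 + 4 * struct.unpack("!H", pkt[hdr + 2:hdr + 4])[0]
    pad = pkt[-1] if b0 & 0x20 else 0         # padding count is the last byte
    if hdr + pad > len(pkt):
        return None
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc,
            "payload_len": len(pkt) - hdr - pad}

def check_stream(packets, pt=0, payload_len=160, ts_step=160):
    """Return (index, reason) for packets that do not fit the negotiated call.
    Defaults are an assumption: G.711 (payload type 0), 20 ms per packet."""
    alerts, prev = [], None
    for i, raw in enumerate(packets):
        h = parse_rtp(raw)
        if h is None:
            alerts.append((i, "not RTP"))
            continue
        if h["pt"] != pt:
            alerts.append((i, "payload type %d not negotiated" % h["pt"]))
        if h["payload_len"] != payload_len:
            alerts.append((i, "payload length %d" % h["payload_len"]))
        if prev is not None:
            dseq = (h["seq"] - prev["seq"]) & 0xFFFF
            dts = (h["ts"] - prev["ts"]) & 0xFFFFFFFF
            if h["ssrc"] != prev["ssrc"]:
                alerts.append((i, "SSRC changed"))
            elif dts != dseq * ts_step:       # tolerates loss, not clock jumps
                alerts.append((i, "timestamp inconsistent with sequence"))
        prev = h
    return alerts

def make_rtp(seq, ts, ssrc=0x1234ABCD, pt=0, payload=b"\xff" * 160):
    """Build a constructed sample packet (version 2, no CSRC or extension)."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload

# Constructed sample stream: two normal packets, then three that do not fit.
SAMPLE = [make_rtp(1, 160), make_rtp(2, 320),
          make_rtp(3, 480, payload=b"not-audio-data"),
          make_rtp(4, 640, pt=96),
          b"\x16\x03\x01\x00\x05hello"]
```

These are structural checks on headers and sizes only; they do not decode the audio, so they work as a low-latency first filter rather than full inspection.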
Conclusion
Security of any communications system is a constantly moving target. Changes in technology, equipment and even business practices create new ways for dishonest people to exploit others. If your business or personal telephone conversations are of a sensitive nature, you will want to work with your providers to ensure adequate measures are being taken to protect your information.


