VOIP More Vulnerable

Hear that? That's the sound of hackers starting to wield the latest VOIP hacking tools

If you're talking over your IP network right now, then voice-over-IP should be at the top of your security priorities for next year.

Securing enterprise IP voice hasn't been on most organizations' radar screens, mostly because VOIP so far hasn't been a popular target of attackers or bug hunters, nor have many organizations torn out their traditional voice systems altogether, anyway. But security experts say it's time to make VOIP security a priority.

For one thing, the cat's out of the bag: VOIP hacking tools, that is, are widely available now. "There had not been widespread availability of those tools until now," says Dan York, best practices chair for the Voice Over IP Security Alliance (VOIPSA) and director of IP technology for Mitel. "Now there will be more interest in [VOIP]...and the cool kids will start hacking VOIP."

David Endler, director of security research for TippingPoint, and co-author of a new book called Hacking Exposed: VOIP has released over 20 VOIP hacking tools that he and co-author, Mark Collier, CTO of SecureLogix, wrote while researching the book. The tools cover everything from denial-of-service to adding audio to active IP calls.

"There's not a lot of research here yet. VOIP is still a nascent market," Endler says. "VOIP is following the same path as other technologies. It was considered a killer app, and it was widely deployed and security wasn't addressed until afterward," he says.

"Today, attacks are just on a network and VOIP is this collateral damage," he says.

But Endler expects all that to change in '07. "There are going to be more attacks targeted at VOIP." VOIP is basically just another app running over the IP backbone, so it's susceptible to most network-based attacks. The main ones associated with VOIP are denial-of-service and sniffing or intercepting traffic.

But the big black hole in VOIP security is with the Session Initiation Protocol (SIP) trunking area, says VOIPSA's York. SIP trunking basically lets you bypass the PSTN and use your Internet connection to link to a VOIP service provider, for instance. "A lot of new startups are rushing to provide SIP trunking, but not looking at security," he says.

That leaves endpoints wide open to attack, he says. There are plenty of these types of attacks going on right now, he adds. "And there are tools out there for attacking SIP endpoints."

But Lawrence Orans, research director with Gartner, says while the focus has been on SIP security, enterprises are really still mostly implementing proprietary signaling protocols in their IP telephony systems. "You need to secure the proprietary signaling in firewalls and IPSes," Orans says. "There should be more focus on firewalls and IPSes better protecting PBX servers."

And remember, that the Windows server your Cisco Call Manager application runs on has holes of its own, too, aside from the holes VOIP hacker tools can poke in VOIP applications. "Any VOIP system runs on the same vulnerable components" that viruses and worms target, TippingPoint's Endler says.

That means attacks against management interfaces, call control systems, and voice frames, York says. One way to protect voice content is encryption: "Confidentiality is one thing that's big in ensuring phone calls are secure...basic encryption solves a lot of that."

VOIP may be where Oracle databases were security-wise a couple of years ago, says Nicolas Fischbach, senior manager for network engineering/security at Colt Telecom. "[It's] a key system, not patched because it's too critical, no hardening because of laziness or 'it always worked like that,' so it's also easy to own," he says. "But things are going to change."

— Kelly Jackson Higgins, Senior Editor, Dark Reading

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights