Wiretapping Just The Start of VoIP’s Security Woes

Security experts are once more urging businesses and consumers be wary of wiretapped Voice over IP (VoIP) calls — as well as the vast number of potentially worse IP telephony vulnerabilities to which they may be exposed.

Last week, U.K. security researcher Peter Cox introduced a proof-of-concept that showed how easily Voice over IP phone calls could be intercepted. Cox, the former chief technology officer and co-founder of security vendor Borderware, successfully captured phone calls over a period of several months with a prototype Session Initiation Protocol (SIP) call monitoring tool.

The demonstration came as only the latest reminder that VoIP is vulnerable to monitoring. But experts warn that wiretapping is only the tip of the iceberg.

“In the grand scheme of things, it’s rather small,” said Forrester Research Analyst Paul Stamp. “This is something people implementing VoIP systems have known for a long time. But it’s certainly not the biggest vulnerability in the system.”

With VoIP on the rise, there’s plenty of reason to be concerned about all of those vulnerabilities. According to a survey of telephony carriers conducted by IBM’s Internet Security Systems (ISS), almost 85 percent of phone service providers will roll out an IP-based architecture for their services within the next five years.

And while 87 percent of the participants in ISS’s survey believed that these “next-generation networks” would fail without strong security measures, only 46 percent said their companies had a plan in place for dealing with the security issues involved with the shift.

That might come as something of a surprise, since it’s not as if the threat of call interception is anything new.

“There have been tools available for a very long time that allow someone to listen into VoIP calls,” said Tom Cross, X-Force Researcher at IBM ISS. “A lot of people in IT have this perception that you can’t snoop on a switched network. But you can, using a technique called [Address Resolution Protocol] cache poisoning.”

Address Resolution Protocol (ARP) cache poisoning, also known as ARP spoofing, is a way of inserting a device on a switched Ethernet network between two other devices, masquerading as the intended device while passing traffic along.

“There’s a tool called Cain and Able, which has been out for some time that will do ARP cache poisoning,” Cross said. “If those devices happen to be VoIP phones, it’s trivial to record the conversation and play it back.”

The risk of monitoring needs to be considered by anyone implementing VoIP, Cross said, especially since VoIP encryption isn’t necessarily an option yet for many users.

“Out of the box, a lot of this stuff doesn’t have encryption built in, or it’s not turned on,” he said. “The standards for how to encrypt VoIP are still being worked out –a lot of vendors have different solutions for that, and they’re not necessarily interoperable.”

But as vulnerable as VoIP may be to monitoring, it’s much more exposed to other potential threats, experts warned.

“I think people realize that there’s a possibility to do [wiretapping], and in many cases, have accepted that risk, given that you’ve got a lot bigger fish to fry,” said Stamp. “Most of the vulnerabilities out there have to do with availability and what you can do to make sure that there won’t be dial-tone for the person on the other end.”

Researchers said that on the whole, threats facing VoIP networks are similar to those confronting any other networked services — denial of service attacks, software vulnerabilities, and other exploits with which most security professionals are already familiar.

“It’s important that you make sure your VoIP phones and infrastructure are all patched and up-to-date,” Cross said. “And tools like IPS technologies that we’ve used for years to protect operating systems and servers — they can be deployed to protect VoIP systems as well.”

Continued on Page 2.

However, unlike most data networks, enterprise VoIP networks don’t always fall under the jurisdiction of corporate IT departments, which Cross sees as a potential point of concern.

“Often in organizations, the phone system is not run by the IT department — it’s often run by a facilities group that runs things like HVAC and other building services,” he said. “And those guys don’t necessarily have the kind of processes in place for managing software systems that IT departments have. It’s just not something they’ve had to deal with in the past.”

While VoIP networks are as susceptible to denial-of-service attacks as any other networked service, “denial-of-quality is also a concern,” Cross said. That’s due to the fact that even a small degradation in service quality can have the effect of knocking out VoIP calling.

“Because Voice over IP has very strict latency requirements, it’s very easy for a small network flood attack to affect it,” he said. “Whereas with SMTP or other services, you might not notice a degradation of services as quickly.”

The problem multiplies if you’re using a single network for voice and data, said Stamp. “If you’ve got a converged data and voice network, the sum of those parts has a greater business value than they do separately. If someone brings it down, you can’t use your data network, and you can’t pick up your phone to call anyone to help you bring it back up, either.”

And like any other networked computer, VoIP systems are vulnerable to remote code execution attacks. In July, ISS discovered two such vulnerabilities in Cisco Systems’ Cisco Call Manager that could have been used to cause a denial of service to VoIP users, or to potentially allow someone to gain unauthorized access by executing a program on the system, Cross said.

Nearly every enterprise VoIP system has what Cross called a “media gateway” at its center, running on top of either the Windows or Linux operating system.

“They are the heart of a VoIP network,” Cross said. “They have all the voice mail stored on them, and the provisioning information… if someone were to gain control of one of them, they’d have complete control over the phone systems.”

“A lot of those attacks are similar to the kinds of remote code execution attacks that we see against traditional operating systems,” he added.

Also of concern is remote code execution against VoIP phones themselves, which Cisco, for instance, first warned about more than two years ago.

“If it’s a VoIP phone, it’s really a computer,” Cross said. “If someone is able to exploit one of the services running on that computer, they could take control of it and turn on the microphone and push the audio somewhere, essentially using it as a listening device.”

One particularly scary example Cross cited is a UT Starcom wireless handset, first reported in late 2005.

“It came out of the box with a telnet port on it,” he said. “You could telnet into it, and the default password was fairly trivial to guess. It was as simple as telnetting to the phone and logging in, and you’d have complete control over the phone.”

News Around the Web