April 23rd, 2008 by Sachin Joglekar
A few weeks ago I came across an interesting article about one more “vishing” attack, which targeted the customers of multiple financial institutions. This adds to the list of other vishing attacks that have been discovered in the past. Essentially, the scammers hacked into a web-based email system to send fraudulent text messages to millions of mobile phone users asking them to call a specific phone number. The phone number belonged to a fake IVR system which was set up using VoIP. This is a classic example of how scammers can use VoIP to exploit the trust that the average phone user puts in his/her phone. ISS has a good paper on vishing which talks about other ways to initiate attacks (such as email, voicemail, or a live call). This attack and others, where VoIP is hacked to get to the data side or used as part of a bigger well-orchestrated data-side attack, show how VoIP is increasingly being used as an effective tool in hackers’ arsenal. Consequently, to secure your VoIP network effectively, you must understand the security threats coming from the data side and vice versa.
Here are some of the other “vishing” attacks in the news over the last two years targeting the financial sector:
June 2006: Santa Barbara Trust vishing scheme emails users a message indicating 3 unsuccessful account login attempts and prompts the user to call a customer service number.
July 2006: PayPal vishing scheme prompts users to verify credit card information.
December 2006: Fort Bragg Federal Credit Union reported targeted vishing attack that asked customers to verify account information due to a virus attack.
March 2007: Bank of America targeted in vishing scheme.
July 2007: South Korea reported losses of approximately $43.6 million from June 2006 through July 2007 due to vishing attacks.
September 2007: First Technology Credit Union customers had cumulative losses of less than $1,000 from two customers in a targeted vishing attack.
October 2007: Phishers send an email purporting to be from CUNA, a national trade organization for credit unions. The email prompts recipients to call an 800 number in response to questionable activity on their check card.
October 2007: Largest vishing gang caught after bilking 25 Koreans out of approximately $38,000.
January 2008: Attack directed at Bank of Stanly utilizes an automated calling system, which randomly calls individuals reporting account problems and prompts them for account information.
Posted in: VoIP Security, Data-to-VoIP attacks
April 13th, 2008 by Sachin Joglekar
First of all, let me make it clear that this discussion is by no means a complete guide to VoIP security. You should also refer to other available white papers (Sipera has one) and standard publications (e.g., this) to thoroughly assess your requirements. However, this post is meant to be a good starting point for implementing some of the very essential security practices and mechanisms for your VoIP network.
In my previous blog posts, I discussed the availability of VoIP exploits in the wild and how classic IP network attacks apply to VoIP as well. These posts and background bring us to the obvious question: “What are the must-have characteristics of a VoIP security solution?” “Solution” is picked deliberately because you need to take a comprehensive approach to securing your VoIP network, including threat modeling, network reconfiguration, implementing application-level security, and monitoring and control tools. These requirements can be broadly classified in the following categories:
Threat modeling
A threat is any possible intentional or unintentional activity that can cause damage to your computer system and your business in general. The objective of threat modeling is to carefully analyze application trust boundaries, identify assets, decompose applications, map data flows, rate threats based on risk, and formulate threat mitigation strategies. Standard threat categorization and risk rating models such as STRIDE (Microsoft), CVSS (Common Vulnerability Scoring System, US DHS), OCTAVE (Carnegie Mellon), and DREAD can be used to develop a threat model for your VoIP deployment. Additionally, since VoIP is a real-time IP communications application, its exposure to some additional threats such as QoS degradation and toll fraud is many times greater than that of PSTN phones. For such threats, a more specific threat taxonomy such as the VOIPSA threat taxonomy may be used.
Layer 2 to 4 must-haves–
Here are some basic security measures you can implement that will go a long way in protecting your VoIP network from classic network-level attacks.
Network segmentation and traffic prioritization: VoIP shares the same LAN with other data applications such as HTTP traffic and email traffic. To ensure that you prioritize the VoIP traffic over other traffic you will need to implement virtual LANs (VLANs). However, keep in mind that a VLAN is not a security mechanism; it just isolates the LANs.
Layer 2 authentication: Enforcing layer 2 authentication, such as IEEE 802.1x (both wired and wireless), is essential for preventing many attacks that rely on IP connectivity. However, 802.1x support is not very common in IP phones and Wi-Fi phones. Among other attacks, without this authentication the network is open for VoIP hopping attacks.
Transport layer encryption with mutual authentication: VoIP signaling traffic must be encrypted to prevent VoIP signaling attacks such as registration hijacking, call hijacking, and message tampering. Additionally, it prevents traffic analysis and application-level authentication replay. Mutual authentication must be enforced to prevent spoofing and impersonation attacks. Typically, these goals are achieved with TLS.
Application-level must-haves–
In addition to having TCP/IP and layer 2 protections, VoIP must also be protected against application-level attacks like any other complex application such as web server and email. Here are some essential application-level security mechanisms that you must have.
Authentication and authorization policy enforcement: Application-level authentication and authorization ensures that only legitimate users can access the authorized service from an allowed device. This becomes important when you have international/toll dialing or in a rich unified communications network.
VoIP QoS monitoring: Unlike email, voice is a real-time application and poor quality voice is equivalent to denial of service. Voice quality must be actively monitored and any security appliance that handles VoIP media traffic should not degrade the voice quality.
Service availability guarantee: Application-level request flood attacks are very easy to launch but very difficult to prevent. Although the risk of such attacks is increased when using unencrypted signaling transport, misconfigured phones and infected soft phones may also generate a flood of traffic and cause a denial of service. One must apply a sophisticated, application-level intrusion prevention system (IPS) which guarantees legitimate call protection under attack conditions.
Patch management: Unlike old PSTN phones, IP phones use software programs running on either custom hardware or general-purpose PCs. This is a mind shift and you must include these phones under your patch management schedule. You must also monitor vulnerabilities being discovered in the phones that you have deployed and keep the software patches up-to-date.
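The idea behind the "service availability guarantee" item above, as an added example that is not from the original post or any product: a per-source sliding-window limit on new SIP requests that still lets requests belonging to an established call through. The thresholds, addresses, host names and sample messages are constructed assumptions.

```python
"""Added example: per-source SIP request rate limiting that spares calls in progress."""
from collections import defaultdict, deque

# Assumed policy values (not from the post).
WINDOW_SECONDS = 10.0
MAX_REQUESTS_PER_WINDOW = 5


def parse_sip_request(raw):
    """Return (method, call_id, to_tag) for a SIP request, or None if it is not one."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None  # responses and malformed start lines are not requests
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    call_id = headers.get("call-id") or headers.get("i")
    to_value = headers.get("to") or headers.get("t") or ""
    to_tag = None
    # Header parameters follow the closing ">" of the URI (or the bare URI).
    for param in to_value.rsplit(">", 1)[-1].split(";")[1:]:
        key, _, val = param.partition("=")
        if key.strip().lower() == "tag":
            to_tag = val.strip()
    return parts[0].upper(), call_id, to_tag


class SipFloodGuard:
    def __init__(self):
        self.recent = defaultdict(deque)  # source IP -> timestamps of admitted requests
        self.active_dialogs = set()       # (source IP, Call-ID) of established calls

    def call_established(self, src_ip, call_id):
        self.active_dialogs.add((src_ip, call_id))

    def decide(self, src_ip, timestamp, raw):
        parsed = parse_sip_request(raw)
        if parsed is None:
            return "ignore-not-request"
        method, call_id, to_tag = parsed
        # Requests inside a known dialog belong to a legitimate call: never rate-limit them.
        if to_tag and (src_ip, call_id) in self.active_dialogs:
            if method == "BYE":
                self.active_dialogs.discard((src_ip, call_id))
            return "allow-in-dialog"
        window = self.recent[src_ip]
        while window and timestamp - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= MAX_REQUESTS_PER_WINDOW:
            return "block-flood"
        window.append(timestamp)
        return "allow"


def build_request(method, user, call_id, to_tag=None):
    """Constructed sample message for the demo, not captured traffic."""
    to = f"<sip:{user}@pbx.example.test>" + (f";tag={to_tag}" if to_tag else "")
    return (f"{method} sip:pbx.example.test SIP/2.0\r\n"
            f"To: {to}\r\nFrom: <sip:{user}@pbx.example.test>;tag=f1\r\n"
            f"Call-ID: {call_id}\r\nCSeq: 1 {method}\r\n\r\n")


def run_demo():
    guard = SipFloodGuard()
    guard.call_established("192.0.2.10", "call-42")
    decisions = []
    # A misconfigured phone retries REGISTER 8 times within 2 seconds.
    for i in range(8):
        msg = build_request("REGISTER", "alice", f"reg-{i}")
        decisions.append(guard.decide("192.0.2.10", i * 0.25, msg))
    # The same phone's call in progress is still served.
    bye = build_request("BYE", "alice", "call-42", to_tag="t9")
    decisions.append(guard.decide("192.0.2.10", 2.1, bye))
    # Another phone is unaffected.
    decisions.append(guard.decide("192.0.2.20", 2.2, build_request("INVITE", "bob", "call-77")))
    # Once the window has passed, the first phone may register again.
    decisions.append(guard.decide("192.0.2.10", 15.0, build_request("REGISTER", "alice", "reg-late")))
    return decisions


if __name__ == "__main__":
    print(run_demo())
```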
In the end, you have two options: a) assume that you don’t have to do anything special to secure your VoIP network and hope nothing bad will ever happen; or b) understand the threats and implement security mechanisms to truly enjoy the benefits of VoIP/unified communications. Of course, I recommend the latter and this blog post should give you enough information to get you started.
Posted in: VoIP Security
March 14th, 2008 by Sachin Joglekar
VoIP, being an application over the IP network, is also susceptible to all the attacks that can be launched over the IP network. Moreover, unlike other traditional data applications such as email and web servers, voice applications are less tolerant to attacks. It may not be a problem if your emails get delivered a few minutes late. But a phone is a real-time communication device and a call delayed is a call denied. Additionally, typical VoIP phones have underpowered hardware, making them less tolerant to simple resource exhaustion attacks.
Although there are several unique threats to VoIP, several of the traditional data network threats are also applicable to VoIP. Additionally, traditional data network attack tools and exploits have been around for a long time now and are very effective for attacking VoIP applications as well. These attacks range from layer 2 attacks to application-layer attacks and attacks on supporting services. Let’s look at a few such examples, but keep in mind that this list is by no means exhaustive.
Some of the layer 2 attacks that can do damage to a VoIP network are VLAN hopping and 802.11 attacks. VLAN hopping (which is explained here) allows an attacker to connect an unauthorized device on the VoIP VLAN to gain unauthorized access to another VLAN or to eavesdrop on calls while 802.11 attacks such as access point spoofing allow an attacker to hijack calls from unsuspecting WiFi/dual-mode VoIP phone users. Layer 2 attacks have a greater effect because all upper layer protocols rely on and trust layer 2 protocols for their operation.
TCP/IP attacks can also have a big impact on the VoIP infrastructure because VoIP phones have lower resources so simple attacks such as TCP SYN flooding can disable the phones quickly. Additionally, classic attacks such as IP spoofing, UDP flooding for bandwidth exhaustion, and IP fragmentation attacks can also be used to disable VoIP service and cause DoS.
VoIP devices rely heavily on supporting services such as DNS, DHCP, and ARP. Unlike your old PSTN phone, an IP phone relies on several network protocols to boot up and get connected to the network and eventually to the VoIP server. There are several (see this and this) classic spoofing and cache poisoning attacks that corrupt the information contained in the supporting servers. Unavailability of supporting services may result in a network-wide service outage.
Another important feature of VoIP phones is that they typically run a web server that uses poor authentication. One can hack the web server running on a VoIP phone by exploiting some of the most common web application vulnerabilities such as cross-site scripting and SQL injection. As a result, an attacker can steal phone records and other confidential data or use the phone as a launching pad for other flooding and reconnaissance attacks on the enterprise network.
VoIP brings you a richer user experience and many more communications applications than the old PSTN phones, but unfortunately you cannot bring the “taken for granted” security attitude with it. While understanding and addressing unique real-time security threats is important, it would not be wise to ignore these classic IP-based attacks when implementing a security solution for your VoIP network.
In my subsequent blog post I will attempt to discuss more about the “must have” characteristics of your VoIP security solution and the best practices that increase the overall security posture of your VoIP network.
Posted in: VoIP Security, Data-to-VoIP attacks
March 12th, 2008 by Sachin Joglekar
Before commenting on the current state of VoIP security, it is helpful to review the state of VoIP attacks and exploits in the real world. There are several references to the real-world VoIP attacks and exploits in my previous blog post such as unauthorized surveillance, VLAN hopping, and the milw0rm exploits database. These published and possibly many more unpublished real-world VoIP attacks/exploits put the onus of reviewing the current state of VoIP security on the ethical security analysts and organizations.
Overall VoIP security involves three equally important parts—
1. The state of technology that protects VoIP from attacks
2. The state of attack and test tools that find security holes in VoIP systems and networks.
3. The state of open standards and co-operation between VoIP vendors
If you are a VoIP network admin, you need at least the first two parts to be effective in order to sleep peacefully at night. Open standards and vendor co-operation, on the other hand, act as catalysts to improve the quality of test and protection tools.
There are two types of devices that protect against VoIP attacks and intrusions: one is the traditional data security devices (typically firewalls) enhanced to apply security policies on VoIP signaling and media traffic, and the other type includes devices purpose-built for VoIP intrusion detection/prevention. Although it is almost always necessary to upgrade your firewall so that it does not block the VoIP signaling and media traffic, you should also protect your VoIP network against some of the more sophisticated real-time threats using the purpose-built equipment. Additionally, these devices do their job even better if they are configured to meet the security needs unique to your deployment scenario. The effectiveness of the security devices can be increased manyfold by first assessing and understanding the VoIP threats that are applicable to your VoIP network. This leads us to the second aspect, which involves VoIP security assessment tools.
Recently, VoIP attack and test tools are mushrooming like crazy. But, as Mark Collier noted, and I agree, most of these tools are for SIP, RTP, and other open protocols. There are a proportionately smaller number of tools to attack/test proprietary VoIP protocols including Cisco Skinny, Nortel UNIStim, and Avaya’s H.323 variant. This is sad, because these are the big players in the IP telephony landscape and although they now offer IP telephony products based on open protocols and standards, there is still a large deployment base of their proprietary protocol products. Additionally, several vulnerabilities in products implementing these proprietary VoIP protocols have already been published, which makes it all the more necessary to have more tools to test these products and networks for security holes.
Third and probably the most impacting aspect is open standards and co-operation between VoIP infrastructure vendors, VoIP providers and VoIP security vendors. Organizations such as VOIPSA and SIP Forum are doing a great deal for the VoIP security community by driving this co-operation and coming out with standards such as the threat taxonomy and best security practices. IMO, more active participation from big players will make such efforts more fruitful in the real world.
Even though VoIP is a fairly new technology, there is no doubt that there are VoIP attacks and exploits in the wild. VoIP attacks are coming and the VoIP security market is keeping pace but organizations need to understand there is a risk and implement the best security practices ASAP.
Posted in: VoIP Security, VoIP Vulnerabilities, Vulnerability Research
March 3rd, 2008 by Sachin Joglekar
There are definitely VoIP exploits happening but not nearly at the scale of data exploits. But, it would be very naive to say that you can forget about securing your VoIP network and relax for the next couple of years. Keep in mind that VoIP is a fairly new technology and that the number of so-called “open” VoIP deployments isn’t large enough for exploit databases such as milw0rm to start taking serious note of VoIP.
On milw0rm, if you search for voip, sip, skinny, pbx, etc., you will get real exploit codes but they form a small percentage of the total number of exploits posted there. Also, VIPER Lab has found a similar number of VoIP exploits so far on various devices and services including WiFi/dual-mode phones, VoIP soft phones, and VoIP hard phones. Additionally, the VIPER Lab website has been tracking VoIP security incidents that make news. Some of them are “real” attacks on “real” networks with “real” damage (e.g., this, this, this, and this), which further proves that VoIP exploits are happening. If the media is reporting the attacks you can be assured that many more are happening which go unreported.
Most of the “big” consumer-oriented corporations using VoIP would not want to be named, even if their VoIP network gets attacked, because it’s like telling their customers they are at risk. Although there are laws mandating that companies disclose certain types of such incidents, they may lose some future business.
And finally, one more point that proves it would not be wise to ignore VoIP exploits is that there are two general categories of VoIP threats: one needs the target to have a specific exploitable implementation flaw like a buffer overflow, while the other does not need the target to have such flaws. The second type of threat arises when the network does not implement enough VoIP security mechanisms and the default configurations/passwords are left unchanged.
So, to answer the question, yes, keeping in mind that there aren’t as many VoIP deployments as there are web server or email deployments, there are good enough documented and undocumented VoIP exploits/attacks in the wild and, of course, the number is growing. Combined with that, the lack of implementation of the VoIP security best practices leaves your VoIP networks exposed to attacks that can compromise confidentiality, integrity, availability, and compliance.
Posted in: VoIP Security, VoIP Vulnerabilities
December 19th, 2007 by Sachin Joglekar
With 2007 coming to an end, this is a good time to recap the VoIP vulnerabilities published and the VoIP attacks that occurred in the past year. 2007 was definitely a very active year in terms of number of VoIP vulnerabilities published which allowed VIPER Lab to publish its version of the Top 5 VoIP Vulnerabilities reported in 2007 here.
The list includes VoIP vulnerabilities ranging from remote eavesdropping to toll fraud and VoIP hopping to the Skype worm. Interestingly enough, the VoIP vulnerabilities published in 2007 have a wide range of impacts and motives. On one hand, we saw more traditional types of vulnerabilities like implementation flaws being exploited by the Skype worm, while on the other hand we saw more financially motivated and coordinated VoIP attacks such as toll fraud and vishing (VoIP phishing). Without doubt, VoIP has become a very effective and cheap tool in the arsenal of spammers and hackers.
The root cause lies in the fact that we trust “voice” more than we trust “email”. Scam emails are now quickly suspected by targeted email users. But, will they listen to a scam voicemail with an equal suspicion? I think not… yet. It is very easy for someone to hit the call-back button and get trapped into a fake VoIP-based IVR system posing as a legitimate bank, for example, and give away personal information. This trust of “voice” is carried over from the traditional telephone system which made it much harder and more expensive for spammers and hackers to orchestrate such attacks.
Owing to such facts, it is not hard to predict that VoIP threats will be on the rise. One such prediction was reported in McAfee® Avert Lab’s report, which says that VoIP attacks should increase by 50% in 2008 and that there is no sign of VoIP attacks slowing down.
Fortunately, there is a good side to this story as well. VoIP vulnerabilities and attacks are being openly published and discussed in the media, helping VoIP users become more aware of the threats. Industry alliances such as VOIPSA are doing a great service to the VoIP security community by making available the much needed information about VoIP threats and defenses. With a large number of free and commercial VoIP assessment tools now available, the onus now falls on the “good guys” to be pro-active and take advantage of these tools to test the security readiness of their VoIP networks.
Posted in: VoIP Vulnerabilities
November 2nd, 2007 by Sachin Joglekar
Today, for any user application to be successful, one cannot ignore the mobile phone market. Of course, being a communications application, VoIP, in particular, needs to penetrate further in the mobile phone market. Currently, in spite of several device manufacturers offering VoIP as an alternate calling feature, VoIP penetration is significantly less compared to cellular technologies. If one looks more closely, we can understand the reasons clearly since current US cellular operators are in control of introducing VoIP over mobile and this hurts their traditional cellular business. A recent case in point was when T-Mobile in Europe blocked the Truphone VoIP service. The Truphone service allowed cellular users with data plans to use VoIP at a much cheaper price than cellular plans. You pay a hefty monthly fee for 1000, 2000, or even unlimited calling minutes but imagine if you could use a VoIP service over the cheaper data plan and you don’t need to pay for the calling minutes any more (or you pay for fewer minutes). Who loses in this scenario? Of course, it’s the operators.
So, the bottom line is that for VoIP to be a truly ubiquitous service it needs to penetrate the mobile phone market and for that to happen the mobile phone operators need to look at VoIP as an alternative offering. At the very least, the operators should not block VoIP use over their data plan. Well, ironically enough, T-Mobile recently launched their hotspot@home VoIP service in the US. So, even better, why don’t more operators enable dual-mode phones as an offering so that consumers and businesses can finally realize the dream of one phone and one number but without the hefty bill? That is really when VoIP over mobile will take off because everyone wins.
Posted in: VoIP market penetration
October 26th, 2007 by Sachin Joglekar
I’d like to address some recent commentary and analysis about “Sipera announcing security issues with the Vonage VoIP service.”
Continuing its effort to notify the public about VoIP vulnerabilities, and share information that hackers may already have, Sipera VIPER Lab this week announced security issues with Vonage, Globe7 and Grandstream VoIP services and specific adapters. This follows six months of similar publicly released threat advisories about VoIP protocols and standards, and services and devices offered by Aastra, AOL, Avaya, Dell, D-Link, HTC, Microsoft, Nortel, Polycom, Research in Motion, Samsung, and Snom, among others.
In the six months that Sipera VIPER Lab has been issuing VoIP threat advisories, some vendors have quickly offered fixes and patches on their own, some have worked with Sipera to do the same, some have requested more time to address security issues, and some did not respond or accept Sipera’s offer to help. When vendors do not respond, or act to address security issues, there is little Sipera can do to help them but make numerous attempts to contact them and offer assistance which we have done in all cases.
In this case, following standard industry practice, well over 30 days ago Sipera notified Vonage, Globe7 and Grandstream of specific security issues in their VoIP services and certain adapters. Sipera also offered to work with each vendor on possible fixes and patches, but none of the three responded, requested assistance with a fix, or even asked for additional information.
But when threat advisories are issued, consumers and enterprises are at least educated about and aware of certain security issues, so they can make informed decisions about addressing them. Just as in the data security industry, in the absence of this public knowledge, hackers benefit when others have no idea of the security threats and abuses that might face them.
It is this mission which Sipera VIPER Lab will continue, sharing its VoIP security research and expertise with vendors and the public. And VIPER Lab will likewise continue to provide at least 30 days notice before announcing vulnerabilities and offer to assist vendors.
Finally, Sipera hopes any controversies about VoIP security, advisories, and Sipera’s actions lead to more and more discussion of the issues involved and the ongoing development of VoIP security best practices.
Posted in: Residential VoIP, Vulnerability Research
October 24th, 2007 by Sachin Joglekar
As I mentioned in my previous blog post, residential VoIP users should verify three security aspects of their VoIP service, namely authentication, confidentiality, and service robustness. However, the proof of these concerns is really in the pudding, so to speak. As part of our ongoing research at Sipera VIPER Lab, we assessed some aspects of the Vonage, Globe7, and Grandstream residential and SMB VoIP services and equipment. Not surprisingly to us, the findings re-affirmed the need for verifying basic security practices such as strong authentication, signaling security, and media encryption. Our analysis of these services and equipment reveals several vulnerabilities, including the lack of some basic security mechanisms mentioned above. These vulnerabilities leave users of these services exposed to threats such as spoofing, eavesdropping, and remote exploits. VIPER Lab today issued a news release and posted multiple threat advisories for these vulnerabilities here.
Posted in: VoIP Vulnerabilities, SIP Vulnerabilities, Residential VoIP
September 20th, 2007 by Sachin Joglekar
With residential VoIP users expected to grow to over 200 million in the next 5 years, a number of people will be left without phone service in the case of a widespread attack on VoIP, meaning this is far too big an issue to ignore.
I’m sure many of you have already made the switch or are at least considering it, having heard about how much money it can save you compared to your old telephone. At the same time, you have probably also read about some security concerns for VoIP and may be wondering if your calls over VoIP are secure, if someone is listening to your conversations, or if you will start receiving more “marketing” calls.
Do not let these concerns make you run away from this exciting new technology. Instead, take proactive steps to verify some basic security mechanisms. As a residential VoIP consumer you should ask your VoIP service provider certain questions to understand the security they have in place.
1. Authentication: Can someone steal your caller ID?
2. Confidentiality and Privacy: Is your conversation being heard by an unauthorized third party?
3. Robustness: Are there remotely exploitable vulnerabilities in your VoIP adapter?
Unlike a traditional PSTN telephone, whose identity is tied to the physical telephone line, VoIP phones connect to their VoIP server over the Internet. The VoIP phone has to prove its identity to the server with the use of an authentication protocol. Although most of the authentication protocols are theoretically flawless, several VoIP phones and servers, in implementing these protocols, may leave themselves vulnerable to credential spoofing or, worse, may not implement the authentication mechanism at all. You must verify what type of authentication mechanism is implemented by your service provider and whether it is possible for an unauthorized third party to spoof your phone number and make calls. The VoIP server must implement strong authentication and spoof detection mechanisms to prevent such spoofing attacks.
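One way a server can perform the authentication and spoof-detection checks described above, as an added example that is not from the original post or any vendor's code. It assumes SIP digest authentication (the post names no protocol); the realm, account, nonce lifetime and the rule that the From user must equal the authenticated user are hypothetical policy choices.

```python
"""Added example: SIP-style digest check with replay and caller-ID binding."""
import hashlib
import hmac
import secrets

REALM = "pbx.example.test"   # hypothetical realm
NONCE_LIFETIME = 60.0        # assumed policy: seconds a challenge stays valid


def md5_hex(text):
    # MD5 is what the classic digest scheme specifies; it is not a free choice here.
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce, nc, cnonce, realm=REALM):
    """Digest response with qop=auth (RFC 2617), the scheme SIP inherited from HTTP."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class Registrar:
    def __init__(self, accounts):
        self.accounts = accounts  # username -> password (demo only; store HA1 in practice)
        self.nonces = {}          # nonce -> [issued_at, highest nonce-count accepted]

    def challenge(self, now):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [now, 0]
        return nonce

    def verify(self, now, method, uri, from_user, auth):
        state = self.nonces.get(auth["nonce"])
        if state is None:
            return "reject-unknown-nonce"
        if now - state[0] > NONCE_LIFETIME:
            del self.nonces[auth["nonce"]]
            return "reject-stale-nonce"
        password = self.accounts.get(auth["username"])
        if password is None:
            return "reject-bad-credentials"
        # The digest covers method and URI, so a response captured for one
        # request cannot be reused to authorize a different one.
        expected = digest_response(auth["username"], password, method, uri,
                                   auth["nonce"], auth["nc"], auth["cnonce"])
        if not hmac.compare_digest(expected.encode(), auth["response"].encode()):
            return "reject-bad-credentials"
        try:
            nc = int(auth["nc"], 16)
        except ValueError:
            return "reject-bad-credentials"
        if nc <= state[1]:
            return "reject-replay"       # same or older nonce-count seen before
        state[1] = nc
        if from_user != auth["username"]:
            return "reject-caller-id-mismatch"  # authenticated as one user, claims another
        return "accept"


def run_demo():
    password = "constructed-password"    # constructed sample credential
    reg = Registrar({"alice": password})
    nonce = reg.challenge(now=0.0)
    uri = "sip:pbx.example.test"

    def auth(user, pw, method, nc):
        return {"username": user, "nonce": nonce, "nc": nc, "cnonce": "c0ffee",
                "response": digest_response(user, pw, method, uri, nonce, nc, "c0ffee")}

    good = auth("alice", password, "REGISTER", "00000001")
    return [
        reg.verify(1.0, "REGISTER", uri, "alice", good),    # legitimate phone
        reg.verify(2.0, "REGISTER", uri, "alice", good),    # captured message resent
        reg.verify(3.0, "INVITE", uri, "alice", good),      # response reused for another method
        reg.verify(4.0, "INVITE", uri, "bob", auth("alice", password, "INVITE", "00000002")),
        reg.verify(5.0, "REGISTER", uri, "alice", auth("alice", "guess", "REGISTER", "00000003")),
        reg.verify(120.0, "REGISTER", uri, "alice", auth("alice", password, "REGISTER", "00000004")),
    ]


if __name__ == "__main__":
    print(run_demo())
```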
The next question, and an equally important one, to ask your VoIP provider is whether the conversation is encrypted. Since your voice is now transmitted over the Internet, which is a public IP network, unless a strong encryption scheme is used to ensure the privacy of your conversation, you are left vulnerable to eavesdropping. Even though eavesdropping requires an unauthorized party to get access to some network node, it is possible, and you would not feel comfortable talking over your phone if you knew that someone could potentially listen to your conversation.
The last question you would want to ask your VoIP service provider is about the adapter that is connected to your phone. These adapters implement several complex VoIP, authentication, and encryption protocols, and are freely available to anyone signing up for the VoIP service. It does not take much for someone to find security holes in such adapters using several freely available tools (see VOIPSA tool list). It is quite easy to subject such adapters to malicious attacks and discover denial of service or other vulnerabilities which may compromise the adapter. You must verify that you have the latest firmware installed on your adapter with all the latest security patches. This will protect your adapter and your VoIP service from known attacks. You may still be left vulnerable to zero-day attacks, which are attacks for which security patches from the vendor are still not available, but at least you are protected against known attacks.
To summarize, VoIP phones have hard-to-ignore benefits over the old PSTN-based telephones. However, as a consumer of a VoIP service, you should be proactive in confirming at least 3 security aspects of the service with your VoIP provider. Your VoIP providers, on the other hand, should do a thorough vulnerability assessment of their core and access VoIP infrastructure to understand the security risks and take the correct actions to mitigate them. Taking these precautions is critical to assuring their customers of the highest levels of security and availability. It’s your job to ask whether it’s being done.
Posted in: VoIP Security, VoIP Vulnerabilities, Residential VoIP