There are too many sources of vulnerability for VoIP to ever be completely secure, says Patrick Park, author of VoIP Security. Here he describes the VoIP threat landscape and offers best practices for making VoIP reasonably secure.
This is part of a regular series that highlights new books and their authors.
What is the threat landscape like for VoIP?
There are so many different kinds of threats or attacks in the VoIP world.
Attackers may disrupt media service by flooding traffic, or collect private information by intercepting calls, or make fraud calls by spoofing identities. Spammers may use VoIP networks to deliver spam calls, instant messages, or presence information, which are more effective than email spams because it is very difficult to filter VoIP spam.
There are four categories that most VoIP threats belong to:
- Threats against availability: A group of threats against service availability that is supposed to be running 24x7. These threats aim at VoIP service interruption, typically in the form of Denial of Service (DoS). Examples include call flooding, malformed messages (protocol fuzzing), call teardown, call hijacking (registration or media session hijacking), server impersonating, and Quality of Service (QoS) abuse.
- Threats against confidentiality: These threats don't impact current communications generally, but provide an unauthorized means of capturing media, identities, patterns, and credentials that are used for subsequent unauthorized connections or other deceptive practices. The typical examples are eavesdropping media, call pattern tracking, data mining, and reconstruction.
- Threats against integrity: Altering messages or media after intercepting them in the middle of the network. That is, an attacker can see the entire signaling and media stream between endpoints as an intermediary. The alteration can consist of deleting, injecting, or replacing certain information in the VoIP message or media. The typical types of threat are message alteration and media alteration.
- Threats against social context: Also known as social threats, these are somewhat different from other technical threats in terms of the intention and methodology. They focus on how to manipulate the social context between communication parties so that an attacker can misrepresent himself as a trusted entity and convey false information to the target user (victim). The typical threats against social context are misrepresentation of identity, spam of call (voice), IM, and presence, and phishing.
What kinds of tools can be used by bad guys to intercept VoIP communications?
First of all, I want to mention that intercepting VoIP communication is not easy in a real service environment. Most ordinary people are concerned about privacy issues (typically, wiretapping) when using VoIP devices (such as an IP phone) that are mostly connected to the open or public Internet. It sounds easy for a hacker to sniff the packets and eavesdrop on the conversation, but in reality, it is not that easy. The hacker has to have a sniffing tool located in the same broadcasting domain as the IP phone (using switched Ethernet), or the hacker has to be on the same media path in order to eavesdrop, which means that it is very difficult for an external hacker to sniff the packets. Moreover, if the media packets are encrypted, even intercepted packets are useless.
In VoIP, an attacker uses two methods typically. One is sniffing media packets in the same broadcasting domain as a target user’s, or on the same path as the media. The sniffing tools are available on the Internet, like Wireshark (formerly Ethereal). The other way of intercepting communications is compromising an access device (for example, Layer 2 switch) and forwarding the target media to an attacker’s device, which generally happens in enterprise networks.
Can VoIP ever be completely secure?
No. There are too many sources of vulnerability to make VoIP completely secure. Today's VoIP includes not only voice, but also video, IM, presence data, and fax data.
VoIP has two types of vulnerability. One is the inherited vulnerability coming from an existing infrastructure such as the network, operating system, or web server that VoIP applications are running on. The other is its own vulnerability coming from VoIP protocols and devices, such as IP phone, voice gateway, media server, signaling controller, and so on.
In reality, it's hard to control every component to provide 100% security. However, we are able to make it reasonably secure. The best practice is to integrate all possible solutions according to service model, network architecture, protocol model, target customers, and peering partners.
What is a Session Border Controller (SBC) and how does it secure the VoIP network border?
An SBC is, as the name implies, a controlling device located on a border of two network sessions. The session is a logical boundary of a VoIP network, like between the consumer and the service provider network, or between two different enterprise networks.
The function of SBC is, simply speaking, resolving border issues like interop and security issues. Let me summarize the critical functions of SBC:
- Network topology hiding: it's a key function of SBC, hiding the core network topology from either access or peer network. Most VoIP servers like SIP proxy are exposed to the external networks so that endpoints may access the servers to request calls or register, which means that the topology of the service network is partially visible and vulnerable. So, an SBC encapsulates the core network and provides a single logical interface for external networks. The external endpoints can see only the IP address and port of the SBC rather than actual VoIP servers, and the SBC routes the call to the corresponding server based on type of service, policy, protocol, and so on.
- Denial-of-service protection: SBC uses access control that allows secure traffic, limits uncertain traffic, and denies insecure traffic. It's similar to white list, black list call control.
- Overload prevention: the meaning of overload prevention in this context is that the SBC monitors regular traffic from legitimate endpoints and controls it in order not to overwhelm VoIP servers, which is somewhat different from DoS protection dealing with malicious or flooded traffic. The typical method of preventing the overload is that an SBC reduces redundant or unnecessary signals by controlling the frequency of messages (for example, periodical registration or keepalive), or distributes the load to multiple targets based on policy.
- NAT traversal: One-way or no-media issues are very common when traversing a NAT. SBC can resolve this issue in the middle of the network by relaying media or rewriting protocol messages as a B2BUA.
- Lawful Interception (LI): It's a VoIP service provider’s duty to intercept call data or contents, and forward them to a law enforcement agency according to a warrant. The reason for using an SBC for the interception is that it can see most of the signals and media going back and forth among endpoints and VoIP servers as an access device.
- Other functions of SBC are load balancing, transcoding, protocol conversion, number translation and QoS marking.
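The denial-of-service protection and overload-prevention functions in the list above, as an added example that is not part of the interview or the book: a border policy that denies listed sources, rate-limits unclassified ones with a token bucket, and keeps redundant REGISTER refreshes away from the core servers. The class names, decision labels, networks and thresholds are assumptions made for this example.

```python
import ipaddress

class Bucket:
    """Token bucket: `rate` messages per second sustained, `burst` at once."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), None

    def allow(self, now):
        if self.last is not None:  # refill for the time elapsed since the last message
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

class BorderPolicy:
    """Hypothetical admission policy; the decision labels are this example's own."""
    def __init__(self, trusted, denied, rate=1.0, burst=3, min_register_gap=30.0):
        self.trusted = [ipaddress.ip_network(n) for n in trusted]
        self.denied = [ipaddress.ip_network(n) for n in denied]
        self.rate, self.burst, self.gap = rate, burst, min_register_gap
        self.buckets = {}        # per-source bucket for unclassified sources
        self.last_register = {}  # (source, AoR) -> time last forwarded to the core

    def decide(self, now, src, method, aor):
        ip = ipaddress.ip_address(src)
        if any(ip in n for n in self.denied):
            return "deny"        # listed source: dropped at the border
        if not any(ip in n for n in self.trusted):
            bucket = self.buckets.setdefault(src, Bucket(self.rate, self.burst))
            if not bucket.allow(now):
                return "limit"   # uncertain source exceeding its rate
        if method == "REGISTER":  # overload prevention applies to legitimate traffic too
            seen = self.last_register.get((src, aor))
            if seen is not None and now - seen < self.gap:
                return "absorb"  # redundant refresh: not forwarded to the registrar
            self.last_register[(src, aor)] = now
        return "forward"

# Constructed sample traffic: (time in s, source IP, SIP method, address-of-record)
SAMPLE = [(0.0, "203.0.113.9", "INVITE", "sip:x@example.test")]
SAMPLE += [(t, "10.1.1.5", "REGISTER", "sip:bob@example.test") for t in (0.0, 10.0, 40.0)]
SAMPLE += [(t, "198.51.100.7", "INVITE", "sip:y@example.test") for t in (50.0,) * 4 + (52.0,)]

def run(events):
    policy = BorderPolicy(trusted=["10.1.0.0/16"], denied=["203.0.113.0/24"])
    return [policy.decide(*e) for e in events]
```

`run(SAMPLE)` shows the trusted phone's early re-registration absorbed at the border and the unclassified source limited on its fourth simultaneous INVITE, then forwarded again once the bucket refills.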
A new term we're seeing is SPIT. This is essentially spam on VoIP. Is this a real concern?
Yes, it's a real concern. The main reason SPIT is becoming popular is that it is cost-effective for spammers.
In some cases, spammers use computational and bandwidth resources provided by others by infecting their machines with viruses that turn them into "zombies" that can be used to generate call spam.
Another reason SPIT is getting popular is its effectiveness, compared to email spams. Most spam filters for email today work very well. Even though users may still receive a small percentage of email spams, they usually look at profiles (for example, sender name and subject) and delete most of them without seeing the contents. However, the method of filtering emails does not work for SPIT because voice is real-time media.
Only after listening to some information initially can users recognize whether it is spam. There is a way to block those call attempts based on a blacklist (spammers' IP address or caller ID), but it is useless if spammers spoof the source information.