February 12, 2009, 5:12 PM — There are too many sources of vulnerability for VoIP to ever be completely secure, says Patrick Park, author of VoIP Security. Here he describes the VoIP threat landscape and offers best practices for making VoIP reasonably secure.
This is part of a regular series that highlights new books and their authors. Also in this series: Raffael Marty on security visualization, Joel Scambray on exposing the hacker's advantage, Brandon Carroll on wireless networking, and Scott Hogg on IPv6 security.
What is the threat landscape like for VoIP?
There are so many different kinds of threats or attacks in the VoIP world.
Attackers may disrupt media service by flooding traffic, or collect private information by intercepting calls, or make fraud calls by spoofing identities. Spammers may use VoIP networks to deliver spam calls, instant messages, or presence information, which are more effective than email spams because it is very difficult to filter VoIP spam.
There are four categories that most VoIP threats belong to:
- Threats against availability: A group of threats against service availability that is supposed to be running 24x7. These threats aim at VoIP service interruption, typically in the form of Denial of Service (DoS). Examples include call flooding, malformed messages (protocol fuzzing), call teardown, call hijacking (registration or media session hijacking), server impersonating, quality of Service (QoS) abuse.
- Threats against confidentiality: These threats don't impact current communications generally, but provide an unauthorized means of capturing media, identities, patterns, and credentials that are used for subsequent unauthorized connections or other deceptive practices. The typical examples are eavesdropping media, call pattern tracking, data mining, and reconstruction.
- Threats against integrity: Altering messages or media after intercepting them in the middle of the network. That is, an attacker can see the entire signaling and media stream between endpoints as an intermediary. The alteration can consist of deleting, injecting, or replacing certain information in the VoIP message or media. The typical types of threat are message alteration and media alteration.
- Threats against social context: Also known as social threats, these are somewhat different from other technical threats in terms of the intention and methodology. They focus on how to manipulate the social context between communication parties so that an attacker can misrepresent himself as a trusted entity and convey false information to the target user (victim). The typical threats against social context are misrepresentation of identity, spam of call (voice), IM, and presence, and phishing.
What kinds of tools can be used by bad guys to intercept VoIP communications?
First of all, I want to mention that intercepting VoIP communication is not easy in a real service environment. Most ordinary people are concerned about privacy issues (typically, wiretapping) when using VoIP devices (such as an IP phone) that are mostly connected to the open or public Internet. It sounds easy for a hacker to sniff the packets and eavesdrop the conversation, but in reality, it is not that easy. The hacker has to have a sniffing tool located in the same broadcasting domain as the IP phone (using switched Ethernet), or the hacker has to be on the same media path in order to eavesdrop, which means that it is very difficult for an external hacker to sniff the packets. Moreover, if the media packets are encrypted, even intercepted packets are useless.