Securing VoIP

February 12, 2009, 05:12 PM —  ITworld — 

There are too many sources of vulnerability for VoIP to ever be completely secure, says Patrick Park, author of VoIP Security. Here he describes the VoIP threat landscape and offers best practices for making VoIP reasonably secure.

This is part of a regular series that highlights new books and their authors. Also in this series: Raffael Marty on security visualization, Joel Scambray on exposing the hacker's advantage, Brandon Carroll on wireless networking, and Scott Hogg on IPv6 security.


VoIP Security

What is the threat landscape like for VoIP?

There are so many different kinds of threats or attacks in the VoIP world.

Attackers may disrupt media service by flooding traffic, collect private information by intercepting calls, or make fraudulent calls by spoofing identities. Spammers may use VoIP networks to deliver spam calls, instant messages, or presence information, which are more effective than email spam because it is very difficult to filter VoIP spam.

Bio
Name: Patrick Park
Patrick Park has been working on product design, network architecture design, testing, and consulting for more than 10 years. Currently, Patrick works for Cisco as a VoIP test engineer focusing on the security and interoperability testing of rich media collaboration gateways. Before Patrick joined Cisco, he worked for Covad Communications (a VoIP service provider) as a VoIP security engineer focusing on the design and deployment of secure network architecture and lawful interception (under the Communications Assistance for Law Enforcement Act [CALEA]) with various tools and solutions. Patrick graduated from Pusan National University in South Korea, where he majored in computer engineering. While attending graduate school, he wrote the book Web Server Programming with PHP. Patrick lives with his wife and children in Los Gatos, California.

There are four categories that most VoIP threats belong to:

  • Threats against availability: A group of threats against service availability, which is supposed to be 24x7. These threats aim at VoIP service interruption, typically in the form of Denial of Service (DoS). Examples include call flooding, malformed messages (protocol fuzzing), call teardown, call hijacking (registration or media session hijacking), server impersonation, and Quality of Service (QoS) abuse.
  • Threats against confidentiality: These threats generally don't impact current communications, but provide an unauthorized means of capturing media, identities, patterns, and credentials that are used for subsequent unauthorized connections or other deceptive practices. The typical examples are media eavesdropping, call pattern tracking, data mining, and reconstruction.
  • Threats against integrity: Altering messages or media after intercepting them in the middle of the network. That is, an attacker can see the entire signaling and media stream between endpoints as an intermediary. The alteration can consist of deleting, injecting, or replacing certain information in the VoIP message or media. The typical types of threat are message alteration and media alteration.
  • Threats against social context: Also known as social threats, these are somewhat different from the other, technical threats in terms of intention and methodology. They focus on how to manipulate the social context between communicating parties so that an attacker can misrepresent himself as a trusted entity and convey false information to the target user (victim). The typical threats against social context are misrepresentation of identity; spam over voice calls, IM, and presence; and phishing.
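
Two of the availability threats Park lists (call flooding and malformed messages) and the registration-hijacking variant of call hijacking are the kind of thing a SIP-aware monitor can flag from signaling alone. The script below is an added example written for this article, not code from Park's book or from ITworld. It works on a constructed, simplified one-line-per-request log (timestamp, source address, method, address-of-record, optional Contact); the line format, the addresses, the ten-second window and the 20-INVITE threshold are all assumptions chosen for illustration, not values the interview gives.

```python
"""Toy SIP signaling monitor (added example; not from the book or the interview).

Flags three threat types from the taxonomy above:
  * INVITE_FLOOD          - availability: too many INVITEs from one source in a window
  * MALFORMED             - availability: a request line the parser cannot decode
  * REGISTRATION_HIJACK   - hijacking: a REGISTER re-binds an AOR from a different
                            source/contact than the binding already on record
The log format and all thresholds are assumptions for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class SipEvent:
    ts: float       # seconds since start of capture
    src_ip: str     # address the request came from
    method: str     # INVITE, REGISTER, ...
    aor: str        # address-of-record, e.g. sip:alice@example.com
    contact: str    # Contact URI; only meaningful for REGISTER


def parse_line(line: str) -> SipEvent:
    """Parse the constructed format '<ts> <src_ip> <METHOD> <aor> [<contact>]'."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"malformed request line: {line!r}")
    ts, src, method, aor = parts[:4]
    contact = parts[4] if len(parts) > 4 else ""
    return SipEvent(float(ts), src, method.upper(), aor, contact)


class SipMonitor:
    def __init__(self, window: float = 10.0, invite_limit: int = 20):
        self.window = window                  # sliding window in seconds
        self.invite_limit = invite_limit      # INVITEs per source per window
        self._invites = defaultdict(deque)    # src_ip -> timestamps in window
        self._last_flood_alert = {}           # src_ip -> ts of last alert
        self._bindings = {}                   # aor -> (contact, src_ip)
        self.alerts = []                      # (kind, subject, ts)

    def observe(self, ev: SipEvent) -> None:
        if ev.method == "INVITE":
            q = self._invites[ev.src_ip]
            q.append(ev.ts)
            while q and ev.ts - q[0] > self.window:   # drop expired timestamps
                q.popleft()
            last = self._last_flood_alert.get(ev.src_ip)
            # alert once per window, not once per packet, so a sustained flood
            # does not itself flood the alert stream
            if len(q) >= self.invite_limit and (last is None or ev.ts - last > self.window):
                self._last_flood_alert[ev.src_ip] = ev.ts
                self.alerts.append(("INVITE_FLOOD", ev.src_ip, ev.ts))
        elif ev.method == "REGISTER":
            prev = self._bindings.get(ev.aor)
            if prev and prev != (ev.contact, ev.src_ip):
                # the AOR was already bound elsewhere: calls for this user
                # would now be routed to the new contact
                self.alerts.append(("REGISTRATION_HIJACK", ev.aor, ev.ts))
            self._bindings[ev.aor] = (ev.contact, ev.src_ip)


def analyze(lines, window: float = 10.0, invite_limit: int = 20):
    """Run the monitor over an iterable of log lines and return the alert list."""
    mon = SipMonitor(window, invite_limit)
    for line in lines:
        try:
            ev = parse_line(line)
        except ValueError:
            mon.alerts.append(("MALFORMED", line, None))
            continue
        mon.observe(ev)
    return mon.alerts


# Constructed sample log (documentation addresses, not real hosts): a normal
# registration and call, a re-registration of alice from another host, one
# truncated request, then 25 INVITEs from that host in 2.5 seconds.
SAMPLE_LOG = [
    "0.0 198.51.100.10 REGISTER sip:alice@example.com sip:alice@198.51.100.10",
    "0.5 198.51.100.11 INVITE sip:bob@example.com",
    "1.0 203.0.113.5 REGISTER sip:alice@example.com sip:alice@203.0.113.5",
    "2.0 203.0.113.5 INVITE",
] + [f"{3.0 + i * 0.1:.1f} 203.0.113.5 INVITE sip:bob@example.com" for i in range(25)]


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample log the monitor raises exactly three alerts, in log order: the hijack of sip:alice@example.com, the malformed line, and one flood alert for 203.0.113.5 when its twentieth INVITE inside the window arrives. A real deployment would key the flood counter on more than the source address (spoofed UDP sources are cheap) and would compare registrations against authenticated identities rather than raw Contact values, but the structure is the same.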

What kinds of tools can be used by bad guys to intercept VoIP communications?

First of all, I want to mention that intercepting VoIP communication is not easy in a real service environment. Most ordinary people are concerned about privacy issues (typically, wiretapping) when using VoIP devices (such as an IP phone) that are mostly connected to the open or public Internet. It sounds easy for a hacker to sniff the packets and eavesdrop on the conversation, but in reality, it is not that easy. The hacker has to have a sniffing tool located in the same broadcast domain as the IP phone (using switched Ethernet), or the hacker has to be on the same media path in order to eavesdrop, which means that it is very difficult for an external hacker to sniff the packets. Moreover, if the media packets are encrypted, even intercepted packets are useless.
