VOIP Security

If carrier purchasing activity is an early indicator of technology trends, then it is only a matter of time before VoIP emerges as the dominant form of voice traffic. The majority of new gear purchased today is IP-based, fueled largely by the rapidly growing demand for VoIP services from consumers and businesses.

However, efforts around VoIP to date have focused primarily on improving reliability and quality, largely at the expense of security. Security simply has not been built into VoIP, and now that the technology is achieving mass adoption, it will become an increasingly attractive target for the cyber-crime organizations currently targeting the data networking world.

Of course, VoIP is simply data transmitted in digital packet form. This means it can be attacked, hacked, intercepted, manipulated, re-routed and degraded just like packets on the data network. All of the maladies of the data network — viruses, worms, Trojan horses, DoS attacks and hijacking — likewise are risks to VoIP networks.

Because VoIP is a nascent technology, its equally immature underlying operating systems and applications are as vulnerable as data networkbased operating systems were in the early stages of their development. Specifically, there are three key weak points in today’s VoIP ecosystem that represent prime targets for attacks:

Endpoints/Customer Premises Equipment
Vulnerabilities in IP phones’ operating systems and supporting software introduce risks. Additionally, PC-based IP phones are susceptible to attack just like any other PC-based application. They also are open to “crossover” attacks, since they lie at the intersection of the data network and VoIP.

Central Administration/Call Processing and Management Applications
These applications, which serve as the “switches” for IP-based voice traffic, often are installed on dedicated servers and, thus, are subject to the same security issues as any server in the network. They are also the most vital link in the VoIP architecture and represent a single point of failure, making them a prime target for attack.

The Voice Mail System/Server
Voice mail servers are likely targets for “prank” attacks, such as altering messages, in addition to eavesdropping, spamming and other attacks.

As we can see, VoIP has inherent weaknesses and is vulnerable at multiple points. VoIP must be secured to ensure the integrity and performance of the VoIP communications network, and, equally important, to maintain the marketplace’s confidence in VoIP-based communications. Today, however, VoIP is susceptible to a number of easily anticipated and defined attacks, including:

Denial of Service
DoS attacks are the simplest and most common type of attack faced by data networks. A VoIP DoS attack would bombard call processing/ management applications with an inordinate amount of simultaneous requests that cannot be processed, causing them to shut down. Crime organizations extort money from DoS attack targets in the data networking world today, and one easily can imagine the same thing happening in the VoIP world tomorrow.

Toll Fraud/Service Theft
This likely will be the most common attack in the early stages of VoIP, where an unauthorized user gains access to the VoIP network by mimicking an authorized user or seizing control of an IP phone and initiating outbound long-distance calls.

Eavesdropping
VoIP services measurement and troubleshooting software makes eavesdropping on a packetized voice call relatively easy.

Phishing
The same techniques used to steal identity information over e-mail are being used over VoIP. Criminals spoof caller identification information so it looks like the call is coming from a legitimate organization and then ask the call recipient for identity information.

Other types of attacks will include call redirection, where calls are sent to an incorrect destination where identity thieves lay in wait; information theft, where names and phone extensions are obtained through unauthorized access to voice mail servers or call processors; and call integrity compromise, where call content is corrupted so quality degrades.

VoIP remains in its “age of security innocence” today simply because there has not yet been a tempting enough payoff for cyber-criminals to focus their attention on VoIP. Growing adoption will change that calculus as VoIP becomes a highly attractive target for attacks, because VoIP largely is undefended and end users are not conditioned to distrust the phone in the same way that they do e-mail and the Web. When this happens, security will displace quality and reliability as the most critical focus of VoIP carriers and equipment vendors, just as it has in the data network.