dan foo!

What follows is my short investigation into what additional risks VoIP introduces to your voice network when compared to traditional telephones. It was an essay I wrote for a network security course last semester.

Most new technologies go through very predictable evolutions of security, independent of similar advances already made in other fields, and those evolutions are usually a direct response to specific threats. For example, cell phone makers are just now beginning to think about trusted code execution and permissions systems due to the emergence of viruses on their platform. Another common occurrence amongst new technologies is to fall back to “security by patching” as they see the need to “just make it work” more important than putting security into their design process and hence, to some inexperienced managers, slowing them down. Unfortunately, it seems that a critical new technology has fallen into many of these oft-repeated traps: Voice over Internet Protocol Telephony, commonly known as VoIP.

Current implementations of VoIP are notoriously hard to integrate with existing phone networks, existing security infrastructure, and existing network architecture. VoIP requires VoIP-aware firewalls and routers and port forwarding on NAT gateways at the very least, either of which modification can introduce latency and jitter if done poorly making VoIP all but useless to the buyer. As a result, individuals and businesses alike give their main attention to fixing these problems before thinking of how to engineer security into this complex new technology. Further, one of the main reasons consumers switch to VoIP is because of the lower cost. Security can, and usually is, seen as adding unnecessary expense and slowing down the process of converting to VoIP. All of this makes security an after-the-fact addition to the deployment of VoIP, where it usually becomes more costly and less effective than if it had been integrated from the beginning.

The following is a simple quantification of threats present in VoIP voice services not present in Circuit-Switched voice services:

• Viruses
• Worms
• Denial of Service
• Hackers with knowledge of IP
• Accessible to users on a LAN
• More complex PBXs, media gateways, switches, routers, firewalls, cabling, phones, softphones
• General purpose OSs, databases, web servers
• Untested, immature software
• Immature standards (SIP, H.323, MGCP, H.248)

These risks are slowly making their way through the cracks only a short time after VoIP has reached the mass market. A quick search for public exploits shows weakness in many SIP implementations to not properly forward the NOTIFY parameter, allowing an attacker to spoof his caller ID, buffer overflow vulnerabilities in the entire line of Cisco 7900-series IP telephones, prompting information leaks, DoS vulnerabilities, and man-in-the-middle attacks, and the emergence of sophisticated, yes easy to use, software enabling IP “wiretaps”.

Of these risks, which one could easily expand to include many more, I believe the largest and hardest to reconcile will be the use of general purpose operating systems and the hackers the VoIP platform will inherit through its use of IP data networks. Gatekeepers, call managers, media servers, IP phones, PBX’s, and more can and will be run on general purpose operating systems like Windows and Unix (or its derivatives) in the VoIP environment, which the world is constantly struggling to secure for purposes less important than a worldwide telephone network. As demonstrated above, the vast expertise of hackers knowledge of applications run over IP is already being put to work at this first generation VoIP environment.

Another major source of security problems can arise from the different paradigm VoIP follows from traditional circuit-switched networks.

• If you have access to a computer, you can potentially turn it into a VoIP softphone. This presents interesting security problems to enterprise networks.
• If you hack into a VoIP gateway or other server, you now have access to a fully functional operating system through which you can launch further attacks on other networks outside of the VoIP network and into a private corporate network, for example.
• Related to the last problem, if you hack into a VoIP phone many of them run web servers, tftp servers, and some even go beyond typical embedded operating systems and include trimmed down general purpose operating systems instead like, for example, Windows Mobile. Compromising a VoIP phone can potentially give an attacker access to the network which it is connected to.
• VoIP calls are not tied to a specific area. One of the cited benefits of VoIP is that you can pick up your hardware and account information and make a call from anywhere. Also related to the last two problems, if you gain control of a VoIP server you can make calls from it and misrepresent your location.
• Your voice network now depends on your data network. Your voice network now inherits traditional IP-related problems like ARP spoofing, DNS poisoning, TCP injections, IP spoofing, and so on. Improper data network architecture can now greatly impact the security of voice network.

As with the previous list, this list can go on.

Many talented individuals are noticing this problem and grouping together to fix it as can be seen in the VoIP Security Alliance (VOIPSA). VOIPSA recently released its first standards document where they tried to enumerate possible threats. While this is a good first step, I believe it will take a major security-related event to shock the community into accepting these threats that VoIP brings with it to voice service. The situation now is as ripe a mass market technology can get for easy hacks that affect global audience.

References:
http://www.securiteam.com/exploits/5EP0D0AGAW.html – SIP NOTIFY message vulnerabilities
http://www.securiteam.com/exploits/5HP0O0U75Q.html – Multiple Vulnerabilities in Cisco 7900
http://vomit.xtdnet.nl/ - VOMIT, Voice Over Misconfigured Internet Telephones