
Securing VoIP systems

August 5, 2014 by Ryan Mazerik

Voice over Internet Protocol (VoIP) is a methodology and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. VoIP has dramatically reduced the cost of international calls, allowing people to make ISD calls at a lower cost. In this growing era of smartphones, everyone carries a VoIP application in their pocket to make cheap calls.

VoIP systems can take many different forms. Any computer is capable of providing VoIP services. Microsoft's NetMeeting, which comes with any Windows platform, provides some VoIP services, as do Apple Macintosh iChat and many more applications on Linux platforms. In general, the term Voice over IP is associated with equipment that provides the ability to dial telephone numbers and communicate with parties on the other end of a connection who have either another VoIP system or a traditional analog telephone.


VoIP can be implemented in the following ways:

ATA

The simplest and most common way is through the use of a device called an ATA (analog telephone adaptor). The ATA allows you to connect a standard phone to your computer or your Internet connection for use with VoIP. The ATA is an analog-to-digital converter. It takes the analog signal from your traditional phone and converts it into digital data for transmission over the Internet.

IP Phones

These are specialized phones that look just like normal phones, with a handset, cradle and buttons. But instead of having the standard RJ-11 phone connectors, IP phones have Ethernet connector sockets. IP phones connect directly to your router and have all the hardware and software necessary right on board to handle the IP call. Wi-Fi phones allow subscribing callers to make VoIP calls from any Wi-Fi hot spot. This method is most commonly employed in corporate networks.

Computer-to-computer

This is certainly the easiest way to use VoIP. You don't even have to pay for long-distance calls. There are several companies offering free or very low-cost software that you can use for this type of VoIP. All you need is the software, a microphone, speakers, a sound card and an Internet connection.

A VoIP network generally consists of several components:

  • VoIP Server
  • VoIP Gateway (a VoIP gateway is used to connect the PSTN with the VoIP system)
  • VoIP Client

VoIP makes use of several protocols to transfer voice data over packet-based networks. Some commonly used protocols include SIP, RTP, Skype and Cisco's SCCP. Of these, SIP is commonly used for carrying out VoIP conversations. The major protocols are explained in greater detail below.

VoIP quality of service issues

  1. Jitter
    Jitter refers to non-uniform packet delays. It is often caused by low bandwidth situations in VOIP and can be exceptionally detrimental to the overall QoS. Variations in delays can be more detrimental to QoS than the actual delays themselves. Jitter can cause packets to arrive and be processed out of sequence.
  2. Latency
    Latency in VOIP refers to the time it takes for a voice transmission to go from its source to its destination. Ideally, we would like to keep latency as low as possible but there are practical lower bounds on the delay of VOIP.
  3. Packet Loss
    Packet loss is another major QoS issue for VoIP systems. VOIP is exceptionally intolerant of packet loss. Packet loss can result from excess latency, where a group of packets arrives late and must be discarded in favor of newer ones. It can also be the result of jitter, that is, when a packet arrives after its surrounding packets have been flushed from the buffer, making the received packet useless.
  4. Bandwidth
    In computer networks, bandwidth is often used as a synonym for data transfer rate - the amount of data that can be carried from one point to another in a given time period (usually a second). So the more bandwidth we have, the better the call quality.
    One of the great attractions of VOIP, data and voice sharing the same wires, is also a potential headache for implementers who must allocate the necessary bandwidth for both networks in a system normally designed for one. Congestion of the network causes packets to be queued, which in turn contributes to the latency of the VOIP system. Low bandwidth can also contribute to non-uniform delays (jitter), since packets will be delivered in spurts when a window of opportunity opens up in the traffic.
  5. Session Initiation Protocol (SIP)
    The Session Initiation Protocol (SIP) is a signalling protocol that is widely used in VoIP systems and extremely popular. The SIP protocol is simple and text based, like the HTTP protocol. The protocol defines the messages that are sent between peers and that govern establishment, termination and other essential elements of a call. SIP requires a SIP server and a SIP client to work properly.
  6. Real Time Transport Protocol (RTP)
    The Real-time Transport Protocol (RTP) defines a standardized packet format for delivering audio and video over IP networks. RTP is used extensively in communication and entertainment systems that involve streaming media, such as telephony, video teleconference applications, television services and web-based push-to-talk features.

RTP is UDP based and therefore not highly reliable, but due to the nature of VoIP traffic, one hundred percent reliability is not essential. RTP is designed for end-to-end, real-time transfer of stream data. The protocol provides facilities for jitter compensation and detection of out-of-sequence arrival of data, both of which are common during transmissions on an IP network. RTP allows data transfer to multiple destinations through IP multicast.
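The jitter compensation and out-of-sequence detection mentioned above rest on two RTP header fields, the sequence number and the timestamp. The following Python sketch is an added example, not code from the original article: it parses the fixed RTP header and computes the RFC 3550 interarrival jitter plus reorder and loss counts over a constructed capture, assuming G.711 audio with an 8000 Hz clock.

```python
import struct

CLOCK_RATE = 8000  # Hz; assumes G.711 audio (RTP payload type 0)

def parse_rtp(packet):
    """Parse the fixed RTP header (RFC 3550 section 5.1)."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    payload = packet[12 + 4 * (b0 & 0x0F):]  # skip CSRC list; header extension ignored
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc, "payload": payload}

def stream_stats(arrivals):
    """arrivals: (arrival_seconds, raw_packet) pairs for one SSRC, in arrival order."""
    jitter, prev_transit = 0.0, None
    base = ext_max = None
    received = reordered = 0
    for arrival, raw in arrivals:
        hdr = parse_rtp(raw)
        # Interarrival jitter (RFC 3550 section 6.4.1): smoothed change in transit time.
        transit = arrival * CLOCK_RATE - hdr["ts"]
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16
        prev_transit = transit
        received += 1
        if ext_max is None:
            base = ext_max = hdr["seq"]
            continue
        delta = (hdr["seq"] - ext_max) & 0xFFFF  # distance modulo 2^16, survives wrap
        if 0 < delta < 0x8000:
            ext_max += delta      # in order, possibly after a gap
        else:
            reordered += 1        # late or duplicate packet
    lost = (ext_max - base + 1) - received if received else 0
    return {"jitter_ms": 1000 * jitter / CLOCK_RATE, "reordered": reordered, "lost": lost}

def make_packet(seq, ts, payload=b"\xff" * 160):
    """Build a constructed RTP packet: version 2, payload type 0, fixed SSRC."""
    return struct.pack("!BBHII", 0x80, 0, seq, ts, 0x1234ABCD) + payload

# Constructed capture: 20 ms packets, sequence wraps, seq 1 arrives late, seq 3 never arrives.
SAMPLE = [
    (0.000, make_packet(65534, 0)),
    (0.020, make_packet(65535, 160)),
    (0.045, make_packet(0, 320)),
    (0.080, make_packet(2, 640)),
    (0.081, make_packet(1, 480)),
    (0.120, make_packet(4, 960)),
]

if __name__ == "__main__":
    print(stream_stats(SAMPLE))
```

The same counters are what a monitoring probe would trend per call: rising jitter or loss on many streams at once points at congestion or a flood rather than a single bad endpoint.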

VoIP Security Issues

    1. Call Interception
      One of the most commonly encountered problems with VoIP setups is that data passing through VoIP gateways is not encrypted by default. If a malicious attacker is able to find the source of the stream, he can easily hijack the signal and listen in on all our conversations.
      The attacker only requires physical access to a LAN segment that the VoIP packets travel across. Most enterprises use Ethernet switches instead of hubs, which limits the number of locations where such an exploit is possible. Call interception is more of a risk if companies make use of unsecured wireless networks, which can be used to easily enter a corporate network and listen in on calls.
    2. Denial of Service attacks
      A DoS attack disrupts services by flooding the network with large amounts of data. This data can take many forms, but they all prevent the network from functioning properly. A DoS attack can be far more devastating if it is carried out by several thousand computers; such an attack is called a DDoS.

      DDoS attacks may target different parts of the network; however, if your VoIP infrastructure is directly connected to the main network, it may be affected by the main DDoS attack. Denial of service attacks can cause several problems for VoIP sessions. Some DDoS attacks may not bring down the network itself but may cause severe traffic disruption due to increased latency and jitter in the network.

      The Gulp tool can be used to create a SIP flood of more than 200 Mbps from thousands of random sources, consistently changing the SIP headers to avoid detection. The tool can also be used to send malformed or spoofed requests to damage SIP devices.
    3. Exfiltration of Data
      Another major problem for enterprises is the exfiltration of confidential data from their networks. Attackers can make use of RTP sessions to exfiltrate information from a corporate environment; since firewalls do not block VoIP traffic, it becomes nearly impossible to stop such attacks.
      VoIP packets, unlike data packets in other formats, are much more difficult to scan for hidden content or data without introducing delay into the entire data stream. Exfiltration attacks are usually carried out by VoIP Trojans that send data out of the host system as an RTP stream.
    4. Vishing
      Voice phishing is the practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward or obtaining confidential information. The term is a combination of "voice" and "phishing".

      Voice phishing tricks the victim into trusting the caller; he or she may then inadvertently release sensitive information to the caller. Vishing is very similar to its counterpart in email. Due to their nature, vishing attacks are very difficult to mitigate; user awareness of such attacks is the best solution.

      Vishing is typically used to steal information such as credit card numbers or user information used in identity theft schemes. Some fraudsters utilize features facilitated by Voice over IP (VoIP), such as caller ID spoofing (to display a number of their choosing on the recipient's phone line) and automated systems (IVR).
    5. Spamming over Internet Telephony (SPIT)
      VoIP spam or SPIT (Spam over Internet Telephony) is the mass sending of automatically dialled, pre-recorded phone calls using VoIP. These messages are sent to several victims hundreds of times. SPIT messages are similar to their telephone counterparts; however, they are much more difficult to monitor and mitigate.
      As Voice over IP systems make use of computer systems, it is extremely easy to send massive amounts of voice spam to thousands of different VoIP users. VoIP technology also has many free and open source tools that are easily available (e.g. Asterisk and SIP). Such tools greatly simplify the job of the VoIP spammer. The main technology that is exploited to carry out SPIT attacks is the Session Initiation Protocol (SIP). SPIT attacks can be mitigated using a variety of techniques including:
      • Blacklisting and Whitelisting possible spammers
      • Audio CAPTCHAs
      • Reputation Systems
      • Consent based communication
    6. Caller Id spoofing
      Caller ID is used to identify the caller's information. Some devices have a built-in caller ID unit, while others need an external device attached to identify the caller's information. Having a caller ID device does not by itself let you see the caller's information; you need to call the service provider and request caller ID service, which is sometimes an optional service that comes at a price from the provider. Caller ID contains the time of the call, the duration of the call and the caller's information. Various websites can be used to spoof calls (e.g. spooftell, covertcalling); some of these websites are limited to specific countries. With spoofing, a call can appear to us to be a legitimate call from the bank asking for confidential information, which can further lead to data breaches.
    7. Registration Hijacking
      When a user agent (IP phone) is plugged in to a VoIP network, it tries to connect to the SIP server for registration, and the phone is available for use once registration is done. An attacker impersonates the user agent and tries to connect to the SIP server to become part of the network. When a registration is hijacked, the calls intended for a particular user are diverted to a rogue person and the entire VoIP network becomes messy. Registration can be hijacked because the registration method used in VoIP runs over UDP rather than TCP and the authentication mechanism from user agent to server is very weak. Scanners (SiVuS) are available to check the weakness of VoIP security, and registration hijacking is one such exploit that can be carried out.
    8. Viruses and malware
      There is little more to say about viruses and malware. Such threats can bring down the entire VoIP network or abuse VoIP usage. Malware posing as genuine software that leaks VoIP credentials or opens a remote backdoor on the target is common nowadays. Software phones are more vulnerable to such attacks.
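One way to watch for the registration hijacking described in item 7 is to audit the REGISTER requests a registrar accepts. This Python example is added here and is not from the original article; the alert names, the `example.test` domain and all sample messages are constructed, and it assumes the input contains only REGISTERs that the registrar answered with 200 OK.

```python
import re

URI = re.compile(r"sips?:(?:([^@>;\s]+)@)?([^:>;\s]+)")

def parse_sip(raw):
    """Split a SIP request into its method and a lower-cased header map."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" ", 1)[0], headers

def audit_registers(events):
    """events: (source_ip, raw_request) pairs for accepted REGISTERs (assumption)."""
    bindings, alerts = {}, []
    for src, raw in events:
        method, h = parse_sip(raw)
        to, contact = URI.search(h.get("to", "")), URI.search(h.get("contact", ""))
        if method != "REGISTER" or not to or not contact:
            continue
        aor = f"{to.group(1)}@{to.group(2)}"   # address-of-record being bound
        if "authorization" not in h:
            alerts.append(("accepted-without-auth", aor, src))
        if "/UDP" in h.get("via", "").upper():
            alerts.append(("udp-transport", aor, src))
        old, new = bindings.get(aor), (src, contact.group(2))
        if old and old != new:
            alerts.append(("binding-moved", aor, f"{old[1]} -> {new[1]}"))
        bindings[aor] = new
    return alerts

def reg(user, ip, transport="TLS", auth=True):
    """Build a constructed REGISTER request for the sample run."""
    lines = [
        "REGISTER sip:pbx.example.test SIP/2.0",
        f"Via: SIP/2.0/{transport} {ip}:5061;branch=z9hG4bKconstructed",
        f"To: <sip:{user}@example.test>", f"From: <sip:{user}@example.test>;tag=1",
        f"Contact: <sip:{user}@{ip}:5061>",
        "Expires: 3600", "Content-Length: 0",
    ]
    if auth:
        lines.append('Authorization: Digest username="%s", realm="example.test"' % user)
    return "\r\n".join(lines) + "\r\n\r\n"

SAMPLE = [  # constructed events, in arrival order
    ("10.0.5.21", reg("alice", "10.0.5.21")),
    ("10.0.5.22", reg("bob", "10.0.5.22")),
    ("10.0.5.21", reg("alice", "10.0.5.21")),                # routine refresh
    ("10.0.9.77", reg("alice", "10.0.9.77", "UDP", False)),  # binding moves
]

if __name__ == "__main__":
    print(*audit_registers(SAMPLE), sep="\n")
```

A moved binding alone is only a lead, since softphones legitimately change address; it becomes significant when it coincides with a registration accepted without authentication.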

Countermeasures

The various security issues mentioned above are major detriments to VoIP infrastructure and can cause large scale loss of money and intellectual property. Countermeasures for these security issues are given below in greater detail:

      1. Encryption
        Encryption has yet to be completely integrated into VoIP protocols; only end-to-end encryption techniques exist for current VoIP. The problem with encryption is that it may increase latency, jitter, bit error rate and error propagation, and affect bandwidth. As is often the case with encryption, the implementation details are crucial to success. One should also be aware of the various levels at which encryption can be applied. Application layer encryption can provide end-to-end coverage but increases covert channel problems at firewalls and guards because the traffic is encrypted. Virtual Private Networks (VPNs) and link encryption can be used at the network layer but may require decryption and re-encryption at various points, leaving the message exposed briefly at some nodes. However, encryption will also introduce delay, either during call setup or as latency during the session. If the encryption is not sufficiently fast, some form of voice compression may be required for effective use. The channel from the IP phone to the server can be encrypted using TLS. Signalling messages and voice streams are encrypted via TLS to establish secure and reliable data transfer between two systems.
      2. Firewalls
        The use of VoIP requires the adaptation of the firewalls in the network to allow access to the ports used by VoIP and to allow out the various protocols VoIP uses. Because an adversary could use these paths as well, configurations must be chosen carefully. Note that in this instance the concern is not so much about the impact on VoIP as about the effect of the introduction of VoIP equipment and traffic on the security of the pre-existing data network. In a similar vein, it is unclear how VoIP can be incorporated across a network boundary protected by a guard. The inclusion of firewalls in front of VoIP traffic can also lead to performance issues for the system, such as increased latency and jitter. Firewalls can also be used to mitigate DDoS attacks against VoIP networks.
      3. Traffic Analysis
        Deep packet inspection tools are essential to protect organizations from VoIP threats. VoIP packets are notoriously difficult to inspect, and stripping useful data from the traffic requires high-quality packet inspection tools. Such tools can attempt to look for hidden data within VoIP traffic; security devices such as NGFWs and UTMs offer deep packet inspection capabilities. These devices can analyze network traffic and attempt to detect data leaving the network and stop it before it does.
      4. Improved network Security
        Improved network security is important for VoIP security, particularly to prevent call interception. Wireless networks in the enterprise should be properly secured to prevent tampering and wardriving attacks, as they allow easy access to the VoIP network.
      5. Authentication mechanisms
        IP phones should carry certificates to verify their identity on the VoIP network. Ideally, the certificates in IP phones are signed by a certificate authority and are verified against the certificate store that is present on the server.
      6. Apply appropriate patches
        Apply appropriate patches to VoIP applications. All patches have to be applied via the ITIL framework to ensure they are deployed smoothly. A threat intelligence service can be subscribed to in order to get the latest patches and workarounds in a timely manner.
      7. Turn off unnecessary protocols
        Depending on the vendor you use, VoIP systems should be hardened by disabling unused services in the system. This limits the ability of intruders to exploit security vulnerabilities. Best practices and recommendations are available on all vendor sites or can be received by subscribing to a threat intelligence feed.
      8. Physical Security and Awareness
        VoIP gateways should be properly secured in data centers, and controls should be in place to prevent unauthorized physical access to such machines. The best prevention against vishing attacks is user awareness; proper training should be given to employees to ensure that they do not inadvertently release sensitive information to malicious third parties.
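For the firewall and traffic analysis items above, one approach is to allow media only towards endpoints that the SIP signalling actually negotiated and to flag any other UDP flow in the media port range, which also covers RTP streams used for exfiltration. The Python below is an added example, not from the original article; the function names, addresses and messages are constructed, and it assumes IPv4 SDP bodies and flow records already limited to the media port range.

```python
def sdp_audio_endpoints(message):
    """Return the (ip, port) pairs a SIP message's SDP body offers for audio."""
    body = message.partition("\r\n\r\n")[2]
    session_ip, media = None, []            # media entries: [kind, port, ip]
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if media:
                media[-1][2] = ip           # media-level c= overrides session-level
            else:
                session_ip = ip
        elif line.startswith("m="):
            kind, port = line[2:].split()[:2]
            media.append([kind, int(port.split("/")[0]), None])
    # Port 0 means the stream was declined, so it opens nothing.
    return {(ip or session_ip, port) for kind, port, ip in media
            if kind == "audio" and port}

def unnegotiated_flows(signaling, flows):
    """flows: (src_ip, src_port, dst_ip, dst_port) UDP flow records.
    Returns the flows whose destination no SDP body ever advertised."""
    pinholes = set()
    for message in signaling:
        pinholes |= sdp_audio_endpoints(message)
    return [f for f in flows if (f[2], f[3]) not in pinholes]

def sip_with_sdp(start_line, ip, port):
    """Build a constructed SIP message carrying a one-stream SDP body."""
    sdp = "\r\n".join([
        "v=0", f"o=- 1 1 IN IP4 {ip}", "s=call", f"c=IN IP4 {ip}",
        "t=0 0", f"m=audio {port} RTP/AVP 0", "a=rtpmap:0 PCMU/8000", ""])
    head = [start_line, "Content-Type: application/sdp", f"Content-Length: {len(sdp)}"]
    return "\r\n".join(head) + "\r\n\r\n" + sdp

SIGNALING = [  # constructed offer and answer
    sip_with_sdp("INVITE sip:bob@example.test SIP/2.0", "10.0.5.21", 40000),
    sip_with_sdp("SIP/2.0 200 OK", "198.51.100.7", 30000),
]
FLOWS = [      # constructed flow records
    ("10.0.5.21", 40000, "198.51.100.7", 30000),   # negotiated, caller to gateway
    ("198.51.100.7", 30000, "10.0.5.21", 40000),   # negotiated, gateway to caller
    ("10.0.5.44", 41000, "203.0.113.9", 30002),    # never offered in signalling
]

if __name__ == "__main__":
    print(unnegotiated_flows(SIGNALING, FLOWS))
```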

Conclusion

The number of VoIP implementations in organisations is changing dramatically, and many exploit tools have been introduced in the market to bring down VoIP systems. It is necessary for us to safeguard our VoIP systems by properly designing, deploying and analysing VoIP traffic on a daily basis. Organisations should be prepared to handle these types of attacks and closely consider new solutions to improve current practice.

Ryan Mazerik

Ryan has over 10 years of experience in information security, specifically in penetration testing and vulnerability assessment. He used to train and mentor consultants in these offerings to expand security delivery capabilities. He has a strong passion for researching security vulnerabilities and giving sessions on information security concepts.