VoIP Security
What are the potential security risks when using VoIP?
VoIP vulnerabilities are typically similar to the ones users face on the Internet, although some attacks unique to IP telephony are now emerging.
Specific vulnerabilities that can be exploited include:
Criminal (fraud), e.g. vishing and caller ID spoofing
Malicious disruption, e.g. DoS attacks
Unsolicited calls, e.g. SPAM over Internet Telephony (“SPIT”).
Are there more risks to a VoIP service than a traditional phone service?
All new or emerging technologies offer both opportunities and vulnerabilities, particularly if the scale of their adoption is potentially enormous.
Many of the motivations to attack VoIP users are the same as those behind attacks on traditional telephone services: to benefit financially, via toll fraud and identity and information theft, and to gain notoriety by disrupting service and inconveniencing users. Such attacks are similar to those seen on cellular and landline phones for years.
Other attacks are the all-too-familiar ones seen against networked computers. VoIP phones and computers running VoIP software (softphones) are more computer than phone: they have operating systems and file systems, use Internet protocols, and run data and management applications as well as voice applications. They are vulnerable to unauthorized access, privilege escalation and “system” misuse. Viruses, worms, and all the “classic” denial-of-service attacks that exploit network protocols are possible.
What is a Denial-of-Service attack?
A Denial-of-Service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or Web service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.
In VoIP telephony, a DoS attack can overwhelm a company’s phone lines, producing long-term busy signals and forcing calls to disconnect.
What is SPIT?
SPIT, or SPAM over Internet Telephony, is the proliferation of unwanted, automatically dialled, pre-recorded phone calls using VoIP. VoIP systems, like email and other Internet applications, are susceptible to abuse by malicious parties who initiate unsolicited and unwanted communications. Telemarketers, prank callers and other telephone system abusers are likely to target VoIP systems increasingly.
Up to now there have not been many instances of VoIP spam, but there is great potential for it to become a major problem. SPIT could be generated in a similar way to email spam, with botnets targeting millions of VoIP users from compromised machines.
The real-time nature of voice calls will make dealing with SPIT much more challenging than email spam. While emails can sit on a server to go through a spam filter, calls need to be filtered or detected in a real-time environment.
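The two patterns described above, a flood of call attempts against one destination (DoS) and a single source machine-dialling many recipients with very short calls (SPIT), can both be spotted in call records as they arrive. The following Python is an added example, not code from the original page or from any vendor; the log format, the thresholds and the sample records are constructed for illustration and would need tuning against a real PBX.

```python
"""Added example: flag a call flood against one destination (DoS) and a
source robodialling many recipients with very short calls (SPIT) in SIP
INVITE records. Log format, thresholds and data are constructed for this
example, not taken from any real PBX."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records: timestamp, source IP of the INVITE, claimed
# caller number, called number, call duration in seconds.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z INVITE src=198.51.100.7 from=+15550100 to=+15550200 dur=95
2024-05-01T09:00:01Z INVITE src=203.0.113.10 from=+15559001 to=+15550300 dur=2
2024-05-01T09:00:03Z INVITE src=203.0.113.10 from=+15559001 to=+15550301 dur=3
2024-05-01T09:00:05Z INVITE src=203.0.113.10 from=+15559001 to=+15550302 dur=2
2024-05-01T09:00:07Z INVITE src=203.0.113.10 from=+15559001 to=+15550303 dur=1
2024-05-01T09:00:09Z INVITE src=203.0.113.10 from=+15559001 to=+15550304 dur=2
2024-05-01T09:00:20Z INVITE src=192.0.2.1 from=+15551000 to=+15550500 dur=0
2024-05-01T09:00:20Z INVITE src=192.0.2.2 from=+15551001 to=+15550500 dur=0
2024-05-01T09:00:21Z INVITE src=192.0.2.3 from=+15551002 to=+15550500 dur=0
2024-05-01T09:00:21Z INVITE src=192.0.2.4 from=+15551003 to=+15550500 dur=0
2024-05-01T09:00:22Z INVITE src=192.0.2.5 from=+15551004 to=+15550500 dur=0
2024-05-01T09:00:22Z INVITE src=192.0.2.6 from=+15551005 to=+15550500 dur=0
2024-05-01T09:00:23Z INVITE src=192.0.2.7 from=+15551006 to=+15550500 dur=0
2024-05-01T09:01:30Z INVITE src=198.51.100.8 from=+15550101 to=+15550201 dur=240
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) INVITE src=(?P<src>\S+) from=(?P<frm>\S+) "
    r"to=(?P<to>\S+) dur=(?P<dur>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "from": m["frm"],
            "to": m["to"],
            "dur": int(m["dur"]),
        })
    return records


def detect_invite_flood(records, window_s=5, threshold=5):
    """DoS check: callees that receive at least `threshold` INVITEs within any
    `window_s`-second sliding window. Returns {callee: peak count}."""
    times_by_callee = defaultdict(list)
    for r in records:
        times_by_callee[r["to"]].append(r["ts"])
    flagged = {}
    for callee, times in times_by_callee.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it is within window_s of t.
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[callee] = peak
    return flagged


def detect_spit_sources(records, min_distinct_callees=5, max_avg_duration=5.0):
    """SPIT check: a source that reaches many distinct numbers with very short
    calls looks like an automated dialler. Returns {src: stats}."""
    calls_by_src = defaultdict(list)
    for r in records:
        calls_by_src[r["src"]].append(r)
    flagged = {}
    for src, calls in calls_by_src.items():
        distinct = {c["to"] for c in calls}
        avg_dur = sum(c["dur"] for c in calls) / len(calls)
        if len(distinct) >= min_distinct_callees and avg_dur <= max_avg_duration:
            flagged[src] = {"distinct_callees": len(distinct),
                            "avg_duration": avg_dur}
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("flooded callees:", detect_invite_flood(recs))
    print("likely SPIT sources:", detect_spit_sources(recs))
```

The flood check keys on the destination, because a DoS against a company's lines arrives from many sources; the SPIT check keys on the source, because a robodialler is one origin fanning out to many recipients. Both run on a sliding window of recent records, which is what the real-time constraint above demands: there is no queue of stored messages to filter at leisure.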
What is Vishing?
Vishing is the criminal practice of using social engineering over the telephone system to gain access to private, personal and financial information from the public for the purpose of financial reward. The term is a combination of “voice” and “phishing”. Vishing exploits the public’s trust in landline telephone services, which have traditionally terminated in physical locations known to the telephone company and associated with a bill-payer. Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals.
(Social engineering is the act of manipulating people into performing actions or divulging confidential information)
What is Caller ID spoofing?
Caller ID spoofing is the practice of causing the telephone network to display a number on the recipient’s caller ID display which is not that of the actual originating station; the term is commonly used to describe situations in which the motivation is considered malicious by the speaker. Just as e-mail spoofing can make it appear that a message came from any e-mail address the sender chooses, caller ID spoofing can make a call appear to have come from any phone number the caller wishes. Because of the high trust people have tended to have in the caller ID system, spoofing can call the system’s value into question.
For example, an attacker could possibly inject a bogus caller ID into an ordinary VoIP call so that the receiver believes the call to be coming from a known and trusted source (a bank, for example). The receiver, fooled by the electronic identification of the caller, may place unwarranted trust in the person at the other end. In such an exchange, the receiver may be tricked into disclosing personal information such as account numbers, social security numbers, or a secondary authentication factor, such as a mother’s maiden name. This scheme is essentially the VoIP version of traditional phishing, where a user follows links in an unsolicited email and is tricked into providing personal information on a bogus website. Attackers may use these bits and pieces of personal information to complete partial identity records of victims of identity theft.
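In SIP, the caller ID a phone displays comes from the From header of the INVITE, which is plain text chosen by whoever sent the request, so the receiving side cannot distinguish a spoofed value from a genuine one by inspecting the header alone. The following Python is an added example, not code from the original page: it parses the From header and applies a hypothetical policy (the trunk names, own-number prefix and trusted-institution list are all assumptions made for the example) so that a caller ID claiming a trusted number over a path that does not vouch for it is flagged rather than displayed as trustworthy.

```python
"""Added example: treat the caller ID carried in a SIP INVITE as an
unverified claim, and flag claims that should not arrive over an
unauthenticated path. The INVITE, trunk names and policy lists are all
constructed for this example."""
import re

# Constructed INVITE: the From header is simply text supplied by whoever sent
# the request, which is why a spoofed caller ID looks identical to a real one.
SAMPLE_INVITE = """\
INVITE sip:+15550200@pbx.example.com SIP/2.0
Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds
From: "Example Bank" <sip:+15550100@203.0.113.10>;tag=1928301774
To: <sip:+15550200@pbx.example.com>
Call-ID: a84b4c76e66710@203.0.113.10
CSeq: 314159 INVITE
"""

FROM_RE = re.compile(
    r'^From:\s*(?:"(?P<name>[^"]*)"\s*)?<?sip:(?P<num>[^@>;]+)@',
    re.MULTILINE | re.IGNORECASE,
)

# Hypothetical policy (assumed for the example):
# - numbers that belong to the organization's own extensions
# - numbers of institutions staff are told to trust (e.g. their bank)
# - trunks on which the carrier or an authenticated peer vouches for caller ID
OWN_NUMBER_PREFIX = "+155502"
TRUSTED_INSTITUTION_NUMBERS = {"+15550100"}
AUTHENTICATED_TRUNKS = {"carrier-trunk-1", "bank-sip-peer"}


def parse_from_header(invite_text):
    """Return (display_name, number) from the From header, or None."""
    m = FROM_RE.search(invite_text)
    if not m:
        return None
    return (m["name"] or "", m["num"])


def classify_caller_id(invite_text, ingress_trunk):
    """Return (number, display_name, verdict). Verdicts:
    'verified'   - arrived over a trunk that vouches for caller ID
    'suspicious' - claims an own-extension or trusted-institution number
                   over a path that does not vouch for it
    'unverified' - any other claim; present it to users as unverified"""
    parsed = parse_from_header(invite_text)
    if parsed is None:
        return (None, "", "unverified")
    name, num = parsed
    if ingress_trunk in AUTHENTICATED_TRUNKS:
        return (num, name, "verified")
    if num.startswith(OWN_NUMBER_PREFIX) or num in TRUSTED_INSTITUTION_NUMBERS:
        return (num, name, "suspicious")
    return (num, name, "unverified")


def display_label(invite_text, ingress_trunk):
    """Label shown on the phone: the verdict always travels with the number,
    so a trusted-looking display name never appears on its own."""
    num, name, verdict = classify_caller_id(invite_text, ingress_trunk)
    shown = f"{name} {num}".strip() if num else "unknown caller"
    return f"{shown} [{verdict}]"


if __name__ == "__main__":
    # Same INVITE, two ingress paths: one the policy trusts, one it does not.
    print(display_label(SAMPLE_INVITE, "internet-sip-peer"))
    print(display_label(SAMPLE_INVITE, "bank-sip-peer"))
```

The point of the policy is that the display name and number are never judged on their own content, only on which path carried them: the same "Example Bank" header is shown as verified when it arrives over the peer the bank is known to use, and as suspicious when it arrives from an arbitrary Internet host.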