Back in the 1970s, when the British Post Office ran the telephones, and its mascot Buzby encouraged us to "make someone happy", few could imagine the arrival of an Internet that would one day carry both voice and data. However, as more and more organisations implement Voice over IP (VoIP), we should not forget the lessons we've learnt about Internet and email security.

Cheap call charges means that talking over the Net is growing, and the most popular VoIP standard to emerge is SIP (Session Initiation Protocol). SIP is backed by the IETF (Internet Engineering Task Force) and enables anything from a simple two-way telephone call to a full multimedia conference session. It uses a request-response protocol that resembles HTTP and SMTP.

Unfortunately, this also makes it susceptible to the same attacks that plague Web applications and email, plus a few new ones. If you thought that email spam was bad, imagine arriving in the office on Monday morning to find that your voicemail contains hundreds of spam phone calls. Add the problems of identity theft, impersonation, session eavesdropping, voice mail bombing (vbombing), viruses, session hijacking and redirection, and it becomes clear that VoIP needs targeted security.

Evading inspection
One of the main problems is that SIP works on the application level and just like email messages, SIP traffic is simply routed past the firewall without inspection. This would not be a problem if all connections were from trusted sources, but when you open SIP up to allow communications from the Internet you cannot be sure the source is legitimate or its actions pure.

When the Internet and email first became popular there were very few attacks carried out, so security was not a priority. Today of course it is a different story, and security experts and analysts alike think that organisations should look back at the lessons learnt and apply them to their VoIP solutions now. This time there will not be a long delay before hackers and spammers move onto VoIP, and the more popular it becomes, the more they will look to exploit it.

There have been attacks that have affected VoIP for a few years. Code Red gave one major organisation a wake-up call when its network went down and with it the voice communication as well. It is annoying to lose either email or telephone links for several hours, but losing both could prove disastrous.

VoIP packets travel independently, and like all data packets they are vulnerable to being sniffed by off-the-shelf eavesdropping utilities. Packet sniffers not only allow a hacker to listen in, they can capture, replay and distribute the data files. Good encryption would improve security, but it would not stop someone carrying out a vbomb attack and leaving you 500 voicemail messages overnight - all that is needed for this is your phone number.

Cloning phones
As proven in 2004, hackers can reveal phone numbers that have been blocked by CallerID by routing the call through a VoIP line. From here it is just a hop, skip and a jump to spoofing the number. The concern is not just the fun of spoofing the CEO's phone line or having a few free long distance calls, it is that many businesses use CallerID to verify who the person is, from banks to pizza delivery. VoIP could bring a whole new meaning to identity theft.

In addition to spoofing an identity, a hacker can perform man-in-the-middle attacks including data interception and packet injection, and denial-of-service attacks by sending a cancel, goodbye or port unreachable message to the appropriate caller. Other DoS attacks involve sending malformed messages to a target phone or exploiting a buffer overflow vulnerability, causing the system to crash.

The potential for abuse is enormous. Before his demise, spoof posters of Buzby appeared with him bound and gagged to a telegraph pole. If you are implementing VoIP make sure you have all the risks covered, otherwise you might just find a hacker tying you up like Buzby.

Peter Cox is VP of BorderWare Technologies, which will be exhibiting at Infosecurity Europe on the 26-28th April 2005 in the Grand Hall, Olympia.