Sticking your head above the parapet and talking about security threats on Voice- Over-IP (VoIP) networks is a dangerous business. Peter Cox discusses his proof-of-concept VoIP hacking tool.
A recent Techworld news story on SIPtap, a proof-of-concept demonstrator I wrote to illustrate the problem of VoIP call eavesdropping, resulted in a flurry of postings accusing me of scaremongering. Most of the negative comments fell into one of three categories. Firstly that the eavesdropping threat would work only if encryption and other security controls were turned off; secondly that the issue of VoIP security was well understood; thirdly that securing VoIP network is really just the same as securing any other IP application. One posting included the comment:
“Many of the [VoIP] security precautions should already be in place if your network and IT environment is secure.”
On the plus side, the article generated as many positive comments thanking me for highlighting the eavesdropping threat.
So what is the reality? Are such stories just hype or are there a set of threats and risks unique to VoIP protocols and applications that merit special attention? To answer this it is necessary to draw some comparisons between VoIP and other network applications.
VoIP as its name suggests runs on an IP network. This means that it shares a common set of security threats and vulnerabilities with other IP applications such as web and email. These threats and vulnerabilities include all the IP network level threats that web masters and email administrators deal with on a daily basis; threats which are addressed with standard network security technologies and good network design.
In addition to this set of network level threats VoIP applications also face a set of protocol and application specific threats and a set of content related threats.
The protocol and application specific threats stem from the design and implementation of the protocols and the services that VoIP applications deliver. VoIP protocols are complex. This is partly because VoIP aims to provide a real time communication service on an IP network and partly because VoIP protocols have to provide an interface to the standard phone system and mirror some of the features and facilities we have become dependent on after a lifetime’s use of both fixed and mobile phone services.
In addition virtually all VoIP applications provide a rich set of non-voice services such as video conferencing, presence services (providing information on a person’s availability and indicating the best contact options) and even Instant Messaging and paging services. Protocol and application threats include a range of flooding attacks and call disruption threats. Disruption threats include call termination attacks were a malicious attacker can simply cut-off a call and hijacking attacks where an attacker can take over a call. Many of these VoIP application specific threats have no direct analogue in any other network application.
Content related security threats affect the “content” of a VoIP call; a person to person call, a voice conference call or a video call. The threats in this category include simple unauthorised call monitoring or eavesdropping (as demonstrated in my SIPtap utility) and hijacking or injection threats where an attacker takes over a call or injects a voice or video stream to obscure or replace the original conversation. While VoIP content related threats have their analogues in email and web, for example email spam and malicious or inappropriate web content, the technologies behind a VoIP hijack or injection are clearly different from those technologies responsible for email spam and malicious web content.
Both VoIP content and protocol and application security threats are real and can be demonstrated. The call eavesdropping demonstrator described in the story on SIPtap is just one example. Other demonstrable threats include a range of flooding attacks, call termination attacks, call hijacking attacks and set of denial of service attacks that are unique to VoIP. While these are known threats and while I make no claim to be the first to discover these threats, are certainly not common knowledge.
It is possible to protect against all of the known VoIP threats. Standard security technologies and practices such as using Firewalls and implementing good design and operational policies are a good and necessary step but do not provide the whole answer. Standard security technologies will address standard threats, but a specialist measures need to be taken to fully address many of the VoIP specific threats. This should come as no surprise as specialist security products such as spam filters, web content control and access policy systems exist for email and web applications. VoIP is considerably more complex than either of these applications.
Just as specialist security technologies are needed to protect VoIP networks, so specialist testing and analysis technologies are needed to identify security vulnerabilities. The standard penetration and testing tools can do a good job of finding network level vulnerabilities, but lack the ability to detect man of the VoIP application, protocol and content threats.
So is the threat of VoIP call eavesdropping just hype and should this label be attached to all the other VoIP security threats that can be demonstrated? In my view the answer is a clear no, these threats are real. While it is true that security controls exist to protect against these threats, no amount of technology will help until VoIP network managers are aware of both the existence and scope of these risks.
Finally to address the criticism that the SIPtap would work only if encryption and other security controls were turned off, a recent SIPit event held in Beijing in November 2007 reported that only 25 percent of tested systems supported SRTP. SRTP is an agreed standard for encrypting VoIP calls and SIPit is a SIP interoperability workshop. While it can be argued that at this event the sample size was small, this statistic shows that turning off encryption to demonstrate a theoretical threat is not the issue. The challenge is one of raising awareness of the issue to the point where more vendors of VoIP systems build encryption into their products.
Peter Cox, who co-founded firewall company Borderware, is currently running a three-day workshop that examines the VoIP protocol and application specific threats. He can be contacted at [email protected], or through his website Voipcode.org .