VoIP: A New Frontier for Security and Vulnerabilities Introduction to Voice over IP Technology The promise of extremely cheap telephone service, utilizing the Internet to transmit voice, has made voice over IP an attractive and profitable idea. Vonage (web) and other service providers entice consumers by charging a flat, monthly rate for unlimited long distance in the U.S. and Canada; the rate is often less than it would cost for a regular phone line without any long distance charges. An entity with an enormous call volume, such as a worldwide retail corporation, could benefit from tremendous cost savings by transitioning all of its telephony networks to VoIP. Voice over IP uses a server to connect all telephones in a local area network and act as a gateway for VoIP packets traveling to and from the Internet. Consumers with broadband internet connections can purchase VoIP handsets or routers with an RJ-11 jack to connect regular telephones. Businesses must implement a VoIP application server to handle corporate telephone use, much like mail servers are used to manage email.
The Internet Protocol Private Branch eXchange (IP PBX) is telephone equipment used by private companies, rather than telephone service providers, for the management of VoIP calls placed on the data network. When considering VoIP, organizations should focus on necessary quality of service (QoS) requirements, the cost to implement, and a number of security precautions needed to protect the network (Mullins, 2005). Protocols The two most common protocols central to VoIP are Session Initiation Protocol (SIP) and H. 323. Both also rely on a number of other protocols, such as DNS and ENUM, in order to locate and navigate to other hosts on the Internet. SIP first uses either TCP or UDP to signal a host on port 5060; then the Real-Time Transport Protocol (RTP) is used to transmit an audio stream over UDP ports 16384 through 32767 (Mullins, 2005).
It is a broader specification, generally used to connect network devices to servers or other kinds of control equipment. SIP supports user authentication and the transmission of any type of media, including audio, video, and messaging. On the other hand, H. 323 is a bit more complex, deriving much of its design from legacy communication systems. Some would argue that it is also better, having already experienced and solved communication problems in the past. H. 323 utilizes unica st and multi cast on UDP port 1718 to locate the gateway; then remote access service (RAS) is started on UDP port 1719. H. 225 and H. 245 are also used for call signaling over TCP port 1720 and data transmission over TCP ports 1000 through 65535 (Mullins, 2005).
Security Concerns As with any new technology of the Information Age which has had groundbreaking implications for the way we communicate electronically, IT managers have been wise to greet voice over IP with some skepticism. After all, VoIP is a service that utilizes the Internet to transmit data, much like web browsers, email, or any other networked application. In that case, security should definitely be a major concern for anyone who is considering the adoption of VoIP telephone service. As Korzeniowski (2005) writes, "VoIP features all of the security problems inherent with IP communications and adds a few new items to the mix". The Internet The benefits that voice over IP offer must be acknowledged with these security concerns in mind.
Unfortunately for simplicity's sake, VoIP is not just a replacement for traditional phone systems operating on the PSTN (Public Switched Telephone Network). Indeed, we often take for granted the security we enjoy on the PSTN, which is by nature more secluded than Internet transmissions. A dedicated circuit handles only the relevant parties involved in communicating (normally only two in a typical two-way telephone call), making breaches or intrusions very uncommon. This is much unlike a typical link on a data network which may handle many IP transmissions at once. In fact, any host that sends or receives data on the Internet is as accessible to the public as the host's security permits.
This also includes the actual IP packets going to and from the host on public lines, which may be intercepted by other parties. Given the nature of VoIP as an Internet application, we can assume a number of security risks based on those we attribute to any Internet-based application. We should be especially wary of new technology that has yet to receive much attention in the areas of security / vulnerability corrections or known attack methods. Rend on writes, "There hasn't yet been a widely publicized attack on a voice system", but he interviews a few business technology professionals who either believe attacks have occurred or at least acknowledge that a thorough security assessment is required to protect from the many possible modes of attack (2004). One can only imagine what sort of havoc a hacker could unleash upon a company with a vulnerable VoIP system. The VoIP server and all of its administrative capabilities could be usurped, as well as individual telephone and voicemail systems.
The hacker may intercept and listen to calls occurring on the company's network or use the corporate phone system to call expensive, long-distance numbers. Compromising a company's telephony capabilities could impede important business functions, resulting in monetary damages. Eavesdropping One particular concern would likely pique the interests of consumer and business minds alike: the idea that your conversations and voicemail's could become a downloadable mp 3 on the Internet. Similarly to the way hackers have traditionally sniffed IP packets on a data network to study what is being sent, eavesdroppers could intercept VoIP packets, potentially recording and / or listening in on an entire conversation or voicemail. Caller ID Spoofing As VoIP services have begun emerging on the Internet, so have some competitive but highly controversial services. Caller ID spoofing can allow anyone with an Internet connection and a VoIP handset or software application, to place VoIP calls appearing from fabricated or misleading (spoofed) names and numbers.
Obviously, this presents a breakthrough opportunity for prank callers, but it can also be a clever ploy for telemarketers and scam artists. Gordon describes a situation that occurred late last summer when people all over the U.S. and Canada started getting phone calls from a Twin Cities phone number. A voice recording would offer deals on wireless phone services. But when people dialed the displayed caller ID number, they were connected to a local-area Minneapolis janitorial business (2005). With modern computer processing power connected to the Internet, telemarketers can launch massive amounts of voice recordings to telephones and voicemail boxes everywhere.
This form of mass solicitation has been called SPIT (spam over Internet telephony). The use of caller ID spoofing to scam people may push VoIP into the legal spotlight. It could become impossible to verify the authenticity of a caller. Is it the bank or a scammer looking for credit card numbers? Is it really the professor or my friend pulling a prank? Western Union uses caller ID to verify that the displayed home phone number and name matches the identity of the person wishing to wire money.
A credit card thief could spoof the caller identity of his victims and perform anonymous fraudulent money transfers without having to buy anything (Sullivan, 2005). In fact, any system that verifies people based on caller ID-such as voicemail boxes with no password-is put at risk. IP Spoofing In similar ways that hackers might sniff VoIP packets to eavesdrop on conversations, they may also take note of the hosts' IP addresses and any authentication or command / control messages that were sent. This information may be used to spoof a phone's IP address in an attempt to gain access to the VoIP server or equipment.
Session Initiation Protocol Because SIP is a broad standardization with a range of applications, it can be studied fairly easily on the Internet. This provides an easy forum for hackers to exchange information about possible vulnerabilities or exploits in SIP. For instance, open source IP PBX software that operates using SIP can be downloaded for free on the web, making it only a matter of effort to simulate one's own VoIP-SIP security system. Consumers can even purchase inexpensive SIP phones intended for VoIP service. Supporters of the H. 323 protocol often consider security to be a risky issue with SIP, although contrary opinions have created some debates surrounding the future of VoIP's position concerning security and secure protocols. Addressing Concerns Host-Hardening Before investing in a voice over IP system, available hardware and operating system combinations used to run VoIP software must be researched and evaluated.
Possible operability, QoS, security, and cost impacts of implementation should be separately addressed. If any component suffers from inherent vulnerabilities, it may compromise the entire VoIP system. Effective measures should be taken to apply all available security patches and assess any relevant risk associated with remaining vulnerabilities. Like any application server, host-hardening is an essential step for VoIP servers. To protect the VoIP network from DoS attacks, it should use a different IP addressing scheme than the one used for the regular data network. This will also make it more difficult for a host on the computer network to directly access VoIP devices, should it be misused or taken over.
Antivirus software should be in place on the server, but companies should also explore antivirus solutions for employee handhelds and mobile phones. A virus that infects one of these could access a company computer during synchronization and compromise the network. Architecture When evaluating the security strength of a new VoIP system, the entire network architecture should be put in context. In addition to server-hardening, clients should also be hardened to the available extent, providing defense in depth on the VoIP network. A company may choose to require that VoIP handsets be authenticated on the network to prevent IP address spoofing. In some cases, default or weak user-defined passwords may be in use for VoIP authentication.
A strong password system should be enforced to make sure that only the right people are able to place calls over the network. Product functionality enhancements also play a role in improving the defense of VoIP networks. Many VoIP packages are bundled with firewalls and other security tools. These tools can monitor network traffic, detecting any signs of suspicious activity, such as spoofing or DoS attacks. Vendors of VoIP equipment such as Avaya, Cisco, Nortel, Siemens, and 3 Com have begun implementing new security features, such as restricting the number of MAC addresses on a port (making it harder to spoof network devices). Encryption Definitely a primary focal point for voice over IP security, encrypting VoIP traffic is the only established way to provide VoIP users with the assurance of confidentiality and safer authentication.
Unfortunately, companies must also take into consideration any QoS impacts that various cryptographic systems will have on their network. As the amount and complexity of need encryption routines increases, so does the necessary computer processing time and network bandwidth requirements. Encryption can increase congestion and bog down performance. Therefore, companies need to determine which risks must be addressed and what level of encryption will suffice. Some calls may not be sensitive in nature and do not require full protection from eavesdropping.
Instead, only the initial authentication process may require encryption. Confidential calls, on the other hand, may require sustained encryption to protect from any data being leaked onto the Internet. Suppliers now offer Virtual Private Network (VPN) functionality for providing a secure tunnel between two VoIP devices. To further secure VPN links, VPN features may also be maintained on their own virtual LAN (VLAN), delegating all VLAN data transmissions through regulated checkpoints, rather than just any endpoint. Possibly even more crucial than thwarting eavesdroppers, encryption is used to protect authentication and call control information between the VoIP server and device. Call control information includes all of the necessary instructions needed to move data from a sender to a receiver.
A hacker with access to authentication or call control information could become a dangerous one, performing control routines by spoofing legitimate network devices (Korzeniowski, 2005). Future VoIP Security Developments Protocol Developments A group of telecommunication and security companies was formed to sponsor research and share knowledge about the securing of VoIP networks. Called the VoIP Security Alliance (VoIPSA), these companies have chosen the advantages of teamwork over attempting to singularly master VoIP security to gain a competitive edge. Even though few attacks have targeted VoIP systems thus far, with VoIP consumers predicted to number twelve million by 2010 in the U.S. alone, it may only be a matter of time (McArdle, 2005). Without a doubt, VoIPSA is involved with some of the recommendations and expertise behind current VoIP protocol developments. The International Telecommunication Union (ITU) is in the process of drafting a universal X. 805 standard, which will provide security protection across a variety of network applications.
Among the features of X. 805 include support for secure network signaling, using SIP. At the same time, SIP is going through the Internet Engineering Task Force's (IETF) standards process. Revisions are expected to ease many security concerns surrounding the protocol and will likely coincide with new functions found in X. 805. Hall presents the view of Kevin Fec her, CEO of Open Air Technologies Inc. and supporter of VoIP using SIP. He considers the H. 323 protocol "far more complex to manage than SIP is" (2005). SIP supporters tend to praise the protocol for its simple administration ability and support for all types of media.
Once the ITU and IETF reach a set of new standards and SIP is perceived as secure, it may gain many more supporters. Wireless Voice over IP Most in the IT industry would agree that wireless VoIP will be the next big thing. It has already made a few small appearances, and talk of phones that can roam between wireless LAN and cellular site access is surfacing. As Wi Max reaches more cities in the U.S., it may be soon before we rarely require the use of cell sites because a cheaper IP address is waiting to be snatched from the airwaves.
It goes without saying then that this realm of VoIP will introduce an entire new set of security implications. Concluding Thoughts The technologically savvier and wiser corporate workforce of today has exercised a fair amount of trepidation with the introduction of VoIP. I believe that allowing security issues to catch up with new technology is vital for preserving hope and interest in the technology. A careful vigil of potential vulnerabilities has been started by the VoIPSA and current protocols are already under development before they have become a widespread problem. I think that symmetric encryption is vital for authentication, signaling, and other call control messages between VoIP devices. A smart card system would be more convenient for users logging into their phones, and strong passwords must be used.
The company must determine the necessary level of encryption required on each specific call basis. On the consumer end, people will need to be patient in the battle against spammers and the whole freedom of speech debate. I believe VoIP spam should be treated similarly to the way email spam is. Users should have a way to stop receiving the spam from callers or block certain IP addresses. Telephone companies should provide a service that tells whether the caller is using VoIP or not. This way, consumers can know if the number is a possible spoof.
Reference List Gordon, J. (2005, March 9). Caller ID spoofing an emerging VoIP security threat. American Public Media. Retrieved March 24, 2005 from the World Wide Web: web M. (2005, March 21). SIP tips VoIP into secure. Computerworld.
Retrieved March 24, 2005 from the World Wide Web: web P. (2005, February 16). Why VoIP is raising new security concerns. IT Manager's Journal. Retrieved March 24, 2005 from the World Wide Web: web D. (2005, February 18). Group tackles VoIP security fears.
Electric News. Net. Retrieved March 24, 2005 from the World Wide Web: web M. (2005, November 3). Doing the VoIP security groundwork. CNET Asia.
Retrieved March 24, 2005 from the World Wide Web: web J. (2004, December 8). The security risks of VoIP. CIO News. Retrieved March 24, 2005 from the World Wide Web: web g ci 1032194, 00. html.
Sullivan, A. (2005, March 21). Scam artists dial for dollars on Internet phones. Computerworld. Retrieved March 24, 2005 from the World Wide Web: web.