First we had viruses, then rootkits, now we have ransomware. One thing is certain: the next bit of malware technology is currently under development and will be with us soon. Even systems like VoIP are under attack and are being used as portals to gain access to corporate information.
What kind of threats are currently being seen in VoIP systems and how are they to be countered?
The first thing to understand is that, because VoIP is based on IP technologies, it is vulnerable to all the malware and attack techniques that are inflicted on IP networks. The second is that VoIP goes over the Internet, and while you can contain and manage IP security in your internal closed corporate network, you are at the mercy of third-party service providers whose security systems vary in quality. The third, and one often forgotten, is that all devices in the VoIP network are IP devices and are therefore vulnerable to all the threats found with other IP devices. That must be factored into the overall data and voice protection scenario.
Packet Loss and Denial of Service
VoIP systems are vulnerable to certain types of interference. Packet loss may not be the biggest issue in data networks, because lost packets can be requested again, but packet loss will affect the quality of voice traffic. The SQL Slammer worm in January of this year affected packet switching and gave rise to serious questions about VoIP reliability.
A further question is address spoofing. Unlike telephone numbers, IP addresses are not centrally controlled. This provides an opportunity for DDoS attacks to use spoofed addresses to bring down a corporate VoIP PBX, in effect making it give out a continuous “engaged” tone.
Interception of Calls and Illicit Monitoring of Calls
Currently, formal encryption standards for VoIP calls have not been adopted. Cisco and Microsoft are pushing for the SIP protocol to have the ability to establish an encrypted session between two endpoints. Interoperability between SIP implementations is becoming widespread. The biggest current drawback is that there is no authentication built into the protocol as yet, leading to a potential for identity theft and for intercepting already open calls. H.323 is an alternative, but has performance implications. Some observers think that problems with Quality of Service are a greater threat than hacking.
So, how easy is it to hack into a VoIP call and listen to it or record it? Not easy at all. It takes a lot of effort. Because most sites have implemented security measures against this type of activity for data, and VoIP is basically data at this stage, you should be protected. In short, with well-structured and comprehensive data protection you are far better protected than under traditional POTS systems.
Even if an attacker has gained access to the corporate network, he needs to identify the correct stream of packets out of many packet streams, drill down to the voice packets, decode them and record the conversation. All in real time. Not very likely. You are more likely to lose information by someone overhearing an unguarded call in a public place.
To summarise, VoIP calls are extremely difficult to compromise, particularly when operated over a secure data network. Indeed, there is some concern that some VoIP systems are too secure to allow for successful court-sanctioned wire-tapping.
Theft of Service
Theft of Service occurs when an unauthorised user comes onto your network and uses it to make internet-based calls, or when an authorised user makes calls above their normal security level. This occurs far more often over a wireless-based network. Simply put, the infiltrator logs onto the WiFi network and makes calls by using software on a cellphone handset. Office-based use requires the insertion of a physical handset. A variation on this theme is to use improperly configured handsets, or to deliberately reconfigure a handset.
This can lead to billing issues, particularly if the spurious calls are logged against a real user account. This is most often overcome by restricting the ability to configure a handset and by implementing device and user authentication.
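One way to audit call records for the two theft-of-service cases described above (a handset that was never provisioned for the account, and an authorised user calling above their permitted level). This is an added example, not part of the original article; the record fields, call classes, provisioning table and sample records are all constructed assumptions.

```python
"""Flag theft-of-service indicators in VoIP call records (illustrative)."""
from dataclasses import dataclass

# Call classes ordered from least to most privileged (assumed scheme).
CALL_CLASSES = ["internal", "national", "international"]

@dataclass(frozen=True)
class CallRecord:
    user: str        # account the call was billed to
    device_id: str   # handset identifier presented at registration
    call_class: str  # class of the dialled destination

# Constructed provisioning data: which handsets each user may use and
# the highest call class that user is allowed to dial.
PROVISIONED = {
    "alice": {"devices": {"00:11:22:aa:bb:01"}, "max_class": "international"},
    "bob": {"devices": {"00:11:22:aa:bb:02"}, "max_class": "national"},
}

def check_call(rec: CallRecord) -> list[str]:
    """Return the list of policy violations for one call record."""
    findings = []
    profile = PROVISIONED.get(rec.user)
    if profile is None:
        return ["unknown-user"]
    # Device authentication: the handset must be one provisioned for the user.
    if rec.device_id.lower() not in profile["devices"]:
        findings.append("unregistered-device")
    # User authorisation: the call must not exceed the user's permitted class.
    if CALL_CLASSES.index(rec.call_class) > CALL_CLASSES.index(profile["max_class"]):
        findings.append("above-permitted-class")
    return findings

def audit(records: list[CallRecord]) -> dict[int, list[str]]:
    """Map record index -> findings, for records with any violation."""
    return {i: f for i, rec in enumerate(records) if (f := check_call(rec))}

# Constructed sample records.
SAMPLE = [
    CallRecord("alice", "00:11:22:aa:bb:01", "international"),  # legitimate
    CallRecord("bob", "00:11:22:aa:bb:02", "international"),    # above level
    CallRecord("bob", "de:ad:be:ef:00:99", "national"),         # rogue handset
    CallRecord("mallory", "de:ad:be:ef:00:99", "internal"),     # no such account
]

if __name__ == "__main__":
    for idx, findings in audit(SAMPLE).items():
        print(idx, SAMPLE[idx].user, findings)
```

Calls flagged as "unregistered-device" against a real account are the ones that produce the billing disputes mentioned above.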
Data Theft
Some organisations have strict controls over export of corporate data and have restrictions on data transmission over normal data channels. VoIP has the capability to operate media feeds and transmit data when it is used to support collaborative work sessions using video conferencing or Skype. This is a management rather than a technical issue.
Import of Malware
On a similar note, data incoming via a media feed over VoIP has the potential to bypass normal malware checks.
VoIP systems, because they traverse the same networks as other IP traffic, are inherently secure, provided of course that the data network over which they operate is itself properly configured and secured. Deploying VoIP systems means adjusting firewall configurations and malware protection systems. VoIP systems must be considered an integral part of the overall network architecture, and included in network security and protection review and deployment.