The Voice over IP Security Alliance (VoIPSA) was formed in 2005 to create VoIP-specific security resources. According to VoIPSA chairman and founder, David Endler, who is director of security research for TippingPoint, VoIP is susceptible to the same types of attacks that threaten other network applications - and there are potential new threats ahead.
What new VoIP threats do you see out there?
We saw the first voice phishing attack. It looks much like the traditional email phishing attack except that, instead of tricking or inducing your victim to click on a spoofed link to take them to a website, you're actually tricking them to dial a phone number that takes them to a spoofed automated attendant.
If I can trick you into calling a number that you think is Bank of America, then I can ask you to enter in your account info and your PIN number and even other verification details. Then the hacker can go in and reconstruct those tones after the fact and use them to access your account.
What other new threats have you seen?
The rest of them are more mischievous or not necessarily as financially motivated. Things like redirecting someone's incoming calls to yourself might become a problem. Registration hijacking is the way you would do that. The way these phones work is when I take my VoIP phone and plug in, the PBX knows that I am where I am basically by my IP address, and all incoming calls to me go to my office phone.
But if I go on the road and I take my phone or I use the softphone on my laptop, I'll want incoming calls to go there. Registration hijacking is tricking the PBX into thinking that someone has moved and then having all their calls directed to the wrong IP address.
There's also something called an invite flood, which is more for an SIP-based network. This is about making someone's phone ring off the hook. It's like a flooding attack on the application side.
What can you do about that?
Enabling encryption and authentication on the VoIP side helps. That way you can't necessarily spoof messages to the PBX as easily.
Do general network attacks affect VoIP more than other applications?
There are measures you can take to mitigate against denial-of-service (DoS) attacks or distributed DoS attacks. Within an enterprise without VoIP, you may not feel the pain as much, because an email that you sent might arrive a few hours later. VoIP is not as forgiving. It has very strict QoS requirements, so a distributed DoS attack can cripple your VoIP network so that calls coming in are unintelligible or you think your phone system isn't even usable.
How steep is the learning curve for securing VoIP?
We looked at Cisco, Avaya, and Asterisk, and we looked at some of the softphone technologies that have the potential to permeate into the enterprise - things like Skype, MSN. What we found is all of these systems are securable, but they do take some knowledge to get them to that point. None of them come installed by default out of the box in a secure manner.
Disable services that aren't really required. Many of these VoIP phones have Web servers on them and things like Telnet and FTP. A lot of these phones are almost like minicomputers. You really need to apply best practices that you would with any other technology.