I once did some research on VoIP-based security threats, and the results were surprising to me. Despite being a VoIP professional, even I was not aware of these tricks to exploit this wonderful technology. It is amazing how some human minds can find ways to misuse anything they can find to harm others.
Now that VoIP is all around us, it is absolutely necessary that we all know how VoIP can hurt us. Whether we use it or not, it is using us anyway.
Based on my findings, the threats can be divided into the following categories:
- Caller ID Spoofing
- Toll Fraud
- Vishing
- Eavesdropping
- Call Hijacking
- Injected Messages
- SPIT (VoIP Spam)
1. Caller ID Spoofing
Making a call appear to originate from a different number
Attackers can place calls carrying caller ID information that makes them appear to come from somewhere else: your bank, your employer, a neighbour, a relative. They then use that false trust to extract personal information from you. Unfortunately, spoofing caller ID has become so easy that almost anyone with a VoIP service who wants to do it can. Regulatory authorities seem to have little interest in controlling it, and many small VoIP providers offer it as a feature: you log into your account online and change your outgoing caller ID number and name.
Even if a provider does not offer this, an attacker can still send a caller ID of their own choosing, because in SIP the From header (number and display name) is filled in by the caller's own device. Unless the provider rewrites it, or asserts the authenticated identity in a separate header, most VoIP systems downstream simply pass it along and the call reaches the called party with the forged number.
HOW TO PROTECT YOURSELF:
- As an end user, if a call is from your bank, credit card company, insurance company, or any other source where money is involved, and you don't recognize the person on the other end, tell them you will call them back. Hang up and call back on a number you know to be valid: from your bank statement, the back of your card, an invoice, or a bill.
- Even if you recognize the number, you might be looking at a spoofed caller ID. Calling back on the known-good number defeats this, because your outbound call is routed to the real number rather than to the attacker. The exception is call hijacking (see below), where your outbound call itself is redirected; against that an end user can do very little.
If you are a VoIP system administrator:
- Never authenticate calls based on caller ID. The From header is caller-supplied data, like any other input.
- SIP has an identity mechanism built for this: the P-Asserted-Identity and P-Preferred-Identity headers (RFC 3325), used together with the Privacy header (RFC 3323). A proxy that has authenticated the caller inserts P-Asserted-Identity with the identity it has verified, and believes that header only when it arrives from another proxy in the same trust domain; anything a customer or an unknown peer puts in it must be stripped. Many VoIP companies skip this because of the added complexity, but it is the standard way to keep a SIP proxy from relaying spoofed caller IDs.
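The proxy-side policy described above, as an added example (not code from the original post). It applies the RFC 3325 model: From is never trusted on its own, P-Asserted-Identity is believed only from a proxy in our own trust domain and otherwise stripped, an authenticated customer gets a P-Asserted-Identity carrying the number bound to their account whatever From claims, and a P-Asserted-Identity is never forwarded to a next hop outside the trust domain. The trusted-peer list, the account table and the spoofed INVITE headers are constructed for the example.

```python
"""Caller-ID handling at a SIP edge proxy, following the RFC 3325 model.

Added example, not code from the original post.  The peer list, account
table and the INVITE headers below are constructed for the demonstration.
"""
from typing import Optional

# Proxies inside our trust domain: their P-Asserted-Identity is as good as ours (constructed).
TRUSTED_PEERS = {"192.0.2.10"}

# Accounts we can authenticate, mapped to the one number each may present (constructed).
ACCOUNT_NUMBERS = {"alice": "sip:+14165550100@example.net"}


def inbound_identity(headers: dict, peer_ip: str, authenticated_user: Optional[str]) -> dict:
    """Return the headers to forward after applying the identity policy to one INVITE.

    headers: SIP header name -> value (From is always present).
    peer_ip: address the request arrived from.
    authenticated_user: account name if we challenged and verified the sender, else None.
    """
    out = dict(headers)
    if peer_ip in TRUSTED_PEERS:
        return out                                   # a trusted proxy already vetted the PAI

    # Anyone else may write whatever they like into these headers: they are just claims.
    out.pop("P-Asserted-Identity", None)
    out.pop("P-Preferred-Identity", None)

    if authenticated_user is not None:
        # We know who this is: assert the number bound to the account, not what From says.
        out["P-Asserted-Identity"] = f"<{ACCOUNT_NUMBERS[authenticated_user]}>"
    # Unauthenticated and untrusted: From is forwarded unchanged but nothing vouches for it.
    return out


def display_identity(headers: dict) -> str:
    """What a downstream system should present to the called party."""
    pai = headers.get("P-Asserted-Identity")
    return pai if pai else headers["From"] + " (unverified)"


def outbound_identity(headers: dict, next_hop_trusted: bool) -> dict:
    """Never leak a P-Asserted-Identity to a proxy outside the trust domain (RFC 3325)."""
    out = dict(headers)
    if not next_hop_trusted:
        out.pop("P-Asserted-Identity", None)
    return out


# An INVITE from a customer's device that claims to be a bank, with a forged PAI too (constructed).
SPOOFED_INVITE = {
    "From": '"Bank of Caledon" <sip:+18005550199@example.net>;tag=1',
    "To": "<sip:+14165550123@example.net>",
    "P-Asserted-Identity": '"Bank of Caledon" <sip:+18005550199@example.net>',
}

if __name__ == "__main__":
    forwarded = inbound_identity(SPOOFED_INVITE, "203.0.113.7", "alice")
    print("called party sees:", display_identity(forwarded))
```

Some providers go one step further and also rewrite From to the account's number; the policy above leaves From alone and relies on downstream systems preferring P-Asserted-Identity, which is what display_identity does.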
2. Toll Fraud
Making calls on your account
Attackers constantly probe poorly secured VoIP networks for accounts they can use to place calls, typically long-distance and international calls, which they then resell or run up against premium-rate numbers. VoIP systems are particularly exposed to toll fraud because they sit on the enterprise's IP network and are usually reachable from the Internet, so weak or default SIP credentials can be found by automated scanning. Toll fraud costs small VoIP companies in North America millions of dollars every year.
HOW TO PROTECT YOURSELF:
- Don't give your VoIP hardware or account login details to anybody.
- If someone has broken into the provider's network and used your account, it is not your fault and the provider knows it; in that case they cannot bill you for those calls.
If you are a VoIP system administrator:
- Use strong, unique SIP credentials (long random passwords, never the extension number as the password) and encrypt the signaling with TLS, so that digest challenges cannot be sniffed and cracked offline.
- Implement authentication safeguards: lock out sources that fail registration repeatedly, restrict international and premium-rate dialing per account, and cap concurrent calls and spend.
- Review the system's call logs regularly and carefully; they tell you that something is going wrong long before the invoice does.
My personal favourite tools for this purpose are fail2ban and munin, plus I have my own scripts to suit my needs.
3. Vishing
This is the VoIP version of phishing. Voice + Phishing = Vishing.
Here is an example of how it works. You receive an e-mail, text message, or telephone call, purportedly from your credit card company or your bank, directing you to call a telephone number to re-activate your card because of a security issue. When you call, a pleasant recorded voice greets you: "Welcome to the Bank of Caledon. Please enter your card number." You enter it, and the voice asks for your PIN or security number. Once you have, it tells you that your account has been re-activated, thanks you for calling, and hangs up. The next day you find a large sum of money missing from your account. Later you learn that the number you called never belonged to the bank: it was fraudulent, and someone captured your card number and PIN and used them to get into your account.
This is just one of many possible scenarios.
VoIP service is fairly inexpensive, especially for long distance, which makes fraudulent calls cheap to place. And because it is Internet-based, criminals can use software to set up phony automated customer-service lines anywhere in the world; they can sit thousands of miles from their targets, beyond the reach of the victim's jurisdiction.
HOW TO PROTECT YOURSELF:
If you have a question about your account or your credit/debit card, contact your bank on a telephone number obtained independently: from your statement, the telephone book, or another independent source.
To give an example from my own very recent experience, last week I got a similar message from my bank asking me to call a 1-800 number regarding a security issue with my bank card. I called that number, and while the lady on the other end was asking me security-related questions, I suddenly realized that it could be a vishing attempt. So I asked her how I could know whether I was calling a genuine number. She told me to call the number on the back of my bank card. I hung up and called the number on the back of my card. Thankfully it was not a vishing attempt, but you get the idea of how to deal with this situation: it could have been one.
4. Eavesdropping
Listening to other people's phone conversations
VoIP packets are ordinary IP packets, so anyone positioned on their path can capture them with the same packet-capture tools used for data traffic: on the same LAN (with ARP poisoning if the network is switched), on a compromised router, or inside the provider. From a capture they reconstruct the conversation and play it back, using free tools available for download on the Web that were made specifically for this purpose.
Here is a list of freely available tools. Most were not written for eavesdropping on VoIP calls, but they serve anyone who wants to misuse them equally well:
Packet Capturing Tools: Ethereal/Wireshark, Angst, pcapsipdump.
VOMIT: Voice Over Misconfigured Internet Telephones. It converts a phone conversation into a .wav file.
VoIPong: It detects VoIP calls on a network and creates .wav files of conversations.
Oreka: It records VoIP RTP sessions. Also runs on Windows.
Cain & Abel: A popular sniffer that can capture and crack passwords; it captures many types of traffic along with VoIP calls. It extracts audio conversations that use the SIP and RTP protocols.
VoIP administrators can take advantage of these same tools for penetration testing of their own networks.
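What the tools above actually do with a capture, as an added example (not code from the original post or from VOMIT, VoIPong, Oreka or Cain & Abel): parse the RTP header (RFC 3550), group packets by SSRC, put them back in sequence-number order while unwrapping the 16-bit counter and dropping duplicates, decode the G.711 µ-law payload (PCMU, payload type 0) and write a WAV file. Instead of reading a pcap, the "capture" is constructed in code as a short tone delivered out of order with one duplicate, the way a sniffer might see it. Replace sample_capture with payloads pulled from UDP packets in a real capture and it produces exactly what these tools produce; this is also why the SRTP advice below matters, since an encrypted payload decodes to noise.

```python
"""Reconstruct a G.711 µ-law (PCMU) RTP stream into a WAV file.

Added example, not from the original post or any tool it lists.  The packets
are constructed in code (a 440 Hz tone) rather than read from a capture.
"""
import math
import struct
import wave
from collections import defaultdict

BIAS = 0x84                      # G.711 µ-law bias
CLIP = 8159                      # largest 14-bit magnitude the encoder accepts
_SEG_END = (0x3F, 0x7F, 0xFF, 0x1FF, 0x3FF, 0x7FF, 0xFFF, 0x1FFF)


def ulaw_encode(sample: int) -> int:
    """Signed 16-bit PCM sample -> one µ-law byte (the classic Sun g711.c algorithm)."""
    pcm = sample >> 2                                # 16 -> 14 bit
    mask = 0xFF
    if pcm < 0:
        pcm, mask = -pcm, 0x7F
    pcm = min(pcm, CLIP) + (BIAS >> 2)
    seg = next((i for i, end in enumerate(_SEG_END) if pcm <= end), 8)
    if seg >= 8:
        return 0x7F ^ mask
    return ((seg << 4) | ((pcm >> (seg + 1)) & 0x0F)) ^ mask


def ulaw_decode(byte: int) -> int:
    """One µ-law byte -> signed 16-bit PCM sample."""
    u = ~byte & 0xFF
    t = (((u & 0x0F) << 3) + BIAS) << ((u & 0x70) >> 4)
    return BIAS - t if u & 0x80 else t - BIAS


def parse_rtp(packet: bytes) -> dict:
    """Parse the fixed RTP header plus CSRC list, header extension and padding."""
    if len(packet) < 12:
        raise ValueError("truncated RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    hdr_len = 12 + 4 * (b0 & 0x0F)                   # CSRC identifiers
    if b0 & 0x10:                                    # header extension present
        _, ext_words = struct.unpack("!HH", packet[hdr_len:hdr_len + 4])
        hdr_len += 4 + 4 * ext_words
    payload = packet[hdr_len:]
    if b0 & 0x20 and payload:                        # padding: last byte holds the pad length
        payload = payload[:-payload[-1]]
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": payload}


def build_rtp(seq: int, ts: int, ssrc: int, payload: bytes, pt: int = 0) -> bytes:
    """Minimal RTP packet (V=2, no CSRC/extension/padding), used to construct the sample input."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts, ssrc) + payload


def reassemble(packets: list, payload_type: int = 0) -> dict:
    """Group packets by SSRC; return each stream's payload bytes in sequence order.

    Sequence numbers are 16 bits, so each one is extended to the 32-bit-style
    value nearest the last one seen (RFC 3550 style unwrapping) before sorting.
    Duplicates are dropped by keeping the first payload per extended sequence number.
    """
    streams = defaultdict(dict)                      # ssrc -> {extended seq: payload}
    last_ext = {}                                    # ssrc -> highest extended seq seen
    for pkt in packets:
        p = parse_rtp(pkt)
        if p["pt"] != payload_type:
            continue
        ssrc, seq = p["ssrc"], p["seq"]
        if ssrc not in last_ext:
            ext = seq
        else:
            base = last_ext[ssrc] & ~0xFFFF          # start of the current 65536-cycle
            ext = min((base - 0x10000 + seq, base + seq, base + 0x10000 + seq),
                      key=lambda e: abs(e - last_ext[ssrc]))
        last_ext[ssrc] = max(last_ext.get(ssrc, ext), ext)
        streams[ssrc].setdefault(ext, p["payload"])
    return {ssrc: b"".join(payload for _, payload in sorted(byseq.items()))
            for ssrc, byseq in streams.items()}


def write_wav(path: str, ulaw: bytes, rate: int = 8000) -> None:
    """Decode a PCMU byte stream and write it as 16-bit mono WAV."""
    pcm = struct.pack("<%dh" % len(ulaw), *(ulaw_decode(b) for b in ulaw))
    with wave.open(path, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)
        w.writeframes(pcm)


def sample_capture(ssrc: int = 0xDEADBEEF, frames: int = 5) -> tuple:
    """Constructed stand-in for a pcap: a 440 Hz tone in 20 ms PCMU packets whose
    sequence numbers cross the 65535 -> 0 wrap, delivered out of order with a duplicate."""
    tone = bytes(ulaw_encode(int(8000 * math.sin(2 * math.pi * 440 * n / 8000)))
                 for n in range(160 * frames))
    pkts = [build_rtp(65534 + i, i * 160, ssrc, tone[i * 160:(i + 1) * 160]) for i in range(frames)]
    scrambled = [pkts[0], pkts[2], pkts[1], pkts[1], pkts[4], pkts[3]]
    return tone, scrambled


if __name__ == "__main__":
    tone, captured = sample_capture()
    for ssrc, stream in reassemble(captured).items():
        write_wav(f"stream-{ssrc:08x}.wav", stream)
        print(f"SSRC {ssrc:08x}: {len(stream)} samples, intact={stream == tone}")
```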
If your VoIP service comes from your cable company, your exposure is much smaller: your voice never crosses the public Internet. It travels over the cable operator's own network from your home to the company's VoIP servers, so the people in a position to capture it are essentially the operator's own staff. If you are with one of the smaller VoIP companies that deliver service over the public Internet, your packets cross networks that neither you nor your provider control, and you never know whether someone along the path is listening. Cell-phone calls are similarly exposed. In this respect cable companies and land-line phone companies have the upper hand.
HOW TO PROTECT YOURSELF:
As an end user there is little you can do other than use a land line, or VoIP from a cable company, for calls where confidentiality matters. ITSPs (Internet Telephony Service Providers), on the other hand, have the means to give their customers similar or even better protection, as long as their VoIP administrators implement it. For many years engineers concentrated on call quality; now that this is largely solved, security is getting serious attention:
- Keep the VoIP network separate from the data network: physically if possible, otherwise with VLANs, so that a compromised PC does not sit on the same segment as the phones.
- Authenticate every endpoint that connects to the VoIP network from outside, so that you know who is registering and who is placing calls.
- Use TLS for SIP whenever possible. It does not stop an attacker from capturing RTP, but without the signaling (including the SDP that names the RTP ports and the numbers involved) they cannot pick out which stream belongs to which victim.
- Encrypt the media as well, with SRTP (RFC 3711), so that captured RTP packets cannot be decoded without the session key.
- Use VoIP-aware firewalls and an intrusion detection/prevention system (IDS/IPS).
- Learn how VoIP attackers operate.
- Apply standard security measures, and use the attackers' own tools to test your VoIP network.
5. Call Hijacking
Redirecting entire calls
If the entry for a legitimate party in the VoIP registrar's database is replaced with the attacker's address (in SIP, by sending a REGISTER for the victim's address-of-record with the attacker's own Contact), the VoIP server routes calls meant for the original party to the attacker instead. This works wherever the registrar accepts registrations without authenticating them, or wherever the victim's registration credentials have been obtained.
Consider the following example.
You call your bank using its genuine phone number. You identify yourself by entering your account number on the keypad. You answer the usual security questions. Then the call is cut off.
Your bank never received your call. It was directed to a call hijacker, who is now probably calmly transferring the contents of your account to the Cayman Islands.
HOW TO PROTECT YOURSELF:
Again, there is not much an end user can do other than use a channel with some built-in protection: a land line, VoIP from your local cable company, or an ITSP that provides security (they don't exist yet).
Some considerations for ITSPs:
- Authenticate every REGISTER (SIP digest authentication at minimum) and make sure the authenticated user is the owner of the address-of-record being registered.
- Encrypt the call-signaling packets, e.g. run SIP over TLS, so that registrations cannot be read or forged in transit.
- Use IPsec on the VoIP network.
- Use ZRTP to negotiate keys for encrypting the media (RTP) packets.
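Registration hijacking at the registrar, as an added example (not code from the original post). A minimal SIP REGISTER parser, an in-memory location table, and two registrar policies side by side: the insecure one binds whatever Contact it is sent to whatever address-of-record the To header names, which is the database overwrite described above; the hardened one requires digest authentication (RFC 3261 section 22, the MD5 scheme without qop, which is enough to show the mechanism) and refuses to bind an address-of-record to anyone other than the user who authenticated. The realm, user table, password values, nonce and REGISTER messages are constructed for the example; a real registrar issues a fresh unpredictable nonce per challenge and also tracks Call-ID/CSeq and Expires.

```python
"""Registration hijacking at a SIP registrar: insecure versus hardened handling.

Added example, not code from the original post.  Users, passwords, realm,
nonce and the REGISTER messages are all constructed for the demonstration.
"""
import hashlib
import re

REALM = "example.net"
USERS = {"alice": "s3cret-alice", "mallory": "s3cret-mallory"}   # constructed credentials


def md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_sip(raw: str) -> dict:
    """Split a SIP request into method, Request-URI and a header dict."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def parse_auth_params(value: str) -> dict:
    """'Digest username="a", realm="b", ...' -> {'username': 'a', 'realm': 'b', ...}"""
    return dict(re.findall(r'(\w+)="?([^",]*)"?', value.split(" ", 1)[1]))


def aor_user(header_value: str) -> str:
    """'<sip:alice@example.net>' or '"A" <sip:alice@example.net>;tag=x' -> 'alice'"""
    return re.search(r"sip:([^@>]+)@", header_value).group(1)


def digest_response(user: str, password: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 MD5 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5(f"{user}:{REALM}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def registrar_insecure(raw: str, location: dict) -> int:
    """Trusts the request: whoever names an AOR in To gets its Contact binding. Returns status."""
    req = parse_sip(raw)
    location[aor_user(req["headers"]["To"])] = req["headers"]["Contact"]
    return 200


def registrar_hardened(raw: str, location: dict, nonce: str) -> int:
    """Digest-authenticate, then bind only the authenticated user's own AOR. Returns status."""
    req = parse_sip(raw)
    auth = req["headers"].get("Authorization")
    if auth is None:
        return 401                           # challenge with WWW-Authenticate carrying the nonce
    p = parse_auth_params(auth)
    user = p.get("username")
    if user not in USERS or p.get("realm") != REALM or p.get("nonce") != nonce:
        return 401
    if p.get("uri") != req["uri"]:
        return 400                           # digest-uri must match the Request-URI
    if p.get("response") != digest_response(user, USERS[user], req["method"], req["uri"], nonce):
        return 401
    if aor_user(req["headers"]["To"]) != user:
        return 403                           # authenticated, but not as the owner of this AOR
    location[user] = req["headers"]["Contact"]
    return 200


def register_request(aor: str, contact_host: str, auth_user=None, password=None, nonce=None) -> str:
    """Build a REGISTER (constructed); with auth_user it carries a valid Digest Authorization."""
    uri = f"sip:{REALM}"
    hdrs = [f"REGISTER {uri} SIP/2.0",
            f"To: <sip:{aor}@{REALM}>", f"From: <sip:{aor}@{REALM}>;tag=1",
            f"Contact: <sip:{aor}@{contact_host}>", "Call-ID: c1", "CSeq: 1 REGISTER"]
    if auth_user:
        resp = digest_response(auth_user, password, "REGISTER", uri, nonce)
        hdrs.append(f'Authorization: Digest username="{auth_user}", realm="{REALM}", '
                    f'nonce="{nonce}", uri="{uri}", response="{resp}"')
    return "\r\n".join(hdrs) + "\r\n\r\n"


if __name__ == "__main__":
    nonce = "4f3c"                           # fixed here; must be fresh per challenge in practice
    hijack = register_request("alice", "203.0.113.7")          # attacker's host, no credentials
    table = {}
    print("insecure:", registrar_insecure(hijack, table), table)
    table = {}
    print("hardened:", registrar_hardened(hijack, table, nonce), table)
```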
6. Injected Messages
Fake SIP and IAX messages
I guess this has more to do with annoying the VoIP service provider and inconveniencing its customers than with causing the customers financial damage. It can, however, cause financial damage to the provider if its customers start leaving, and also result in a bad reputation.
In this type of attack, the attacker injects spoofed messages into the signaling channel of a call, for example a SIP BYE or an IAX HANGUP. Depending on the message, the call gets disconnected, redirected, put on hold, and so on. A spoofed BYE has to carry the dialog's Call-ID, its From and To tags and a plausible CSeq, and an attacker who can sniff the unencrypted signaling has all of them; tools like sip-kill automate the whole thing.
HOW TO PROTECT YOURSELF:
Again, unfortunately, as an end user you can't do much, but as the VoIP administrator of an ITSP you should:
- Encrypt the signaling (SIP over TLS) so that nobody on the path can read the dialog identifiers needed to forge an in-dialog request.
- Authenticate all requests, including in-dialog requests such as BYE, and with TLS accept them only over the connection the dialog was set up on.
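What a user agent has to check before honouring a BYE, as an added example (not code from the original post or from sip-kill). A user agent keeps its live calls in a table keyed by the SIP dialog identifier (Call-ID plus local and remote tags, RFC 3261 section 12). The naive handler tears down any call whose Call-ID matches; the strict one matches the full dialog id, requires the CSeq to advance, and, as a design choice of this example rather than an RFC requirement, accepts the BYE only on the TLS connection the dialog was established over. The spoofed BYE carries exactly the values an attacker who sniffed the cleartext INVITE and 200 OK would have; the dialog values, messages and connection ids are constructed for the example.

```python
"""Matching an in-dialog BYE: what a spoofed teardown needs and what stops it.

Added example, not from the original post or from sip-kill.  Dialog values,
messages and the connection identifiers are constructed for the demonstration.
"""
import re
from dataclasses import dataclass


@dataclass
class Dialog:
    call_id: str
    local_tag: str        # our tag
    remote_tag: str       # the peer's tag
    remote_cseq: int      # highest CSeq the peer has used in this dialog
    transport: str        # id of the (TLS) connection the dialog lives on (constructed notion)
    state: str = "confirmed"


def tag_of(header: str) -> str:
    """Tag parameter of a From/To header value, '' if absent."""
    m = re.search(r";tag=([^;]+)", header)
    return m.group(1) if m else ""


class UserAgent:
    def __init__(self) -> None:
        self.dialogs = {}                     # (call_id, local_tag, remote_tag) -> Dialog

    def add(self, d: Dialog) -> None:
        self.dialogs[(d.call_id, d.local_tag, d.remote_tag)] = d

    def accept_bye_naive(self, bye: dict) -> bool:
        """Tear down on Call-ID alone: anyone who saw the INVITE can end the call."""
        for d in self.dialogs.values():
            if d.call_id == bye["Call-ID"] and d.state == "confirmed":
                d.state = "terminated"
                return True
        return False

    def accept_bye_strict(self, bye: dict, arrived_on: str) -> bool:
        """Full dialog match, CSeq must advance, and the request must use the peer's connection."""
        # In a request from the peer, From carries the peer's tag and To carries ours.
        key = (bye["Call-ID"], tag_of(bye["To"]), tag_of(bye["From"]))
        d = self.dialogs.get(key)
        if d is None or d.state != "confirmed":
            return False
        cseq = int(bye["CSeq"].split()[0])
        if cseq <= d.remote_cseq:
            return False                      # stale or replayed request
        if arrived_on != d.transport:
            return False                      # did not come over the peer's authenticated connection
        d.remote_cseq = cseq
        d.state = "terminated"
        return True


def sample_ua() -> UserAgent:
    """Our side (alice) in one established call with bob (constructed values)."""
    ua = UserAgent()
    ua.add(Dialog("a84b4c76e66710", "1928301774", "a6c85cf", 314159, "tls:peer-conn-17"))
    return ua


# What an attacker who sniffed the cleartext INVITE / 200 OK can forge (constructed).
SPOOFED_BYE = {
    "Call-ID": "a84b4c76e66710",
    "From": "<sip:bob@biloxi.example.com>;tag=a6c85cf",
    "To": "<sip:alice@atlanta.example.com>;tag=1928301774",
    "CSeq": "314160 BYE",
}

# What an attacker who only saw a Call-ID (e.g. from a partial capture) can forge (constructed).
CALLID_ONLY_BYE = dict(SPOOFED_BYE, From="<sip:bob@biloxi.example.com>;tag=guess")

if __name__ == "__main__":
    print("naive:", sample_ua().accept_bye_naive(SPOOFED_BYE))
    print("strict, injected over UDP:", sample_ua().accept_bye_strict(SPOOFED_BYE, "udp:203.0.113.7:5060"))
```

With the signaling under TLS the attacker never sees Call-ID or the tags in the first place; the transport check is what still protects a dialog whose identifiers have leaked some other way.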
7. SPIT or VoIP Spam
Spam over Internet Telephony
The attacker calls you and gives the impression of calling from your bank or financial institution. Mostly they leave a voicemail asking you to return the call, or to go to a website and enter your credit card or banking details. If you trust the caller, call back or visit the website and hand over your financial information, you lose your money.
SPIT can easily clog your voicemail box, because a SPITter can generate thousands of VoIP calls at almost no cost. Voicemail systems need to improve at filtering messages, the way spam filters do for e-mail.