Over the last decade VoIP has become increasingly popular, with service providers gaining millions of subscribers each year. However, VoIP is still an immature platform, which translates into millions of subscribers being exposed to new phishing and spoofing threats annually.
Are you exposed to these threats?
Voice over Internet Protocol (VoIP) has quickly gained popularity over the Public Switched Telephone Network (PSTN), largely as a result of the dramatic cost reduction VoIP brings for both users and service providers. However, with the reduced cost comes exposure to phishing and spoofing threats that are unprecedented in the telecommunications industry. Over the next few weeks we will post a three-part blog series in which we briefly examine these threats to both VoIP users and service providers. We present the most critical threats, focusing on those that can be categorized as phishing and spoofing. We conclude by discussing means to mitigate these threats and measures that can be taken to conduct penetration tests on VoIP platforms.
Phishing and Spoofing Threats of VoIP
The following describes the phishing and spoofing threats to VoIP users and service providers. These threats include:
This article discusses the threats categorized as Social Threats and Eavesdropping.
Social Threats: Social threats are commonly defined as threats that focus on ways to manipulate social context between communication parties so that attackers can misrepresent themselves as a trusted party and convey false information to target the user.
Misrepresentation: Misrepresentation can be defined as an assertion, by words or conduct, that is not in accord with the facts. As can be seen in the figure, the attacker claims to be User A by presenting false information to User B (the victim). This is done in order to gain access to otherwise unreachable information such as call logs and files, and for phishing purposes. The attacker may misrepresent his identity, authority, rights or content in order to achieve his goals.
Unwanted Contact: Unwanted contact is any contact that lacks the prior affirmative consent required for incoming calls, or that bypasses a refusal of consent for outgoing calls. Harassment, extortion and unwanted lawful content fall under this category.
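As an added, defender-side illustration of the misrepresentation threat above (example code written for this post, not part of the original article): a small Python check that flags SIP INVITEs whose From header claims an identity other than the one the sender actually authenticated as. The registrar table, the account names, the `build_invite` helper and the sample INVITE messages are all constructed for the example; a real proxy would take the allowed identities from its registration state.

```python
import re

# Constructed registrar table for this example (assumption, not real accounts):
# which Address-of-Record each authenticated account is allowed to present in
# its From header.
REGISTERED_AORS = {
    "alice": "sip:alice@example.com",
    "bob": "sip:bob@example.com",
    "mallory": "sip:mallory@example.com",
}

# From header: optional display name, optional angle brackets, then the URI.
FROM_RE = re.compile(r"^From:\s*(?:[^<\r\n]*<)?(sips?:[^>;\s]+)", re.I | re.M)
# Digest credentials carry the account name the proxy actually verified.
AUTH_USER_RE = re.compile(r'^Authorization:.*?\busername="([^"]+)"', re.I | re.M)


def parse_invite(msg):
    """Return (authenticated username, From URI) or None if either is missing."""
    m_from = FROM_RE.search(msg)
    m_auth = AUTH_USER_RE.search(msg)
    if not m_from or not m_auth:
        return None
    return m_auth.group(1).lower(), m_from.group(1).lower()


def check_identity(msg):
    """Classify an INVITE: 'ok' when the From URI belongs to the account that
    authenticated, 'misrepresentation' when it claims another user's identity,
    'unauthenticated' when no credentials or no From header are present."""
    parsed = parse_invite(msg)
    if parsed is None:
        return "unauthenticated"
    user, from_uri = parsed
    if REGISTERED_AORS.get(user) != from_uri:
        return "misrepresentation"
    return "ok"


def build_invite(from_uri, auth_user=None):
    """Build a minimal constructed INVITE (helper for the sample input below)."""
    headers = [
        "INVITE sip:bob@example.com SIP/2.0",
        "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK1",
        f'From: "Caller" <{from_uri}>;tag=a1',
        "To: <sip:bob@example.com>",
        "Call-ID: c1@192.0.2.10",
        "CSeq: 1 INVITE",
    ]
    if auth_user:
        headers.append(
            f'Authorization: Digest username="{auth_user}", realm="example.com", '
            'nonce="n1", uri="sip:bob@example.com", response="PLACEHOLDER"'
        )
    return "\r\n".join(headers) + "\r\n\r\n"


# Constructed sample traffic: a genuine call, a caller authenticated as
# mallory but presenting alice's identity, and a call with no credentials.
INVITE_OK = build_invite("sip:alice@example.com", auth_user="alice")
INVITE_SPOOF = build_invite("sip:alice@example.com", auth_user="mallory")
INVITE_NOAUTH = build_invite("sip:alice@example.com")


def triage(messages):
    """Return the verdict for each message in order."""
    return [check_identity(m) for m in messages]


if __name__ == "__main__":
    for verdict in triage([INVITE_OK, INVITE_SPOOF, INVITE_NOAUTH]):
        print(verdict)
```

The check binds the presented identity to the credential the proxy verified, which is the control that stops a registered user from presenting someone else's caller ID to User B; an unauthenticated INVITE is reported separately so that a policy of rejecting it outright can be applied before any identity comparison.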
Eavesdropping: Eavesdropping is when an attacker intercepts a data stream between two or more users without altering the data. The attacker does however gain access to the conversation between the users.
Traffic Capture: In traffic capture, the attacker captures incoming and outgoing traffic and accesses the information for analysis. The attacker however cannot alter the traffic in any way.
Number Harvesting: Number harvesting is the unauthorized collection of caller identification, usually in the form of phone numbers. The attacker monitors incoming and outgoing calls in order to build a database of legitimate IDs. The database can then be used for other attacks such as spam over Internet telephony (SPIT), toll fraud calls and denial of service (DoS) attacks.
Reconstruction: Reconstruction is commonly defined as any unauthorized extraction of any portion of a media session without consent of the owner, for example monitoring, recording, storage and reconstruction.
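Added example for the eavesdropping, traffic capture and reconstruction threats above (example code written for this post, not from the original article): a Python audit of what a passive listener on the path could read from a call, judged from the SIP transport in the Via header and the media profile negotiated in the SDP offer. The `build_call` helper, the sample INVITEs and the placeholder SDES key are constructed; the check treats only SRTP profiles that also carry a keying attribute as protected media.

```python
import re

M_LINE_RE = re.compile(r"^m=(\w+)\s+(\d+)\s+(\S+)")
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(\w+)", re.I | re.M)

# Transport profiles that carry SRTP (keyed via SDES a=crypto or DTLS a=fingerprint).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
KEYING_ATTRS = ("a=crypto:", "a=fingerprint:")


def parse_sdp(body):
    """Split an SDP body into session-level lines and (m-line, media-level lines) pairs."""
    session, sections = [], []
    for line in body.splitlines():
        if line.startswith("m="):
            sections.append((line, []))
        elif sections:
            sections[-1][1].append(line)
        else:
            session.append(line)
    return session, sections


def audit_call(msg):
    """Return a list of findings describing what an eavesdropper on the path
    could read from this SIP message and the media it negotiates."""
    head, _, body = msg.partition("\r\n\r\n")
    findings = []

    via = VIA_RE.search(head)
    transport = via.group(1).upper() if via else "UNKNOWN"
    if transport != "TLS":
        findings.append(f"signaling over {transport}: From/To and dialled numbers readable on the wire")

    session, sections = parse_sdp(body)
    if not sections:
        findings.append("no SDP media description found")
    for m_line, attrs in sections:
        m = M_LINE_RE.match(m_line)
        if not m:
            continue
        kind, port, profile = m.groups()
        if profile.upper() not in SECURE_PROFILES:
            findings.append(f"{kind} on port {port} uses {profile}: media readable on the wire")
        elif not any(a.startswith(KEYING_ATTRS) for a in session + attrs):
            findings.append(f"{kind} on port {port} declares {profile} but carries no SRTP keying attribute")
    return findings


def build_call(transport, profile, keying=None):
    """Build a constructed INVITE with an SDP offer (helper for the sample input)."""
    sdp = [
        "v=0", "o=alice 1 1 IN IP4 192.0.2.10", "s=call",
        "c=IN IP4 192.0.2.10", "t=0 0",
        f"m=audio 49170 {profile} 0", "a=rtpmap:0 PCMU/8000",
    ]
    if keying:
        sdp.append(keying)
    headers = [
        "INVITE sip:bob@example.com SIP/2.0",
        f"Via: SIP/2.0/{transport} 192.0.2.10:5060;branch=z9hG4bK1",
        "From: <sip:alice@example.com>;tag=a1",
        "To: <sip:bob@example.com>",
        "Content-Type: application/sdp",
    ]
    return "\r\n".join(headers) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"


# Constructed samples: a plain call, an SRTP call with an SDES key (placeholder
# key material, not a real key), and an SRTP profile that offers no key at all.
PLAIN_CALL = build_call("UDP", "RTP/AVP")
SECURE_CALL = build_call("TLS", "RTP/SAVP", "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEY")
SAVP_NO_KEY = build_call("TLS", "RTP/SAVP")

if __name__ == "__main__":
    for name, call in [("plain", PLAIN_CALL), ("secure", SECURE_CALL), ("savp-no-key", SAVP_NO_KEY)]:
        print(name, audit_call(call) or ["no findings"])
```

Run against captured signaling from your own platform, the findings map directly onto the threats above: plain SIP transport exposes the caller IDs that number harvesting collects, and an RTP/AVP media line exposes the conversation itself to capture and later reconstruction. Enforcing TLS for signaling and SRTP for media is the mitigation this check verifies.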
This concludes our first blog post on VoIP: A New Era in Threats. Stay tuned for post number two in this three-part series, where we cover the threats categorized as Interception and Modification as well as Service Abuse.