Countermeasures and Penetration Testing
In our previous two posts on this topic we discussed the threats to using VoIP. This post discusses ways you can mitigate these threats.
If VoIP is to successfully replace PSTN, some measures need to be taken in order to approach the reliability that PSTN offers. It’s somewhat unrealistic to demand PSTN’s 99,999% availability for VoIP, since IP-based systems are exposed to a larger threat pool than public switched ones, but there are actions available that can significantly reduce the phishing and spoofing threats involved with VoIP.
Software Updates
Keeping software up to date is an appropriate way of limiting the probability of phishing and spoofing threats. This goes for any software needed to keep the service up and running, as well as the software needed for end devices. VoIP servers often run on operating systems which may have vulnerabilities. By making sure that the operating system is up to date, vulnerabilities can be avoided. The provider should also take end users’ safety into consideration. VoIP phones can include flaws exploitable by attackers, so keeping their software up to date reduces the risk, as newly discovered threats are often corrected through patches. Many users are unaware of the risk involved with outdated software, making them vulnerable in the process. Service providers can inform users of these threats and/or monitor software updates from major VoIP telephone vendors and forward them to users through a website, newsletters, or email, for example.
Anti-virus systems
Every computer system benefits from having a strong anti-virus system in place. Worms and viruses are getting more complex and attackers are constantly figuring out new ways of infecting users. Many VoIP threats benefit from having the victim’s computer infected with a virus before the attacker carries out the threat. Cyber-criminals release new viruses daily, and since VoIP is getting more attention, new VoIP viruses are likely to be developed and released in the future. VoIP providers and users should therefore always have a strong and regularly updated anti-virus system in place.
Addressing Eavesdropping
Preventing eavesdropping requires strong network security and enabling proper encryption and authentication on the devices being used. Strong network security is a wide concept and is not directly related to VoIP; as such we have left that out of this article. Encryption and authentication can be implemented by many different techniques. The level of encryption and authentication depends on the importance of the information being protected. For regular users, open source encryption software or VoIP phones with built-in encryption may suffice. Other clients, such as corporations or companies, may demand stronger protection. In that case, there are a number of options available. For example, the user can choose to encrypt the signaling messages, the media stream, or both. The following highlights the setup possibilities for this process.
In Setup 1, signaling messages are encrypted, protecting them from message spoofing and compromise of sensitive information. The media stream, however, is unprotected, so it is vulnerable to eavesdropping and spoofing.
In Setup 2, both the signaling messages and the media sessions are protected, so message spoofing, compromise of information and eavesdropping are prevented.
Setup 3 is the inverse of Setup 1, so eavesdropping and spoofing are no longer threats, but the VoIP system is susceptible to message spoofing and call hijacking.
As was stated above, the level of protection depends on each user. Service providers can offer technical advice and setup assistance to bigger clients in order to find the appropriate level of encryption needed in each case.
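To check which of the three setups a given call actually uses, the following added example (not code from the original article) classifies a SIP INVITE by its signaling transport and SDP media profile. The article names no protocols, so SIP over TLS for signaling and SRTP for media are assumptions here, and the sample messages are constructed.

```python
import re

# SDP media profiles that indicate SRTP; plain RTP is advertised as RTP/AVP.
SECURE_MEDIA = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
SECURE_SIGNALING = {"TLS", "WSS"}

def classify_call(sip_message):
    """Map one SIP INVITE (headers plus SDP body) to the article's setups."""
    head, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    # The topmost Via names the transport of the hop that delivered this
    # message; it says nothing about earlier hops.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    signaling = bool(via) and via.group(1).upper() in SECURE_SIGNALING
    # Media counts as protected only if every audio/video stream uses SRTP.
    protos = re.findall(r"^m=(?:audio|video) \S+ (\S+)", body, re.M)
    media = bool(protos) and all(p.upper() in SECURE_MEDIA for p in protos)
    if signaling and media:
        return "Setup 2"
    if signaling:
        return "Setup 1"
    if media:
        return "Setup 3"
    return "unprotected"

def make_invite(transport, profile):
    """Build a constructed INVITE for the demo (not captured traffic)."""
    return (
        "INVITE sip:bob@example.test SIP/2.0\r\n"
        f"Via: SIP/2.0/{transport} client.example.test;branch=z9hG4bKdemo\r\n"
        "Content-Type: application/sdp\r\n"
        "\r\n"
        "v=0\r\n"
        "o=alice 1 1 IN IP4 192.0.2.10\r\n"
        "s=-\r\n"
        "c=IN IP4 192.0.2.10\r\n"
        "t=0 0\r\n"
        f"m=audio 49170 {profile} 0\r\n"
    )

if __name__ == "__main__":
    for transport, profile in [("TLS", "RTP/AVP"), ("TLS", "RTP/SAVP"),
                               ("UDP", "RTP/SAVP"), ("UDP", "RTP/AVP")]:
        print(transport, profile, "->", classify_call(make_invite(transport, profile)))
```

When SRTP keys are exchanged inside the SDP (`a=crypto` lines), a Setup 3 result means the media key itself crosses the network in cleartext signaling, so the media encryption offers little protection against an on-path observer.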
Addressing Interception and Modification
Threats in this category all involve some sort of ID spoofing, where the attacker causes the victim’s phone to display a number which is not that of the actual originating station. Unfortunately, there is no effective way to prevent caller ID spoofing. The best solution so far is not to trust caller ID at all. Distrusting caller IDs will, however, only work in certain circumstances. If the receiver is not familiar with the caller, he has no way of confirming his credentials.
The risks of ID spoofing attacks can be limited by proper use of firewalls, configured to filter out the unwanted contact. Intrusion detection/prevention systems are also available, but just like firewalls they only limit interception and modification attacks and cannot prevent them completely.
Penetration testing
In order to conduct penetration testing on your VoIP system, it is vital to begin with a risk assessment. This risk assessment should examine the risk of classical internal network infrastructure attacks, as well as examine the threats listed above.
When conducting a penetration test on a VoIP system, you should evaluate the different VoIP components from a security perspective, along with each component’s capability to maintain the confidentiality, integrity and availability of the environment and of the traffic related to the VoIP system. Specific areas that should be examined are authentication mechanisms and the potential for interception, interruption and manipulation of the information exchanged between the client and the VoIP server.
Conclusion
If Voice over IP is to be a successor to PSTN, work must be done to enhance its security. PSTN has been in place for over a century, so clients are used to a certain level of security and reliability. These users have come to expect the same security performance of VoIP.
This article has shown that this is not the case today. VoIP is susceptible to a larger number of phishing and spoofing threats, but all hope is not lost since there are indeed measures that can be taken in order to increase security for both VoIP users and providers. This is however far from a perfect solution to the problem, as most of these measures require a combination of time, money and IT knowledge to be successfully implemented. This may not be an issue for service providers and large companies, but the general customer cannot be expected to take such drastic measures only to achieve a properly secure telephone service.
Currently there is little to no legal framework regarding protection of transmission in VoIP. Providers are therefore not obligated to provide any form of security to clients, and telecommunication regulators should bring VoIP under a legal framework. Providers also have social responsibilities they need to honor, since their destiny is intertwined with that of the users: there will not be a need for VoIP providers if the general public rejects the system. Providers therefore need to uphold social obligations such as providing clients with appropriate security, informing them of the main threats and maintaining help centers, among other measures.
Service providers will not be directly affected by most of the threats to VoIP, since they have the resources to defend against most of them. Their biggest concern will be the security of the average customer and finding ways to avert users getting exposed to these threats. Next time you utilize VoIP, be wary of the information you share, for you do not know if that information will end up in the wrong