Hang up the Phone! Your VoIP is Being Hacked!
Sensational title isn't it?
Pardon the sarcasm, but once again we are being bombarded with sensationalist blog and news headlines about the vulnerability of VoIP. The headlines would have you believe that recording any VoIP call is as simple as installing a utility on your PC. Sorry but, in a secure environment that's just nonsense.
I deem the stories to be counter productive and I question the motives. It's great to raise security awareness, but how about some perspective and some helpful advice? What I don't see in these blog posts and news articles, is any description of the environment or circumstance under which these attacks are possible. Nor do I see any advice on whether protection mechanisms are available.
Several months ago, I bought and read the book Hacking Exposed VoIP since so many security presentations and articles used this book as a reference. It was interesting, and I would recommend it for those who would like to understand VoIP and SIP vulnerabilities. However, what I discovered was that nearly all of the hacks / vulnerabilities described in the book were dependent on the fact that common security best practices had not been implemented or had been compromised.
The latest flurry is related to a monitoring utility named SipTap by Peter Cox at VoIPCode.org.
While it's true that VoIP is vulnerable to a wide variety of attacks, it is also true that nearly all (including this latest one) can be mitigated by sound security practices.
I won't go into a detailed tutorial but I will provide a quick list and some references for you to pursue:
- Secure the IP Phones preventing users from viewing or changing configuration parameters
- Encryption: Signaling, Audio Path and Administrative
- Use Certificates to authenticate humans and components that use the system
- Disable root access for telephony administrators
- Deploy AAA systems and procedures (Authentication, Authorization and Accounting)
- Carefully choose who is allowed to transfer calls to an external destination
- Deploy and maintain virus protection
- Disable all unnecessary services on phones and related systems
- Expire passwords
- Disable passwords following a number of failed attempts
- Impose content and length restrictions to passwords
- Impose rate-limiting mechanisms to thwart DoS attackes
- Deploy security monitoring and alarming systems
- Phones and devices should reject unsigned or tampered firmware
- Reject 802.1q traffic destined to, or from the PC switch port of the phone
- Segment voice and data traffic on separate VLANs (PC phones violate this best practice)
- Install properly configured firewalls (duh!)
- Secure all network devices (physically and logically)
- Phones should ignore gratuitous ARPs
- Perform DHCP inspection
- Implement VPNs for remote access
Enhanced Security for Unified Communications (Cisco)
Enterprise VoIP Security Best Practices (Juniper)
VoIP Security for Dummies (Avaya)
I don't deny for a second that SIP and VoIP have vulnerabilities and that they must be addressed. But, there's no going back to TDM. IP communications is here to stay and the vast majority of risks can be adequately mitigated. Many of the security precautions should already be in place if your network and IT environment is secure.
Rick McCharles
VoIP / IP Telephony Consultant, Toronto
RIC Services
Stumble It!
1 TrackBacks
Listed below are links to blogs that reference this entry: Hang up the Phone! Your VoIP is Being Hacked!.
TrackBack URL for this entry: http://www.ric.ca/mt/mt-tb.cgi/56
» VoIP Security Perspective from IP Communications and Technology
I'm amazed at the viral charateristics of the propagation of stories related to VoIP security risks. I don't really understand why that's the case. Perhaps it's due to the emotion of fear and the basic instinct of defending oneself against... Read More
I am pleased that John Dunn’s Techworld.com write up of my siptap utility has attracted so much interest. Siptap was written as a proof-of-concept, to show that VoIP call eavesdropping is possible. The reaction to John’s article has been fairly equally divided between praise for drawing attention to the problem and accusations of scare-mongering because “in a secure environment that’s just nonsense”.
I am the first to agree that both this problem and a host of other VoIP security problems are solvable, but no amount of security technology will help unless that technology is deployed. Many VoIP networks still lack basic security controls. One of the reasons for this is that many VoIP users simply do understand the security risks, or fully appreciate some of the differences between VoIP and other network applications. The motivation behind Siptap was to demonstrate the need for better use of VoIP security controls. Siptap is a direct result of a discussion between Phil Zimmermann and myself on how to get this message, and specifically the need for encryption across.
Your list of steps to secure your VoIP network makes perfect sense, although our opinions may differ on some of the details. The issue is, that that unless there is greater awareness of the problems, few VoIP network administrators will even ask the questions that lead them to the solution. Until then I think it is important that the security risks are publicised and discussed.
Peter Cox, siptap author
peter@voipcode.org
Hi Peter,
Thanks for your comments. As you probably realize, I am in fact, in favour of disseminating information regarding VoIP related security vulnerabilities.
My peeve is the way in which authors create hype and fear by posting articles with sensational headlines. I see very little critical examination of the facts or any effort to put the risks in perspective. Environment, circumstances, probability, impact and mitigation attributes are rarely discussed.
Also, it is rare to see a distinction being made between consumer VoIP services and what I call enterprise-class IP Telephony. There is a huge difference between the two....well there at least should be!
Thanks,
Rick McCharles
It's really a nice article.VoIP systems employ session control protocols to control the set-up and tear-down of calls as well as audio codecs which encode speech allowing transmission over an IP network .