Recently in Security Category

Financial Post Article on VoIP Security

By Rick McCharles on March 21, 2008 7:49 AM |
I was recently interviewed by the National Post to provide some comments on VoIP / Wireless security for an article in the Financial Post.

I'm not sure what's behind it, but when it comes to transporting voice over an IP network, there continues to be a fascination and some paranoia about the security aspects. This despite the fact that references to documented security breaches remain elusive. VoIP and SIP do have security vulnerabilities but as I have stated many times, all of the associated risks can be sufficiently mitigated by following documented best-practices.

When it comes to eavesdropping on voice calls, things were much simpler when I was implementing business voice solutions during the early 80s'. Remember the Butt Set? Despite the fact that all one needed to listen to, andButtSet.gif record calls, was a pair of alligator clips and easily accessed wire pairs, I rarely heard anyone express concerns about voice security.

Intercepting VoIP calls in a properly secured environment, is slightly more complicated. First one needs to either get physical access or to somehow redirect the VoIP traffic. Once that is accomplished, there are software tools that can capture the VoIP traffic and convert the encoded voice back to analogue. In a secure enterprise environment however, that is much more complicated than the Butt Set method of old. And oh yes, I almost forgot. Someone came up with this silly concept of encryption, which when applied to VoIP media streams and signaling, adds considerably to the challenge of eavesdropping!
StumbleUpon ToolbarStumble It!

Cisco Unified IP Phone Security Vulnerability

By Rick McCharles on December 1, 2007 3:50 PM |

Cisco has updated its response to a security vulnerability that could, under the right conditions, allow someone to remotely eavesdrop on audio near a Cisco phone. The attack involves accessing the web server of a Cisco IP phone, and then issuing a command to instruct the phone to go off-hook in speaker-phone mode. Any audio picked up by the remote phone can then be streamed to a remote phone.

In order for the attack to occur the following conditions must be met:

  • The internal web server of the IP phone must be enabled. The web server is enabled by default.
  • The IP phone must be configured to use the Extension Mobility feature, which is not enabled by default.
  • The attacker must possess or obtain valid Extension Mobility authentication credentials.
For those who don't know, extension mobility is a very handy feature that allows an individual to log-into an IP phone. Once authenticated, the IP Phone is configured according to the user's normal extension. The feature allows a single phone to be shared among multiple individuals. It also has great mobility benefits in that an individual can for example, "virtually" move his or her phone to a new work location. For example, if you were going to work in a conference room for the day, you could log into the conference room phone.

Details on how to exploit the vulnerability.
Cisco's Security Response, Document ID: 100252

Once again, I urge industry professionals to counter the fear mongering hype and provide some perspective on the risk and advice on how to mitigate it.

Rick McCharles
VoIP Consultant, Toronto
RIC Services



StumbleUpon ToolbarStumble It!

VoIP Security Perspective

By Rick McCharles on November 27, 2007 8:47 AM |

I'm amazed at the viral charateristics of the propagation of stories related to VoIP security risks. I don't really understand why that's the case. Perhaps it's due to the emotion of fear and the basic instinct of defending oneself against threats.

In general, I believe the spread of the security misinformation is unintentional. Authors, notice an interesting headline and post it with the hopes that it will attract readers. However, I have noticed that in many instances, the story originators are in the business of selling security products or services. To be clear, I am not painting everyone in the VoIP security business with the same brush. Most are responsible professionals with a genuine interest in educating the uninformed about the potential vulnerabilities and risks.

Please refer to my previous posts on the subject:

Hang up the Phone. Your VoiP is Being Hacked
More VoIP Security Hype Nonsense
VoIP: Perceived Risks and Best Practices
Exaggerated VoIP Security Risks

I will continue in my attempts to inject common sense and perspective to counter the security hype wherever I can. VoIP, IP Telephony and Unified Communications can be (and is routinely) deployed securely; it's not rocket science.

Rick McCharles
Telecom Consultant, Toronto
RIC Services








StumbleUpon ToolbarStumble It!

Hang up the Phone! Your VoIP is Being Hacked!

By Rick McCharles on November 23, 2007 1:48 PM | | Comments (2) | TrackBacks (1)

Sensational title isn't it?

Pardon the sarcasm, but once again we are being bombarded with sensationalist blog and news headlines about the vulnerability of VoIP. The headlines would have you believe that recording any VoIP call is as simple as installing a utility on your PC. Sorry but, in a secure environment that's just nonsense.

I deem the stories to be counter productive and I question the motives. It's great to raise security awareness, but how about some perspective and some helpful advice? What I don't see in these blog posts and news articles, is any description of the environment or circumstance under which these attacks are possible. Nor do I see any advice on whether protection mechanisms are available.

Several months ago, I bought and read the book Hacking Exposed VoIP since so many security presentations and articles used this book as a reference. It was interesting, and I would recommend it for those who would like to understand VoIP and SIP vulnerabilities. However, what I discovered was that nearly all of the hacks / vulnerabilities described in the book were dependent on the fact that common security best practices had not been implemented or had been compromised.

The latest flurry is related to a monitoring utility named SipTap by Peter Cox at VoIPCode.org.

While it's true that VoIP is vulnerable to a wide variety of attacks, it is also true that nearly all (including this latest one) can be mitigated by sound security practices.

I won't go into a detailed tutorial but I will provide a quick list and some references for you to pursue:

  • Secure the IP Phones preventing users from viewing or changing configuration parameters
  • Encryption: Signaling, Audio Path and Administrative
  • Use Certificates to authenticate humans and components that use the system
  • Disable root access for telephony administrators
  • Deploy AAA systems and procedures (Authentication, Authorization and Accounting)
  • Carefully choose who is allowed to transfer calls to an external destination
  • Deploy and maintain virus protection
  • Disable all unnecessary services on phones and related systems
  • Expire passwords
  • Disable passwords following a number of failed attempts
  • Impose content and length restrictions to passwords
  • Impose rate-limiting mechanisms to thwart DoS attackes
  • Deploy security monitoring and alarming systems
  • Phones and devices should reject unsigned or tampered firmware
  • Reject 802.1q traffic destined to, or from the PC switch port of the phone
  • Segment voice and data traffic on separate VLANs (PC phones violate this best practice)
  • Install properly configured firewalls (duh!)
  • Secure all network devices (physically and logically)
  • Phones should ignore gratuitous ARPs
  • Perform DHCP inspection
  • Implement VPNs for remote access
Here are some excellent references:

Enhanced Security for Unified Communications (Cisco)
Enterprise VoIP Security Best Practices (Juniper)
VoIP Security for Dummies (Avaya)

I don't deny for a second that SIP and VoIP have vulnerabilities and that they must be addressed. But, there's no going back to TDM. IP communications is here to stay and the vast majority of risks can be adequately mitigated. Many of the security precautions should already be in place if your network and IT environment is secure.

Rick McCharles
VoIP / IP Telephony Consultant, Toronto
RIC Services



StumbleUpon ToolbarStumble It!

More VoIP Security Hype Nonsense

By Rick McCharles on March 5, 2007 2:30 AM | | TrackBacks (1)
An article posted on March 05, 2007 in COMPUTERWORLD has for a title:

"Enterprises must avoid IP telephony for teleworkers or face attack" Link Here

According to this article, allowing Teleworkers to work with VoIP will expose your enterprise to a multitude of dire consequences such as:
  • Hackers stealing usernames and passwords
  • Placing users vulnerable to a very real attack
  • Hackers recording conversations
  • Hackers gaining access to your online banking
Whatever the motivations for these sensationalist articles, they do nothing to educate the public about the real risks associated with VoIP and how to mitigate them.

Avoid IP Telephony for Teleworkers? Sure, ignore one of the most important benefits of IP Telephony in case some evil VoIP hacker posts all of your private conversations on CNN, empties all of your bank accounts and bankrupts your organization!

The fact is, that VoIP can be, and is routinely, deployed and used securely; even by Teleworkers, imagine that.

There are risks associated with VoIP and IP Telephony. For enterprise most of these risks are associated with network infrastructure. If an enterprise's security policy and implementation is full of holes, then it is vulnerable to attack not only for VoIP but all the other applications that run over the infrastructure including email. How many companies encrypt their email? Very few, yet we're not bombarded with a constant stream of doom articles on how corporate email is at serious risk and we should prevent remote employees from using it!

In almost every instance, the VoIP sky-is-falling articles are not able to produce even a single documented event that demonstrates how a particular vulnerability was exploited.

As usual, I make the distinction between Consumer based VoIP services and Enterprise-Class IP Telephony. The former has the potential for more security concerns and weaknesses.

On the enterprise side, there are plenty of sources that describe best-practices and tools to deploy VoIP securely:

- A PDF Document by Juniper
- VOIPSA (An organization dedicated to VoIP security without the hype)

A Google search on the subject will yield hundreds of related sources.

Perhaps the authors contributing to all this hype should also do a little research.

Rick McCharles
www.ric.ca


StumbleUpon ToolbarStumble It!
« Resources | Main Index | Archives | SIP »

About this Archive

This page is a archive of recent entries in the Security category.

Resources is the previous category.

SIP is the next category.

Find recent content on the main index or look in the archives to find all content.

Security: Monthly Archives

RIC Services
Powered by Movable Type 4.01