VoIP technology introduced tremendous advantages for the telecommunication industry and changed the way we communicate.
VoIP is everywhere today, from applications running on your smartphone to your telco provider's backbone network and interconnections.
VoIP has also earned a place among the trusted technologies an enterprise will choose to deploy in order to provide advanced features to end users or to cut costs.
But we often overlook an important aspect of VoIP: security. Pay no attention to security and you will soon regret it.
VoIP cost, functionality and reliability are of course important concerns, but security should be a major concern too, and you should be aware of the VoIP security issues.
VoIP security issues
- Identity and service theft
- VoIP phishing
- Denial of Service Attacks
- Spamming over Internet Telephony
- Man-in-the-middle attacks
Identity and service theft
Identity and service theft is a type of hacking that steals service from a service provider, or uses a service while passing the cost to another person.
Encryption should be in the list of musts when planning for VoIP. Without encryption, user credentials are vulnerable to theft.
Similar to how someone can use a network sniffer to get access to your data, a black hat hacker can obtain critical information about a VoIP service, such as call detail records, voicemail messages etc.
This can subsequently lead to service theft or the disclosure of business-critical data.
Encryption is again the top priority for preventing that.
VoIP phishing
VoIP phishing involves a party calling under a fake identity and trying to get access to confidential and critical information. For example, someone can call you using the phone number of your bank's local branch, asking for your bank account details.
While enterprises can do nothing to prevent that, users should be cautious and carefully examine the person requesting such information.
What is important here is that VoIP service providers should apply security rules and validation mechanisms to prevent fake identities.
Viruses and malware
VoIP applications exist for many platforms such as your smartphone, your tablet, your desktop, even your browser (see WebRTC), and that's the beauty of VoIP. But similar to the damage that a virus can do to your network, a virus or malware can get access to your VoIP service and abuse it.
Recently I had to deal with a customer case where one of the users (somehow) downloaded a Firefox add-on which was actually malware, and its sole purpose was to scan the local network for SIP gateways in order to get access to them. The result was an invoice with a 5-digit figure, which compared to other cases can be considered a light case.
Secure your network and never underestimate the damage that can be done if you take viruses and malware lightly.
DoS (Denial of Service)
A Denial of Service attack can bring your VoIP service to a halt and thus cause losses in profits, reputation, trust etc.
For SIP, DoS can be done by flooding a target with unnecessary SIP call-signaling messages, thereby degrading the service.
To prevent DoS attacks, a Session Border Controller (see SBC) can be deployed. Think of an SBC as a firewall for VoIP.
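One way to spot the signaling flood described above is to count SIP requests per source address over a sliding time window. The sketch below is an added example, not code from the original article or from any SBC product; the function names, the 10-second window, the limit of 20 requests and the sample traffic (documentation-range addresses) are all assumptions made for illustration.

```python
from collections import defaultdict, deque

SIP_METHODS = {"INVITE", "REGISTER", "OPTIONS", "ACK", "BYE", "CANCEL",
               "SUBSCRIBE", "NOTIFY", "MESSAGE", "INFO", "UPDATE", "REFER",
               "PRACK", "PUBLISH"}

def request_method(raw):
    """Return the SIP method of a request, or None for responses or garbage."""
    first = raw.split("\r\n", 1)[0].split(" ")
    # Request-Line is: METHOD SP Request-URI SP SIP/2.0 (RFC 3261, section 7.1)
    if len(first) == 3 and first[2] == "SIP/2.0" and first[0] in SIP_METHODS:
        return first[0]
    return None

def flooding_sources(events, window=10.0, limit=20):
    """events: time-ordered (timestamp, source_ip, raw_sip_message) tuples.
    Returns {source_ip: peak request count within any `window` seconds}
    for every source whose peak exceeds `limit` (both values are assumed)."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peak = defaultdict(int)
    for ts, src, raw in events:
        if request_method(raw) is None:
            continue              # responses do not count as call signaling load
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that aged out of the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n > limit}

def sample_events():
    """Constructed traffic: one flooding source and one normal caller."""
    reg = "REGISTER sip:pbx.example.com SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n"
    inv = "INVITE sip:100@pbx.example.com SIP/2.0\r\nCSeq: 1 INVITE\r\n\r\n"
    ok = "SIP/2.0 200 OK\r\nCSeq: 1 INVITE\r\n\r\n"
    events = [(i * 0.1, "198.51.100.7", reg) for i in range(50)]
    events += [(1.0, "192.0.2.10", inv), (1.5, "192.0.2.10", ok),
               (12.0, "192.0.2.10", inv), (30.0, "192.0.2.10", inv)]
    return sorted(events, key=lambda e: e[0])

if __name__ == "__main__":
    for src, n in flooding_sources(sample_events()).items():
        print(f"{src}: {n} SIP requests within 10 s, candidate for rate limiting")
```

The same counters can feed an alert or a temporary block rule; the right window and limit depend on how many endpoints legitimately sit behind one address.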
Spamming over Internet Telephony
Similar to email spamming, VoIP spamming means sending VoIP traffic to a VoIP service against the recipient's will. This can result in service disruption, which sometimes can turn into DoS or even phishing over VoIP.
Session Border Controllers can help to prevent spamming over VoIP.
Man-in-the-middle attacks
When an attacker, using a fake identity, can intercept VoIP traffic and get in the middle pretending to be a trusted party, we have a man-in-the-middle attack (for more see man-in-the-middle-attack).
A man-in-the-middle attack gives the attacker access to encryption keys, usernames, passwords etc.
Strong security policies and encryption should be applied to prevent man-in-the-middle attacks.
VoIP security concerns should be a major topic when designing and deploying VoIP services. The two important things to keep in mind for VoIP security:
Imagine what will happen if you deploy your new web application open to the Internet without taking care of the firewall and security holes. Just expose a well-known service such as SSH and check the logs: you will see SSH connection attempts from everywhere in the world.
Or imagine that your bank did not support secure, encrypted links but you nevertheless had to use their internet banking service.
Similar to a firewall, a Session Border Controller is a VoIP firewall, preventing DoS and toll fraud, enforcing encryption, hiding topology etc.
Together with an SBC, a public VoIP service should be encrypted at both the signalling and the media stream.