Taking a stance on VoIP security
 Posted by SecExtra on February 20th, 2008

We got a great piece in today from Dave Gladwin, a 25-year veteran of the telecoms industry, the past ten involved in VoIP. Dave is an expert on VoIP security, having authored a number of articles on subjects including network security, lawful interception over IP networks and emergency call handling in VoIP networks. Dave has provided us with a good overview of the security side of VoIP… enjoy.

Voice calls over the internet (VoIP) are great. They are cheap, easy to use, and often all you need is a computer and internet access. VoIP has become increasingly popular among consumers because of its low price and the business market has started to reap the benefits of its flexibility as well. But as subscriber levels continue to rise at a rapid rate, have security implications taken a back seat?

Barriers to security
While VoIP security should be primarily the responsibility of the carrier, for it to be as secure as possible all individuals involved need to take care to protect themselves from threats.

For the next generation of internet users used to buying music online, and using free communication tools such as Instant Messaging and social networking sites, VoIP is a natural extension of their online lives. But the fact that it’s cheap and internet-based ought to be a red light for users regarding security.

VoIP vs. internet security
VoIP calls are set up using a protocol called Session Initiation Protocol, or SIP. It integrates easily with other applications running over the IP network and runs from one end of the call to the other. But its openness also means that it is more susceptible to attacks than a traditional phone line, which is in effect a closed system.

Because VoIP phones or clients are ‘intelligent’ they are more powerful and flexible compared with a normal phone. But this can pose a serious problem for service providers. The malicious VoIP user has direct access to the end-to-end protocol and therefore has the opportunity to manipulate the call.

Types of threats
There are many types of threats, but two in particular are worth mentioning: vishing and phreaking. Vishing targets consumers and refers to a hacker using a voice service to “phish” for personal details such as credit card details over an IP connection. The target will receive caller identity details which have been spoofed, or will be played a recording asking them to ring a bogus number where credit card details will be harvested.
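A provider-side check for the spoofed caller identity described above, given here as an added example that is not part of the original article. It assumes the provider's trusted edge inserts a P-Asserted-Identity header (RFC 3325, not mentioned in the article) and strips any copy arriving from untrusted clients; the sample messages, hosts and numbers are constructed.

```python
import re

# Constructed sample INVITEs (not captured traffic); all values are placeholders.
CONSISTENT = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP gw.example.com;branch=z9hG4bK1\r\n"
    'From: "Alice" <sip:+15550100@example.com>;tag=1\r\n'
    "To: <sip:bob@example.net>\r\n"
    "P-Asserted-Identity: <sip:+15550100@example.com>\r\n"
    "Call-ID: a1@gw.example.com\r\n"
    "CSeq: 1 INVITE\r\n\r\n"
)
# Same call, but the client-controlled From header claims another identity.
SPOOFED = CONSISTENT.replace('"Alice" <sip:+15550100@', '"Your Bank" <sip:+15550199@')

def parse_headers(msg):
    """Return {lowercased header name: [values]} for one SIP message."""
    head = msg.split("\r\n\r\n", 1)[0]
    head = re.sub(r"\r\n[ \t]+", " ", head)  # unfold wrapped header lines
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def user_part(value):
    """User part of the first sip:/sips:/tel: URI, ignoring the display name."""
    value = re.sub(r'"[^"]*"', "", value)    # display name is free text, drop it
    m = re.search(r"(?:sips?|tel):([^@;>\s]+)", value, re.I)
    return m.group(1).lower() if m else None

def caller_id_verdict(msg):
    """Compare the client-supplied From identity with the network-asserted one."""
    h = parse_headers(msg)
    # "f" is the compact form of From in SIP.
    claimed = user_part((h.get("from") or h.get("f") or [""])[0])
    asserted = {u for u in map(user_part, h.get("p-asserted-identity", [])) if u}
    if not asserted:
        return "unverified"  # nothing asserted by the network: do not trust caller ID
    return "consistent" if claimed in asserted else "mismatch"

if __name__ == "__main__":
    for label, msg in (("consistent sample", CONSISTENT), ("spoofed sample", SPOOFED)):
        print(label, "->", caller_id_verdict(msg))
```

A "mismatch" or "unverified" verdict is a signal for logging or for withholding the displayed caller name, not proof of fraud, since legitimate call forwarding can also change the From header.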

Phreaking targets the service provider’s network and involves hacking into network equipment to make free phone calls. This was once the province of specialist hackers, but with more phone calls moving into the IP world, phreaking is ever more prevalent for the mainstream Internet hacker. Therefore, VoIP is susceptible to the same types of security threats as any communication via the internet.

A good example of exploiting weaknesses in IP networks is the 23-year-old Miami resident Edwin Andres Pena, who caught the headlines in 2006 with his arrest and subsequent prosecution by the US federal government. The case had little to do with ‘cracking VoIP’ and a lot more to do with Pena’s exploitation of the service providers’ failure to provide basic IT security. Pena was caught in the act of selling discounted phone services by hacking into internet phone service providers and piggybacking connections over their networks. This was a case of weak or default passwords allowing hacking, rather than a result of inherent faults in the VoIP network. This should be a lesson to us all.

VoIP hacking is nothing new, but rather an extension of traditional PC hacking. To protect an IP network from security breaches, the telecoms industry will need to learn from the early mistakes made by internet providers. Security measures on the internet such as firewalls and intrusion detection systems have their voice and multi-media equivalents and need to be applied by VoIP service providers.

Are we ready for VoIP?
At a recent telecoms interconnection conference the message was clear – there is no doubt that VoIP is big business. So security between IP interconnections must be equally rigorous.

The good news is that many service providers have already planned to add the required security to their networks; however, as with internet security, there will be good and bad implementations. But some responsibility will have to lie with the consumer. Choosing your VoIP service provider may be just like choosing your bank: a good security record is a unique selling point.


This entry was posted on Wednesday, February 20th, 2008 at 6:28 am and is filed under IT security.
