VoIP (Voice Over IP) Security

From Computing and Software Wiki

VoIP (Voice over Internet Protocol) is a protocol used for the transmission of voice data across the Internet. IP telephony treats voice as another form of data that is compressed and optimized for network traffic and is vulnerable to attacks traditional data would be on the network. VoIP security is akin to network security; voice data traveling the network will look like any other normal data.

Corporations generally place VoIP concerns on the voice quality, latency, and quality of service above the overall security when VoIP telephony is actually more vulnerable to certain attacks compared to the traditional phone system. The most common threats found in the VoIP environment include eavesdropping, theft of services, and denial of service attacks.

Contents 1 Introduction 1.1 Components 1.2 VoIP Protocols 1.2.1 H.323 1.2.2 Session Initiation Protocol 2 Attacks 2.1 Eavesdropping 2.1.1 Data Encryption 2.2 Theft of Services 2.2.1 Authentication 2.3 Denial of Services 2.3.1 Packet Filtering 3 Recommendations 4 References 5 See Also 6 External Links

Introduction

To greater understand VoIP security, a general overview of VoIP systems is useful.

Components

A typical VoIP system includes four components:

VoIP system Components

Component	Description
Data Network	Must be high performance to avoid choppy communication QoS (Quality of Service) standard to prioritize voice traffic over data traffic DiffServ Layer 3 QoS mechanism 802.1p Layer 2 QoS mechanism
IP Handset	Handset has to be IP enabled so audio stream can be digitized to be transmitted on the IP network
Call Server	Application running on dedicated workstation Provides all call signaling Provides all call control functionality Core operating code of a PBX (Private Branch Exchange) transferred here
Gateway	Voice connectivity between IP network and public carrier network Can be taken over by hackers to make free calls

VoIP Protocols

Voice is connection oriented, hence communication between two parties must be set up first. Two of the most common protocols used are H.323 and Session Initiation Protocol (SIP).

H.323

H.323 is a standard to promote compatibility in video conference transmissions over IP networks. (cite)

H.323 has four main components:

1. Terminal
2. Gateway
3. Multipoint Control Unit (MCU)
4. Gatekeeper

Session Initiation Protocol

SIP is a peer-to-peer standard protocol for multimedia conferencing over IP. SIP exists on the application layer used to initiate, maintain, as well as terminate a call. SIP contains 3 components:

1. User agent client or user agent server
2. Proxy server
3. Redirect server

Attacks

There are three main types of attacks that the VoIP environment are susceptible to including eavesdropping, theft of services, and denial of service attacks.

Eavesdropping

Eavesdropping on VoIP calls involves third parties monitoring the call signal packets in which the hacker may learn of confidential information such as name, passwords, and other personal information. This is especially significant to businesses as corporate sensitive information may be revealed.

VoIP eavesdropping is easier accomplished that eavesdropping the traditional telephone line through physical wiretap since the hacker must physically place the wiretap. Since VoIP calls send data across the network, the hacker can sniff for packets anywhere along the network.

To eavesdrop a call there are 3 simple steps:

1. Understanding how IP Telephony works.
2. Obtain tools.
3. Connect the tools into the IP network.

A typical eavesdropper would:

1. Perform a side channel attack based on the fact all IP Telephony implementations use Real Time Protocol(RTP) to transfer packets.
2. Download, install, and run Fireberd DNA-323 to capture and replay voice packets.
3. Connect to the IP network the VoIP conversation is taking place on.

Data Encryption

The most effective countermeasure to eavesdropping is data encryption. As seen in class, there are many data encryption methods, some more effective than others. However, all methods introduce overhead which can greatly effect the quality of the conversation by causing large packet loss and packet jitter. Here are some common ways of implementing data encryption for VoIP:

• Using software such as Zfone
• Using VoIP clients with built in encryption such as Skype

Skype comes with its own propriety encryption method. Some other common methods include: Data Encryption Standard(DES), Triple DES (3DES), Advanced Encryption Standard (AES)

• Using a Virtual Private Network (VPN)

Theft of Services

One of the great things about VoIP is the fact that you can take it anywhere in the world that has internet access and use it. Unfortunately, this also benefits the hacker so that he or she may steal access to your VoIP services and then possibly do criminal activities with them. Also known as VoIP "phreaking", the hacker can steal your VoIP services through two common ways:

• Spoofing
  • Accomplished through changing the header data in the voice packet so it looks like it comes from a different source
  • Hacking into SIP changing SIP registrar information
• Man in the middle attack (MITM).
  • Accomplished through monitoring traffic, recording it and/or changing it

Authentication

The most effective countermeasure to theft of VoIP services involves implementing authentication. Fortunalty, VoIP protocols include some form of authentication. Specifically, the H.235 component of H.323 facilitates 3 types of authentication:

1. Symmetric encryption
2. Subscription based
3. IPSEC

Subscription based is much more CPU intensive than symmetric encryption and requires the sharing of a secret key before communication can begin. Alternatively, H.235 may allow IPSEC to handle the authentication. SIP also provides 3 different types of authentication:

1. Basic authentication
2. Digest authentication
3. PGP authentication

However, all three are challenge-response based.

Other authentication methods include but not limited to:

• Public key authentication with certification
• Diffie-Hellman key exchange
• UNI-OSP from Cisco

Denial of Services

There are two main types of denial of services attacks in the VoIP environment including:

1. Exploiting software bugs to bring down servers
2. Distributed bandwidth attack

Before a DoS attack can take place, the hacker must first use a sniffing program to look for vulnerable hosts. As discussed in class, a port scanner is useful to identify those hosts. In a distributed DoS (DDoS) attack, once the vulnerable host is found, a program sometimes called a bot is installed on the computer and awaits for instructions. The hacker can the send a message to all bots to bombard a target with traffic effectively disabling it.

Packet Filtering

Denial of service attacks are hard to defend against because of the nature of the attack; The attack is hard to distinguish from normal traffic. The method to defend against DoS attacks used today is mainly packet filtering. The packet filter must look for suspicious packets and block them before reaching the target. There is still a great amount of work that can be done in this area.

Recommendations

Although a network cannot be completely immune to attack, here are some recommendations to secure your VoIP network.

1. Do not user shared media devices (ie hubs) on networks
2. All VoIP traffic should be encrypted
3. VoIP servers with confidential information should be treated as a confidential database
4. Build redundancy into VoIP network.
5. Make sure firewall is VoIP aware

References

1. http://www.eetimes.com/showArticle.jhtml;jsessionid=ERU1FKTFCHUJUQSNDLPCKH0CJUNN2JVN?articleID=16505939

See Also

External Links

--Chenc8 13:29, 13 April 2008 (EDT)