Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

VoIP is the next big hack

VoIP urgently needs protection, says Peter Cox.

Article comments

Sticking your head above the parapet and talking about security threats on Voice- Over-IP (VoIP) networks is a dangerous business. Peter Cox discusses his proof-of-concept VoIP hacking tool.

A recent Techworld news story on SIPtap, a proof-of-concept demonstrator I wrote to illustrate the problem of VoIP call eavesdropping, resulted in a flurry of postings accusing me of scaremongering. Most of the negative comments fell into one of three categories. Firstly that the eavesdropping threat would work only if encryption and other security controls were turned off; secondly that the issue of VoIP security was well understood; thirdly that securing VoIP network is really just the same as securing any other IP application. One posting included the comment:

“Many of the [VoIP] security precautions should already be in place if your network and IT environment is secure.”

On the plus side, the article generated as many positive comments thanking me for highlighting the eavesdropping threat.

So what is the reality? Are such stories just hype or are there a set of threats and risks unique to VoIP protocols and applications that merit special attention? To answer this it is necessary to draw some comparisons between VoIP and other network applications.

VoIP as its name suggests runs on an IP network. This means that it shares a common set of security threats and vulnerabilities with other IP applications such as web and email. These threats and vulnerabilities include all the IP network level threats that web masters and email administrators deal with on a daily basis; threats which are addressed with standard network security technologies and good network design.
In addition to this set of network level threats VoIP applications also face a set of protocol and application specific threats and a set of content related threats.

The protocol and application specific threats stem from the design and implementation of the protocols and the services that VoIP applications deliver. VoIP protocols are complex. This is partly because VoIP aims to provide a real time communication service on an IP network and partly because VoIP protocols have to provide an interface to the standard phone system and mirror some of the features and facilities we have become dependent on after a lifetime’s use of both fixed and mobile phone services.

In addition virtually all VoIP applications provide a rich set of non-voice services such as video conferencing, presence services (providing information on a person’s availability and indicating the best contact options) and even Instant Messaging and paging services. Protocol and application threats include a range of flooding attacks and call disruption threats. Disruption threats include call termination attacks were a malicious attacker can simply cut-off a call and hijacking attacks where an attacker can take over a call. Many of these VoIP application specific threats have no direct analogue in any other network application.

Content related security threats affect the “content” of a VoIP call; a person to person call, a voice conference call or a video call. The threats in this category include simple unauthorised call monitoring or eavesdropping (as demonstrated in my SIPtap utility) and hijacking or injection threats where an attacker takes over a call or injects a voice or video stream to obscure or replace the original conversation. While VoIP content related threats have their analogues in email and web, for example email spam and malicious or inappropriate web content, the technologies behind a VoIP hijack or injection are clearly different from those technologies responsible for email spam and malicious web content.


Share:

More from Techworld

More relevant IT news

Comments




Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *