Voice over IP (VoIP) Communication Systems
VoIP is steadily gaining market acceptance in regards to the telephony aspect of enterprise communications. Organisations are moving away from reliance on traditional Private Branch Exchange’s (PBX) and Plain Old Telephone System’s (POTS) toward VoIP solutions.
The benefits of a VoIP-based solution are clear, given that phone calls between two VoIP users on the same system are free and do not carry extra bearer costs to the organisation; other than the use of network bandwidth across the organisations internet connections or their Wide Area Network (WAN).
The convergence of voice and data communications running over the same ethernet infrastructure poses additional security related concerns to network and security managers. This convergence is the integration of voice and data on an organisations network infrastructure. A result of this convergence is that in the event of an attack, both the organisations telephone and data network is at risk.
As has happened with other emerging technologies the speed of advances in VoIP technology has typically outpaced the corresponding security requirement. The most prevalent threats to VoIP deployments stem from the same threats inherited from the data networking environment resulting in a potentially insecure deployment vulnerable to network attack.
VoIP is composed of a family of supporting technologies that enables voice applications to be carried on an IP network across a clients backbone or externally using the internet. Securing a VoIP infrastructure requires planning, analysis and an in-depth and high level of knowledge about the configuration of the chosen VoIP implementation.
Some of the threats to the security of the VoIP network can be summarised as follows:
Vulnerabilities on standard IP systems such as servers, workstations and network equipment can lead to the compromise of the VoIP infrastructure either directly or as a platform for attack. These generic IP network level threats are the same as those faced by all existing IP systems.
VoIP systems are susceptible to the same vulnerabilities as the operating system or firmware that they are based on, these base operating systems could be Linux or Windows derived systems or embedded operating systems such as WinCE, PalmOS and SymbianOS.
Configuration and management of VoIP devices is as important as in a traditional data only network. VoIP devices can be viewed as an extension to the network infrastructure and should be locked down to the least number of services required to fulfil the telephony service.
As VoIP is a relatively speaking, recent introduction to the enterprise network it can be viewed as an immature product and should be considered as such and the applications assessed to make sure they do not add extra risk to the core network infrastructure. VoIP applications could include services such as voicemail and music-on-hold.
VoIP application threats are specific to the design, configuration and implementation of the VoIP service and can result in the disruption of calls or lead to complete loss of service on the VoIP system. Content based threats could include unwanted calls, call flooding and attacks against the voice transport service.
The devices can be located by scanning the network and identifying typical VoIP services and potentially control interfaces. Many VoIP devices such as hard-phones and VoIP servers give a system management facility by offering a web management interface.
Typical VoIP services could include SIP phone extensions, TFTP configuration files and SNMP configuration information.
VoIP Service Disruption (Denial-of-Service):
A DoS attack can be made against any IP-based network service, the impact of an attack can range from degradation to total loss of service for a period ranging from minutes to hours depending on the attack. A DoS attack may have no lasting effect beyond the duration of the attack or it may result in the need to reboot the entire VoIP infrastructure.
DoS attacks are difficult to defend against and are particularly effective against a VoIP services because of the real-time nature of the service and the latency introduced to the network during a successful DoS attack.
A VoIP specific DoS attack may involve SIP or H.323 registration flooding resulting in potential resource starvation as the system struggles to acknowledge and act on the received bogus messages. Other examples of VoIP specific DoS attacks include preventing successful call negotiation, disconnecting current calls or preventing the use of VoIP applications such as voicemail.
Call Interception (Eavesdropping):
VoIP call interception and eavesdropping is a major challenge in the deployment of enterprise VoIP systems. An attacker who is able to successfully watch the VoIP traffic between endpoints potentially has the ability to record and replay conversations without the knowledge of the parties involved in the call.
These type of active attacks though more difficult to engineer can result in significant confidentiality and privacy concerns to VoIP system implementations compared to less intrusive DoS style attacks.
There are a number of proprietary and non-proprietary protocols in existence, there are two main classes of VoIP specific signalling protocols in operation these being H.323 and SIP based systems. Currently Session Initiation Protocol (SIP) is the most commonly used VoIP signalling protocol and gaining acceptance as the standard. SIP performs the signalling functions of setup, teardown and modification of connections in which Real Time Protocol (RTP), transfers the audio data.
Both protocol families have vulnerabilities that are being actively researched and developed into either proof-of-concept or working exploits that take advantage of any of the standards based VoIP service. These threats could take the form of signalling or audio manipulation or a form of VoIP phishing.
For different reasons H.323 and SIP are both vulnerable to encoding scheme based attacks. SIP is a text-based signalling protocol similar to HTTP with the result that malformed SIP messages or SIP message sequences can be constructed by an attacker to aid in the probing and abuse of SIP based VoIP resources. H.323 signalling is encoded as per the ASN.1 PER encoding rules, it is the interpretation and implementation of the H.323 message parsing systems that results in security vulnerabilities in H.323 based VoIP resources.
At the backend of both SIP and H.323 is the Real Time Protocol (RTP) which is the common baseline for both higher level protocol suites. RTP uses the stateless User Datagram Protocol (UDP) part of the IP protocol stack. In order to encode the voice part of a VoIP call a ‘codec’ (enCOder/DECoder) is used, information about the codec to be used by the VoIP system is negotiated by the signalling system (SIP/H.323) during the call initiation. The codec(s) used by a specific VoIP service relate to the method used for compression and the way the audio stream is encapsulated in the RTP transmission protocol.
There are other network protocols which can be used by a VoIP system for signalling and call data which do not necessarily conform to any prescribed standards and are system specific such as Asterisk’s Inter-Asterisk eXchange (IAX2) peer-to-peer signalling and data transfer protocol.
VoIP Security Testing
A key element in securing an existing VoIP implementation is to find any potential vulnerabilities and security issues in the configuration. A VoIP security assessment and penetration test would check the risk and exposure of the system to network attack and find any existing vulnerabilities.
The first step in locating VoIP enabled devices on a network would involve scanning the network range and identifying some well-known VoIP service ports for example:
- SIP enabled devices typically respond to UDP/TCP ports 5060 and TLS over TCP port 5061
- H.323 enabled devices use multiple ports including TCP 1720 and UDP 1719
Having identified the VoIP infrastructure through performing the information gathering and footprinting stage, an assessment would move on to specific VoIP enumeration and vulnerability scanning to find the relevant VoIP-based threats and attacks that may be applicable based on the configuration of the architecture under review.
VoIP system enumeration is primarily concerned with identifying valid extensions, configuration files, SNMP and network traffic for analysis. Targeted application level attacks against a VoIP system could include:
- Attacking VoIP network devices
- INVITE flooding
- BYE call teardown
- RTP injection
- Caller-ID Spoofing
- REGISTER Hijacking
- Public vulnerabilities in VoIP equipment
There are a range of VoIP testing tools and techniques which can be employed to perform a security assessment, these tools would cover assessment areas such as:
- Scanning and Enumeration
- Packet Creation and Flooding
- Signalling Manipulation
- Media Manipulation
Indimon Internet Services
Indimon Internet Services provides remote VoIP security testing using a range of current tools and techniques for the security testing and evaluation of a VoIP architecture. Using proven security testing skills and experience, Indimon Internet Services will analyse a clients VoIP implementation for a range of security threats and inform the client of any identified security vulnerabilities.