VoIP is susceptible to the same types of attacks that threaten other network applications, but there are some potential new ones that focus directly on VoIP. David Endler, chairman and founder of the VOIP Security Alliance and director of security research for TippingPoint, spoke with Network World Senior Editor Tim Greene about VoIP security issues and what you can do to protect your assets.
What new VoIP threats do you see out there?
We saw the first voice phishing attack. It looks much like the traditional e-mail phishing attack except that, instead of tricking or inducing your victim to click on a spoofed link to take them to a Web site, you're actually tricking them to dial a phone number that takes them to a spoofed automated attendant.
If I can trick you into calling a number that you think is Bank of America, and I can mock up a VoIP system fairly easily with free tools, then I can ask you to enter in your account info and your PIN number and even some other verification like your Social Security number or your billing ZIP Code. Then the hacker can go in and reconstruct those tones after the fact and use them to access your account.
These aren't new scams, it's just voice over IP makes it a lot easier to perpetrate them in a widespread manner.
What can be done to combat voice phishing?
What you could do if you have a constant feed of these voice-phishing numbers is program them into your PBX as restricted numbers. So that way your users wouldn't necessarily be able to call these numbers back despite falling for the e-mail come-on.
Another thing is user education.
What other new threats have you seen?
The rest of them are more mischievous or not necessarily as financially motivated. Things like redirecting someone's incoming calls to yourself might become a problem. It requires some knowledge of what you are doing.
Registration hijacking is the way you would do that. The way these phones work is when I take my VoIP phone and plug in, the PBX knows that I am where I am basically by my IP address, and all incoming calls to me go to my office phone.
But if I go on the road and I take my phone or I use the softphone on my laptop, I'll want incoming calls to go there. Wherever I am, the phone will register. Registration hijacking is tricking the PBX into thinking that someone has moved and then having all their calls directed to the wrong IP address.
What can you do about that?
There are a lot of best practices there. Enabling encryption and authentication on the VoIP side helps. That way you can't necessarily spoof messages to the PBX as easily.
What other VoIP attacks are out there?
There's something called an invite flood, which is more for a [Session Initiation Protocol]-based network, making someone's phone ring off the hook. It's like a flooding attack that's on the application side. You obviously don't know which phone calls are legitimate and which calls are bogus.
What is the benefit of encrypting VoIP?
For instance, if you're not using encryption in your voice conversation, then it's possible for an attacker to actually add background noise to your conversation. It may not sound that bad, but you can potentially do some mischievous things there. For instance, if you're a disgruntled call-center support worker and you wanted to add some expletives to the background of your co-worker's phone call, if you wanted to add some inappropriate sounds when the CEO is calling home to his wife -- these are the types of things we are talking about.
Rss FeedRss Feed
The Leader in Network Knowledge
Comment