Top 14 VoIP vulnerabilities

The new book “Securing VoIP Networks,” the vulnerable side of VoIP

The top VoIP vulnerabilities, drawn from the new book “Securing VoIP Networks,” by authors Peter Thermos and Ari Takanen, takes a tough look at the weak side of VoIP.

How are VoIP networks weak and vulnerable to attack and catastrophic failure? Securing VoIP Networks, the new book by Peter Thermos and Ari Takanen, looks at VoIP infrastructure and analyzes its vulnerabilities much as the Open Web Application Security Project did for Web-related vulnerabilities and Mitre did with its Common Weakness Enumeration dictionary for software. And it’s about human failings, too, not just technology problems.

Here are the top VoIP vulnerabilities explained in Securing VoIP Networks:

1. Insufficient verification of data: In VoIP implementations, this can enable man-in the-middle attacks.

2. Execution flaws: Standard databases are typically used as the backbone of VoIP services and registrations. Implementation has to be paranoid in filtering out active content such as SQL queries from user-provided data such as user names, passwords, and Session Initiation Protocol (SIP) URLs. The majority of problems relating to execution flaws result from bad input filtering and insecure programming practices.

3. String/array/pointer manipulation flaws: Malformed packets with unexpected structures and content can exist in any protocol messages, including SIP, H.323, SDP, MGCP, RTP, and SRTP. Most typical malformed messages include buffer-overflow attacks and other boundary-value conditions. The result is that the input given by the attacker is written over other internal memory content, such as registers and pointers, which will let the attacker take full control of the vulnerable process.

Web vulnerabilities

Experts say most Web applications can be hacked. Here are the top ten vulnerabilities that could put your Web site at risk.
  1. Cross site scripting
  2. Injection flaws
  3. Malicious file execution
  4. Insecure direct object reference
  5. Cross site request forgery
  6. Information leakage and improper error handling
  7. Broken authentication and session management
  8. Insecure cryptographic storage
  9. Insecure communications
  10. Failure to restrict URL access

SOURCE: OWASP (the Open Web Application Security Project)

4. Low resources: Especially in embedded devices, the resources that VoIP implementations can use can be scarce. Low memory and processing capability could make it easy for an attacker to shut down VoIP services in embedded devices.

5. Low bandwidth: The service has to be built so that it will withstand the load even if every caller makes a call at the same time. When the number of subscribers to a VoIP service is low, this is not a big problem. But when a service is intentionally flooded with thousands of bot clients, or when there is an incident that results in a huge load by valid subscribers, the result might be a shutdown of the whole service.

6. File/resource manipulation flaws: These are typical implementation mistakes, programming errors from using insecure programming constructs that result in security problems. These flaws include insecure access to files.

7. Password management: The only identifier a VoIP consumer has is the telephone number or SIP URL and a possible password for the service. The passwords are stored in both the client and server. If passwords are storied in the server in a format that can be reversed, anyone with access to that server (or proxy or registrar) can collect the username and password pairs.

8. Permissions and privileges: Resources have to be protected both from the operating system and platform perspective and from the network perspective. VoIP services running on the platform have to consider the privileges they run with. A VoIP service does not necessarily require administrative or “root” privilege to run.

9. Crypto and randomness: In VoIP signaling, confidential data needs to be protected from eavesdropping attacks. The most common vulnerability in this category is to fail to encrypt at all, even if the encryption mechanisms are available.

10. Authentication and certificate errors: Users and devices need to be authenticated. Also, other services, such as device management, exist in VoIP devices that need user authentication. Registration hijack in SIP is a flaw in which the registrar system does not authenticate the user or device, but lets attackers spoof registration messages and reregister themselves as the valid user.

11. Error handling: One example of error handling in SIP implementations is how incorrect registration is handled. A register  message with an invalid telephone number can result in a “404” error code, whereas a valid telephone number would result in a “401” error. This will let the attacker narrow down the attack to try a brute-force attack on valid accounts only, or to harvest for valid accounts for Spam over Internet Telephony (SPIT).

12. Homogeneous network: An unpredicted vulnerability in many network infrastructures is a wide dependence on a limited number of vendor brands and devices variants. If an entire network depends on one specific brand of phone, proxy or firewall, one automated attack such as a virus or worm can shut down the entire network.

13. Lacking fallback system: When the VoIP network is down, as it eventually will be, there has to be backup systems that the users can fall back to. This requires careful planning for the infrastructure.

14. Physical connection quality and packet collision: if you have packet loss in your data infrastructure, you’re probably not ready for VoIP. Network latency and jitter should be minimal. All bottlenecks in the communications will immediately be revealed when VoIP is introduced, even if those weren’t readily apparent with traditional data communications.

Securing VoIP Networks, is published by Addison-Wesley. Peter Thermos is CTO at Palindrome Technologies and Ari Takanen is founder and CTO at Codenomicon.

Learn more about this topic

VoIP requires strict attention to security practices


Researchers flag VoIP exploits at Black Hat


VoIP security services taking hold


Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2007 IDG Communications, Inc.