Oyp Vey!

Dave G. | June 13th, 2006 | Filed Under: Bitching About Protocols, Industry Punditry

So VOIP security is taking the media by storm. No wait, the media is taking VOIP security by storm. I assume that stories like this, and advisories like this and this, begot this.

As with most emerging threats, it’s hard to predict which way the ball is going to bounce, or if it will even hit the ground. Here is my take:

  1. Toll fraud. Since domestic phone calls are bordering on free, I suspect this will mostly be of the international variety (at least the parts that hurt consumers). I think it will be reminiscent of the cell phone cloning days, when people would sell cloned phones or even just the temporary use of cloned phones.

  2. VOIP Spam. This is going to be annoying. As phone calls are basically free (and when they aren’t, see #1), and US Do-Not-Call lists do not apply to international jackasses, expect more and more telemarketing calls going not only to your home phone, but also to your cell.

  3. VOIP Phishing. This is going to suck. There is actually a Black Hat talk or two about this. Combine misleading (let alone spoofed) caller ID plus a slick Asterisk IVR plus unlimited free calling and you get a cheap system that will sucker a lot of people out of all kinds of things, including credit and calling cards. Worst of all, people TRUST the phone way more than they do email.

  4. Phownage. Implementation vulnerabilities will abound. This will affect end users, enterprises and VOIP service providers. What happens when Vonage gets hacked? How can they possibly be as battle hardened as the Verizons of the world? And how high of a bar is that? The brick and mortar telephone companies have been through it all, and they still have a constant battle with hackers. Eavesdropping and call hijacking will happen, but I suspect it will be the minority of the problems we deal with.

What did I miss? Let me know and I might just buy you a beer at Black Hat.

Viewing 7 Comments

    What did you miss? hmm can't think of much more but perhaps this: enterprise VoIP systems end up connected to the traditional PSTNs at some topological point and from there they can interact directly with the PSTN signalling systems...it's the phreaker's wet dream; gaining complete control of a SS7 capable system and talking directly to the CO switches from a standard off-the-shelf OS like Linux or Windows.

    It's probably a subset of Phownage, but I suspect we'll also see the usual DoS attacks against providers.

    But more importantly what we'll see is poor architecture/engineering/serious lack of change control at the provider level and have extended outages as a result.

    Another concern is that VOIP providers don't have the same disaster recovery requirements that the PSTN providers have. As VOIP becomes more prevalent in the household, this could lead to interesting physical issues during major disasters.

    You could _probably_ evade pbx firewalls like SecureLogix by war dialing them and changing your callerid on every call.

    -Daniel

    Check out VOIPSA's VoIP Security Threat Taxonomy for a good overview. To borrow a line from the intro:

    "While some early press accounts have focused on the potential for VoIP spam and VoIP call hijacking, the consensus of learning from this project is that there are many other threats inherited from traditional data networks (worms, DDoS, etc.) that are more likely to occur today."

    There's good discussion regarding many of these threats on the VOIPSEC mailing list.

    Thanks for not trashing the Bizweek piece ;). ISS is taking a lot of media inquiries about VoIP lately, especially with the news hook regarding the Miami toll-fraud case. I think that your assessment is dead-on.

    Wifi was fixed in the enterprise way before it was fixed in the consumer realm--oh wait, I can still hack all my neighbors. Same thing here. Enterprise VoIP can be done correctly, but just like in 2000-2001, enterprises can get crushed by the consumer leper colony.

    Great point about Vonage. What chance do they have we go from maybe a hundred million global VoIP users to hundreds of millions in a couple years all engaging in seamless PSTN to IP or IP to IP calls from all corners of the earth? I hope they are gearing up.

    When you combine in-band signalling as noted in Ivan's comment with an "open-source" phone system when pretty much anyone, or anything can just plug and play, you end up with a target that is just too juicy to pass up. FUD? The cool thing about technology predictions is that they don't take very long to be tested.

    What I wanted to point out is that although most of us are quite familiar and biased towards the traditional data network threats, which VoIP deployments are/will be prone to, the traditional telephony network threats remain valid and, even worse, the PSTNs are now more exposed through a wider attack surface. I've been a telco person in my previous professional life and had to spend substantial amounts of time reverse-engineering or otherwise figuring out all the signalling protocol kludges, patches and obscure implementation features in order to make different CO switches and PBXs interoperate with Unix systems. For that, 10 years ago, I needed expensive equipment (protocol analyzers, telephony cards, etc.) and direct access to digital (T1/E1) trunks; today it is possible to achieve the same using low-cost general purpose systems and open source implementations of SS7, MFC-R2, CCITT-R5, etc. It's scary to think that the guts of the PSTNs, networks founded on the premise of closed access and security thru obscurity, may now be open to scrutiny and exploration by a larger group of people with different motives and goals than those of the phreakers from the 70s/80s and early 90s.

    I think that we'll see a lot of Bad People leveraging the ease with which you can use VoIP to exploit bad business/security logic and assumptions in existing phone-based businesses.

    The classic example of this is the ease with which VoIP can be used to produce false CallerID information (yes, I know you can do this in the "traditional" telecom world, too, but VoIP makes it easier). This has been leveraged to bypass the "call from your home phone to authorize" security mechanism to authenticate that a mailed credit card has made it to the intended recipient.

    Another example is the ability to bypass user authentication of voicemail boxes when calling from the box's phone number.

    Or, consider how VoIP makes area code irrelevant--traditionally, an area code allowed someone to assume where a caller was geographically located, and some systems, such as CRM-driven call centers, may make bad decisions as a result.

    The friction between VoIP and the bad security assumptions of the PSTN (as Ivan points out above) will be interesting to see play out. Unfortunately, I think that carriers are mostly trying to fight the battle by lobbying against VoIP, as if that will make the problem go away.
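
The voicemail case raised in the last comment, as an added example that is not part of the original post or its comments: a handler that treats a matching caller ID as proof of identity, next to one that ignores it and always requires the PIN. The `Mailbox` class, the function names, the phone numbers and the lockout threshold are all hypothetical.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 3  # assumed lockout threshold, not taken from any real system


class Mailbox:
    """Hypothetical voicemail box that stores a salted hash of its PIN."""

    def __init__(self, number, pin):
        self.number = number
        self.salt = os.urandom(16)
        self.pin_hash = self._hash(pin)
        self.failures = 0

    def _hash(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 100_000)

    def pin_ok(self, pin):
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(self.pin_hash, self._hash(pin or ""))


def vulnerable_access(box, caller_id, pin=None):
    # The bad assumption: caller ID is caller-supplied signalling data,
    # yet a match with the mailbox number skips the PIN prompt entirely.
    if caller_id == box.number:
        return True
    return box.pin_ok(pin)


def hardened_access(box, caller_id, pin=None):
    # Caller ID plays no part in the decision (it is at most worth logging).
    # The PIN is always required and repeated failures lock the box.
    if box.failures >= MAX_FAILURES:
        return False
    if pin is not None and box.pin_ok(pin):
        box.failures = 0
        return True
    box.failures += 1
    return False
```
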
