How to secure VoIP

VoIP has plenty of benefits...and can cause plenty of security issues, which this article explains how to avoid!

Many enterprises are rapidly deploying voice over Internet Protocol (VoIP) systems for their organizational telephony needs, and thereby supplanting old-fashioned Plain-Old Telephone Service (POTS). While some organizations have a mature VoIP deployment carefully honed over two or three years, a large number of enterprises have raced to deploy VoIP without carefully considering the security implications.

The rapid deployment of VoIP is entirely understandable, given its potential for cost savings and increased flexibility versus traditional telephony infrastructures. From a monetary perspective, research has shown a significant return on investment for VoIP projects. That means for most organizations VoIP is either here now or coming very soon, so information security professionals need to make sure it is deployed in a secure fashion.

There are several vectors for exploiting VoIP. Areas of greatest concern include sniffing VoIP traffic, exploiting implementation flaws in specific VoIP systems and attacking call manager servers. Let's look at each type of attack and discuss how you can defend your own VoIP infrastructure.

First off, we've got the possibility of sniffing VoIP calls. Because VoIP traffic is typically sent across Ethernet or even wireless networks, it is subject to packet-capture tools that record all packets passing through a given machine's network interface. Attackers can choose from a variety of different sniffing tools to grab VoIP packets, including tcpdump and Wireshark (the new name of the Ethereal project). However, once the packets have been captured, an attacker needs to turn them into sound files to hear the VoIP communications. Wireshark includes a handy tool for doing just that by turning captured VoIP sessions into .raw or .au audio files, which can be listened to using most audio and video playing software.

Even before Wireshark, the first widely publicized implementation of a VoIP sniffer-to-audio file generator was called Voice Over Misconfigured Internet Telephones, or VOMIT for short. While VOMIT was widely used several years ago, Wireshark has since become the most popular tool for mounting this kind of attack. With this functionality, any sniffer that can save captures in the traditional tcpdump-style format is effectively a VoIP wiretap, gathering conversations that can be listened to later.

To defend against such attacks, be sure to encrypt the VoIP traffic on your network. Given the potential sensitivity of the information carried in VoIP calls, I strongly recommend that all such traffic be transmitted over an encrypted VPN, which should be part of your overall VoIP architecture.
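One way to verify that defense from a monitoring port, as an added example that is not part of the original article: the check below flags UDP flows that carry a recognizable RTP stream (the usual VoIP media transport) outside the encrypted tunnel. The addresses, ports, sample packets and the `MIN_RUN` threshold are constructed assumptions, and the input is assumed to be UDP payloads already extracted from a capture.

```python
import struct
from collections import defaultdict

MIN_RUN = 5  # in-order packets required before a flow is flagged (assumed threshold)

def parse_rtp(payload):
    """Return (payload_type, seq, ssrc) for a plausible RTP header, else None."""
    if len(payload) < 12:
        return None
    b0, b1, seq, _ts, ssrc = struct.unpack("!BBHII", payload[:12])
    if b0 >> 6 != 2:            # RTP version field must be 2
        return None
    pt = b1 & 0x7F
    if 72 <= pt <= 76:          # range reserved to avoid clashing with RTCP
        return None
    return pt, seq, ssrc

def find_cleartext_rtp(datagrams):
    """datagrams: iterable of (src, dst, udp_payload) taken from a capture.
    Returns {(src, dst): payload_type} for flows showing an RTP stream."""
    last_seq, run, flagged = {}, defaultdict(int), {}
    for src, dst, payload in datagrams:
        hdr = parse_rtp(payload)
        if hdr is None:
            continue
        pt, seq, ssrc = hdr
        key = (src, dst, ssrc)
        # A real stream keeps one SSRC and increments seq by 1 (mod 2^16);
        # encrypted tunnel bytes that pass the version check will not.
        in_order = key in last_seq and seq == (last_seq[key] + 1) & 0xFFFF
        run[key] = run[key] + 1 if in_order else 1
        last_seq[key] = seq
        if run[key] >= MIN_RUN:
            flagged[(src, dst)] = pt
    return flagged

def make_rtp(seq, ssrc=0x1234ABCD, pt=0):
    """Constructed RTP packet: 12-byte header plus 160 bytes of dummy payload."""
    return struct.pack("!BBHII", 0x80, pt, seq, seq * 160, ssrc) + bytes(160)

# Constructed sample: one bare RTP flow, one UDP-encapsulated tunnel flow whose
# first byte (0x9A) happens to look like RTP version 2.
SAMPLE = [("10.0.0.5:16384", "10.0.0.9:16384", make_rtp(s)) for s in range(100, 106)]
SAMPLE += [("10.0.0.7:4500", "10.0.0.1:4500",
            struct.pack("!II", 0x9A3F0C11, n) + bytes([n]) * 160) for n in range(1, 7)]

if __name__ == "__main__":
    print(find_cleartext_rtp(SAMPLE))
```

With all voice traffic carried inside the VPN, no flow should be flagged on the monitored segment. A flagged flow shows that RTP headers are visible there; SRTP also leaves the header in the clear, so confirm how the media payload is protected before concluding the audio itself is exposed.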

Another area of concern with VoIP traffic involves exploiting specific VoIP implementation flaws, that is, mistakes made by the software developers of the VoIP systems themselves. Historically, several security flaws have been discovered in specific vendors' VoIP products, both in handsets and call management software. Some of these flaws allow an attacker to send malformed packets to crash a handset or a centralized call manager, resulting in a denial-of-service attack. Other flaws let an attacker send specially crafted packets that exploit buffer overflow or related conditions to take over a VoIP handset or, even more damagingly, a call management server. If an attacker compromises a call management server, he or she can capture all call traffic or even reroute calls at will. To minimize the chance of this kind of attack, make sure you include all aspects of your VoIP infrastructure in your patch management process, including call manager servers, VoIP gateways, the associated VPN and the handsets themselves.

Beyond specific implementation flaws in the VoIP-specific software on the call manager server, the underlying operating system and auxiliary applications on that server could also come under attack. Some vendors sell their call manager servers and VoIP gateways as "appliance" devices, implying that you simply plug them in, turn them on and they are ready to go. But the appliance moniker is highly misleading. The underlying operating system is typically a stripped-down version of Windows or Linux, which, if not handled carefully, could be compromised by an attacker.

To secure your call managers and VoIP gateways, you should carefully review their configurations, turning off unneeded services and hardening the underlying operating system. Consider running a tool like Microsoft Baseline Security Analyzer, which can look for rudimentary misconfigurations and security weaknesses. On Linux-based systems, you may want to compare configurations with the recommendations made by the Bastille Linux system-hardening project. Be sure you thoroughly patch the operating systems associated with the VoIP infrastructure as well.

As an additional VoIP security measure, you may want to consider deploying a host-based Intrusion Prevention System (IPS). Now, with hardening, patching and host-based IPS, please be careful. If you alter the call manager server configuration in any of these ways, it could impair functionality and performance. There are many horror stories out there of people who only slightly tweaked the configuration of their call managers and inadvertently broke their ability to handle phone calls. Thus, review your desired security changes with your vendor and test them in a lab environment before rolling them into production, just to make sure.

About the author: Ed Skoudis is a SANS instructor and a founder and senior security consultant with Intelguardians, a US information security consulting firm. His expertise includes hacker attacks and defenses, the information security industry and computer privacy issues. In addition to Counter Hack Reloaded, Ed is also the author of Malware: Fighting Malicious Code. He was also awarded 2004, 2005 and 2006 Microsoft MVP awards for Windows Server Security, and is an alumnus of the Honeynet Project.

This was first published in March 2007
