Voice over Internet Protocol: Security, Vulnerabilities and Recommendations - Research Paper Example

Voice over Internet Protocol (VoIP) Security, Vulnerabilities & Recommendations Nesreen Alsayyad May, 2009 Table of Contents 2- Introduction 3- General Vulnerabilities 3.1 Information security 3.2 Software 3.3 Social engineering 4- VoIP Vulnerabilities 4.1 VoIP and the protocols it uses 4.2 VoIP Vulnerabilities 4.3 How VoIP Vulnerabilities are Exploited 4.4 Likely results of an attack 4.5 Possible controls 5- Conclusion 6- Recommendations 7- References Voice over Internet Protocol (VOIP) 1- Abstract Vulnerabilities can be exploited by cybercriminals, whilst social engineering provides an alternative method for attackers to gain access to information assets through exploiting human vulnerabilities. Networking of computers increases risks and therefore requires greater measures of security. Software controls try to prevent the exploitation of vulnerabilities but not all attacks can be contained by technical measures. Many vulnerabilities are due to “poorly designed implementations that can provide inroads to data networks. ‘Mistakes’ such as remaining undocumented open ports, extraneous services etc. can be easily exploited, and denial of service attacks is the most significant specific threat to VoIP. 2- Introduction 2 Background information Computers and networks are an important part of the information systems of many organizations. We are dependent on computers and networks for the provision of services across all sectors of the economy. However, vulnerabilities exist in these information systems. Vulnerabilities in operating systems and application software can be exploited by cybercriminals. Social engineering provides an alternative method for attackers to gain access to information assets, through exploiting human vulnerabilities. Open access and networking of computers increase risks and therefore require greater measures of security. Security is both a technical and a social concern. It relates to confidentiality of information, system integrity, authentication of users, personal safety of people and other social issues. Information security, software vulnerabilities and social engineering will be briefly discussed followed by an in-depth exploration of vulnerabilities associated with the use of VoIP. Included are details of how vulnerabilities work, the consequences of attack, and a look at possible controls. Recommendations are then offered that organizations can take to protect themselves. 3- General Vulnerabilities 3.1 Information security Information that is confidential must not be accessible by unauthorized parties (Kinkus, 2002). And, there must also be protection against unauthorized changes, which is known as integrity. Unauthorized access is a leak of information that could be mildly embarrassing in the case of personal information to outright disastrous in the case of sensitive information. Hacking compromises both confidentiality and integrity of information. Whatever the nature of the information however, privacy is important so that information is protected especially in this Internet age where it is very easy for information on individuals and companies to get transferred and collected. 3.2 Software General software vulnerabilities affect most operating systems and applications including email clients, web browsers and other web applications, and online database software. As these aforementioned ones use the Internet by design, they are more vulnerable than others that can do without the computer being networked. Software design measures that try to prevent the exploitation of vulnerabilities include anti-virus software, authentication systems, data encryption and firewalls. Anti-virus software aims to identify and prevent the presence of computer viruses and similar malicious malware. Encryption works by converting the data “into a form, called a ciphertext, which cannot be easily understood by unauthorized people” (Kissel, 2006) for security purposes. And, a firewall acts as a gateway to limit “access between networks in accordance with local security policy” (ibid). Additionally, the use of honey-pots and intrusion-detection systems for example can help to capture attackers. 3.3 Social engineering Not all attacks can be contained by technical measures. For example, many online breaches of security result either from ‘insider’ attacks, in which internal staff misuse the system, or from users being “tricked into giving away identifying information” (Chen, 2008). This latter type of breach, which exploits human vulnerabilities is a form of ‘software engineering’ and is known as phishing. Phishing occurs when users are tricked “into disclosing sensitive personal information through deceptive computer-based means” (Kissel, 2006). For example, by mimicking a secure website, users may enter their personal details unknowingly thinking it is the original legitimate website they use, and thereby also unknowingly pass these details onto the deceiver. He could then use it to enter the real website and for instance, attack the system or network or transfer funds to his benefit. Software controls are also of little help when the devices used are either unauthorized or infected. For example, if a worker brings his own infected laptop and connects it to the corporate network or inserts an infected USB flash drive into the same, the malware could spread. Or, a hacker could take advantage of an open door provided by a rogue wireless access point (Max, 2006). Similarly to unauthorized devices, using or installing unauthorized software could equally “invite new vulnerabilities into the network” (ibid). These social level vulnerabilities can be averted by appropriate consultation, restricting access to only those parts of the system that concern the staff so avoiding ‘excessive user rights’, prohibiting unauthorized devices, training users to identify and avoid falling victim to social engineering attacks, and continuous data monitoring to check for malware, unauthorized devices, and reveal any vulnerabilities for appropriate action to be taken. 4- VoIP Vulnerabilities 4.1 VoIP and the protocols it uses Voice over Internet Protocol (VoIP) is a communications technology that uses the Internet Protocol (IP) in place of the traditional analog phone systems. It works by digitizing the voice signals for transfer over the Internet as packets of data. It thus requires a means of converting analog signals into digital signals to be sent over the Internet, and this ability can be in the VoIP phone itself or in a separate ATA box. VoIP calls can be made from either a computer, special VoIP phone or the traditional phone. However, VoIP is still a developing technology as some services like emergency calls and directory assistance may not be available, and the quality of service (QoS) often suffers from latency (i.e. slight delay in the arrival of data). It also usually requires a broadband connection to the Internet, which is restrictive for some. One of the main protocols that VoIP services use is H.323. Others include MGCP, RVP over IP, SDP, SGCP and SIP, which also implement H.323. The H.323 architecture was designed “to support real-time transfer of audio and video data over packet networks like IP” (Batta). In addition, this architecture enables file/image data transfer, communication controls, and controlling connections and sessions. It is the digital signal processor (DSP) that “segments the voice signal into frames” (protocols.com) and stores them as packets, and the coders that make the bandwidth utilization efficient. The structure of the architecture is illustrated in the diagram below*1. Its components include a terminal, gateway, gatekeeper, multipoint control unit, multipoint controller, multipoint processor and the H.323 proxy. This H.323 standard was recommended by the International Telecommunications Union (ITU) to set “standards for multimedia communication over Local Area Networks (LANs)…” (ibid). 4.2 VoIP Vulnerabilities In terms of computer security, a vulnerability is a software deficiency “that can be directly used by a hacker to gain access to a system or network” (CVE, 2007) through violating a reasonable security policy. Therefore, a state of vulnerability exists if the attacker is able to either execute commands as another user or otherwise, access data against the specified data access restrictions, or conduct a denial of service (DoS) attack. VoIP is likely to become increasingly popular because it is both cheaper and more efficient than using traditional telephone lines. Improvements in VoIP are also for example, contributing to making videoconferencing and web-conferencing easier and more widely used. At the same time, this brings to the fore the vulnerabilities of VoIP which must be addressed adequately if the technology is to be established further. For example, many Cisco products typically used for VoIP that were processing H.323 messages contained vulnerabilities so they developed a test suite to target this protocol and identify vulnerabilities, which could be exploited for repeated DoS attacks (Cisco Systems, 2004). DoS attacks are capable of bringing down entire websites or web servers. VoIP servers and phones are now listed amongst The SANS Institute’s (2007) top 20 security risks under ‘network devices’. According to their research, vulnerabilities have been found in such products as Asterisk and Cisco Unified Call Manager besides others, and exist “throughout a VoIP network, from mismanaged and unpatched call proxy and media servers to the VoIP phones themselves”. 4.3 How VoIP Vulnerabilities are Exploited The aforementioned SANS Institute report describes how leveraging onto the vulnerabilities listed, “attackers can carry out VoIP phishing scams, eavesdropping, toll fraud, or denial-of-service attacks”. The vulnerabilities are due to “poorly designed implementations [that] can provide inroads to data networks and researchers are continuing to uncover additional areas for potential attack, such as cross site scripting through VoIP clients”. Given that many VoIP servers interface between IP networks and traditional phone signaling (C7/SS7), “an attacker capable of compromising a vulnerable VoIP server could potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN)”. After examining a number of VoIP related vulnerabilities from documented cases on the packetstormsecurity.org website, it appears that vulnerabilities arise from such ‘mistakes’ as remaining undocumented open ports, extraneous services that can be exploited, leaving important daemons with public read access, hardcoding passwords etc. A few specific examples will suffice: An undocumented open port (UDP/17185) left over from development “may allow an attacker unauthenticated access to the phone’s OS, perhaps yielding sensitive information, creating opportunities for DoS, etc.” Another undocumented port (UDP/9090) was found to provide the phone’s MAC address and software version returned upon connection. An attacker could therefore easily identify these and also obtain “an avenue for DoS. This made the phone users “vulnerable to being redirected to malicious SIP servers”. A particular VoIP phone’s SNMP daemon had default public read credentials and could not be disabled. This could allow “an attacker with access to the phone’s SNMP daemon to read the phone’s SNMP configuration” leading to sensitive information disclosure. The same phone had default user/password credentials meaning that and attacker could telnet the phone “to gain access to the phone’s Vxworks OS using the known default credentials”. Similarly, another Hitachi VoIP phone had an administrator password hardcoded, which is a physical vulnerability. This could allow the same as well as modifying the phone’s configuration. In addition, the http daemon’s default index page disclosed details of the device including MAC and IP addresses and routing information. Moreover, no credentials were required to configure the web server. Another VoIP phone was found to stop working by sending a UDP packet greater than 65534 bytes to port 5060. Likewise, another phone crashed when running a standard nessus scan in safeChecks mode and was vulnerable to disruption to remote access in the absence of a firewall. A Pingtel Java/SIP-based phone was found to contain multiple vulnerabilities including remote access, remote administrative access, manipulation of SIP signaling, multiple denials of service and remote telnet access etc. This could “jeopardize critical telephony infrastructure” and was therefore a “severe risk”. Several Cisco vulnerabilities in H.323 message processing already mentioned. A MultiVoIP gateway had a vulnerability that could cause a DoS due to “a boundary error when parsing SIP packets”. Exploitation caused the device to reboot. In another case, “a remote buffer overflow” was discovered that could “lead to remote code execution”. Another problem is with new protocols such as SIP because they become natural targets besides containing many vulnerabilities to begin with. A simple php script Sip Send Fun (security-scans.de, 2007) demonstrates how vulnerabilities work. It uses netcat to exploit a vulnerability to send a different SIP-Payload to the tested device. 4.4 Likely results of an attack One of the greatest impacts of an attack is DoS. It is “the most significant specific threat to VoIP” (Plewes, 2007). This occurs when “malware-infected computes begin flooding a company’s Web site with so many requests that it becomes unavailable for normal use” (Edwards, 2008). DoS has the potential to “bring a data network to its knees and shut down all applications running on it – including VoIP” (Plewes, 2007). A VoIP dependent or any company for that matter would be out of service until its network is restored. This has obvious repercussions for software damages and the costs of damages could be very high. VoIP also enables people to easily disguise their calling location and through subverting Caller ID blocking can know the phone numbers of callers. The problem is that VoIP use is outside of FCC regulation (FCC, 2008). An emerging security threat is called ‘Caller ID spoofing’ (Future Tense, 2005) where it becomes difficult to identify the person on the other end of the line and in the worst cases when scammers use VoIP similar to e-mail spoofing. More serious are risks from VoIP hacking and evesdropping. 4.5 Possible controls Software control measures could include the following: At the product selection phase, to ensure that the vendors support OS patches as and when released. Patching the OS used to run the VoIP servers with the latest security releases. Changing default passwords on proxies’ administrative login functions and phones. Applying the patches for servers, software/firmware when they become available. Scanning VoIP servers/phones to detect open ports and firewalling those that are not required by the VoIP system. Disabling of all unnecessary services on servers/phones such as http and telnet. Using a VoIP protocol aware firewall or “Intrusion Prevention product to ensure that all UDP ports on VoIP phones are not open to the Internet for RTP/RTCP communications” (SANS, 2007) Using VoIP protocol fuzzing tools to guarantee VoIP protocol stack integrity. Applying separate VLANs to the voice/data networks depending on the converged network and preventing their use to gain access to other core services Separating DHCP and TFTP servers from the data network. Additionally, anti-DoS software is available that can easily detect DoS attacks in its early stages to filter them out. Some multi-level protection software is also available such as Symantec’s Norton Internet Security software, which protects against identity theft, phishing, spam, spyware, bonnets, worms, intrusion etc. and includes a firewall (Norton, 2009). Social control measures should involve raising awareness and providing training besides imposing controls on user access. Creating a harmonious working atmosphere is essential to prevent grudges in employees who may decide to attack the company’s network in revenge. Apart from this, strategies can be used to create a secure working environment such as separating critical services, controlling user rights, and prohibiting unauthorized devices. 5- Conclusion An organisation’s network connectivity, especially to the Internet poses numerous risks. VoIP systems are therefore not immune to these, and it is essential that both software and social security measures be taken. Software controls include VoIP specific measures listed as well as general Internet security software. In particular, as DoS attacks are an emerging threat, anti-DoS software should be used. Important VoIP communications should be encrypted Besides software, social control measures have also been discussed, which are just as important as deploying software controls due to human vulnerabilities. In short, all potential vulnerabilities must be identified and addressed. VoIP specific vulnerabilities such as phishing and eavesdropping can be controlled in this way. Open ports and possibilities for buffer overflows were identified problems at the design stage. A firewall is absolutely essential to control access between the corporate network and the Internet. Thus, there are vulnerabilities and extensive threats but all can be prevented by suitable security technology and procedures. 6- Recommendations VoIP specific measures must include: Deployment of an intrusion and detection system Implementation of anti-DoS safeguards “such as security technologies and extra server and connectivity power” (Edwards, 2008) Also, a major recommendation to help gauge the security level of a software is the use of Vulnerability Assessment Assurance Levels (VAAL) “as a useful way of communicating the extent to which as security analysis has been performed on a product” (Christey, 2007). This would be similar to food labeling and provide valuable information to consumers. This would consider access constraints, frequency of feature usage, potential severity, vector depth detailing the code path containing the vulnerability, manipulation complexity, ubiquity, and level of effort undertaken to uncover the vulnerability. It is important to remember that even if the organization uses mainly VoIP, it is not only this service they should be protecting. The fact that they utilize a global public network requires that the whole range of general Internet security and social engineering controls are implemented. So this means for example using anti-virus, encryption and firewall software, and safety measures to control human vulnerabilities. The latter are simple and cost-effective measures, whilst Internet security software provides general protection, and VoIP specific measures are essential for organization making significant use of VoIP. 7- References Batta, Suruchy. (n.d.). VoIP and H.323 Protocol Standard. Infosys Technologies Ltd. Retrieved May 28, 2009 from: http://www.networkdictionary.com/files/VOIPandH323ProtocolStandard.pdf. Chen, Dr Peter. (2008). Electronic Engagement: A Guide for Public Sector Managers. Managing Risk. Chapter 4: Implementation. Retrieved May 27, 2009 from: http://epress.anu.edu.au/anzsog/engage/mobile_devices/ch04s06.html#d0e5189. Christey, Steve. (2007). Unforgivable Vulnerabilities. The MITRE Corporation. August 2, 2007. Retrieved May 27, 2009 from: http://www.mitre.org. Cisco Systems. (2004). Cisco Security Advisory: Vulnerabilities in H.323 Message Processing. Document ID: 47843. Retrieved May 28, 2009 from: http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml. CVE. (2007). Vulnerability. Retrieved May 28, 2009 from: http://cve.mitre.org/about/terminology.html. Edwards, John. (2008). DoS Attacks Take Aim at Small Business. Network Security Journal. Retrieved May 29, 2009 from: http://www.networksecurityjournal.com/features/DoS-attacks-011708/. FCC. (2008). Voice Over Internet Protocol (VoIP): FCC Consumer Facts. Retrieved May 28, 2009 from: http://www.fcc.gov/cgb/consumerfacts/voip.html. Future Tense. (2005). Caller ID spoofing an emerging VoIP security threat. Retrieved May 28, 2009 from: http://www.publicradio.org/columns/futuretense/2005/03/08.shtml. Kinkus, Jane F. (2002). Science and Technology Resources on the Internet: Computer Security. Retrieved May 28, 2009 from: http://www.istl.org/02-fall/internet.html. Kissel, Richard. (2006). Glossary of Key Information Security Terms. National Institute of Standards and Technology (NIST). NIST IR 7298 Available from: http://csrc.nist.gov/publications/nistir/NISTIR-7298_Glossary_Key_Infor_Security_Terms.pdf. Max. (2006). Excessive User Rights and Unauthorized Devices Attacks. Best Security Tips. Retrieved May 28, 2009 from: http://www.bestsecuritytips.com/xfsection+article.articleid+32.htm. Network Dictionary. (2009). How Does VOIP using H.323 Protocol Work? Retrieved May 28, 2009 from: http://www.protocols.com/pbook/VoIPFamily.htm. Norton. (2009). Norton Internet Security 2009 + Norton Online Backup. Symantec Corporation. Retrieved May 29, 2009 from: http://shop.symantecstore.com/. Packet Storm. (2009). Archive search results for VoIP. Retrieved May 27, 2009 from: http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=VoIP&type=archives&%5Bsearch%5D.x=25&%5Bsearch%5D.y=4. Plewes, Anthony. (2007). VoIP Security: VoIP threats to watch out for: A primer for all IP telephony users. Retrieved May 29, 2009 from: http://www.silicon.com/research/specialreports/voipsecurity/0,3800013656,39166244,00.htm. protocols.com. (n.d.). Voice Over IP. Retrieved May 28, 2009 from: http://www.protocols.com/pbook/VoIPFamily.htm and http://www.protocols.com/pbook/h323.htm. SANS Institute, The. (2007). SANS Top-20 2007 Security Risks (2007 Annual Update). Retrieved May 28, 2009 from: http://www.sans.org/top20/#n1. security-scans.de. (2007). sip send fun v 0.22. security-scans.de. Retrieved May 28, 2009 from: http://www.security-scans.de/index.php?where=ssf. VOIPSA. http://www.voipsa.org/ Read More