| Admin | Siemens Mod 30 Quote:

How secure is VoIP?

Tuesday September 13, 2005 (12:01 PM GMT)
Topic: Networking & Connectivity
By: Jeffrey L. Vagle

Phil Zimmermann, the inventor of Pretty Good Privacy (PGP), the application often credited with the introduction of cryptography to the masses, recently announced his intent to provide PGP-like software to ensure the privacy of voice over Internet Protocol (VoIP) communications. VoIP, or Internet telephony, enables the routing of voice conversations over IP networks (e.g. the Internet) and is currently offered for use through newer companies, such as Vonage and Lingo (and some not-so-new companies, like Verizon and Comcast).

You'd be well within your rights to ask, "If VoIP isn't currently secure, how can it be offered to companies and individuals as a legitimate service? And if it is secure, why all the fuss?"

As with any software or network security issue, there are no simple answers to these questions. Yes, security mechanisms do exist that address at least a subset of the major VoIP threats, and yes, there have been no real attacks against VoIP networks to date. However, VoIP is a relatively new technology, and as with any increasingly complex system, new problems will emerge as adoption grows. Further, as we should all know by now, absence of exploitation does not prove the absence of vulnerabilities, but only the absence of interest or opportunity.

A VoIP primer

VoIP is a general term referring to phone service over computer networks -- transforming an analog signal generated from your voice, digitizing it, and transmitting it over an IP network (e.g. the Internet). It includes any software, hardware, or protocol relating to this technology.
There are many examples of VoIP technologies in use today, including commercial offerings from companies such as Vonage and Verizon, which require the use of analog telephone adapters (ATA) to allow the use of standard telephones on IP networks; software implementations (called softphones), which require only a PC and a set of headphones, such as Skype; and open source applications that provide full PBX functionality, such as Asterisk. Figure 1 shows some examples of VoIP using PCs, IP telephones, softphones, and standard (analog) telephones. It is even possible, through VoIP provider gateways, to place VoIP calls to analog phone users on the standard public switched telephone network (PSTN).

Figure 1: Example VoIP Architecture

Although widespread VoIP usage has arisen only over the past few years, the ideas behind VoIP could be characterized as a novel application of old concepts. Packet switched data networks have been around for some time now, and the use of these networks to send voice traffic back and forth was an idea waiting to happen. Multiple protocols for handling VoIP traffic have been developed, such as the Real-Time Transport Protocol (RTP), H.323, and the Session Initiation Protocol (SIP). The National Institute of Standards and Technology (NIST) has published a white paper that provides an excellent overview of these protocols, including detailed security analyses of each.

Voice as data security issues

Many of the potential security vulnerabilities of VoIP come not from the specialized protocols, software, or hardware per se, but from the fact that VoIP systems often operate in, on, and through existing networks, computers, and operating systems. This means that VoIP inherits the whole tangled security mess inherent to the Internet. Potential risks range from the relatively straightforward and mundane, such as denial of service (DoS), to the more exotic and potentially costly, such as eavesdropping.
It wasn't too long ago when traditional telephone companies were forced to fend off the occasional attack on their networks, despite the fact that these networks were basically closed off to most mere mortals. Once the telephone cord disappeared beyond the faceplate in the drywall, the details behind the operation of the public switched telephone network were jealously guarded and remained a mystery to most users. Switches were kept behind locked doors, manuals were considered sensitive materials, and access to telephone company inner sanctums was tightly controlled.

This is not the case with the Internet. Protocols are publicly available and free for random scrutiny by anyone with a passing interest in such things. Servers are by necessity accessible, although usually not arbitrarily so. And the inherent complexity behind key pieces of software, such as operating systems, protocol stacks, and applications, gives ample opportunity for unwholesome examination, the fruits of which are then quickly shared using these networks, servers, and software.

In effect, we're forced to deal with the same old security issues we might encounter with any networked application. This means we can use the same crusty mnemonic we use for assessing and categorizing any other computer security risk, namely CIA: confidentiality, integrity, and availability.

Availability

When it comes to VoIP security risks, the lowest hanging fruit (at least from the attacker's perspective) is system availability. VoIP denial of service (DoS) attackers don't have to muck about with the breaking of cryptographic codes, stealing of passwords, or clever (mis)use of protocol stacks. All you need to do is prevent VoIP network packets from reaching their correct destination in a timely fashion. Availability is crucial to any telephony system.
If you've ever made an overseas call, or watched a CNN satellite-enabled conversation between the anchor in the studio and the reporter in some remote location, you know how painful even a little bit of network latency can become in a conversation. Existing PSTN networks pride themselves on what's often referred to as "five nines" availability -- meaning the network is up and functioning as it's supposed to 99.999% of the time. Anything less than this is considered unacceptable. Why would consumers then expect anything less from their VoIP service?

DoS attacks against a VoIP network can result from forced CPU over-utilization on VoIP hardware, exploitation of software/protocol flaws through packet manipulation, or the outright hijacking of servers on the network. As I mentioned earlier, VoIP packets are at the mercy of the network they travel on. But as we'll see later, it's also possible to negatively affect VoIP performance and availability by trying to secure the system from these attacks.

SPIT

Spam over Internet telephony (SPIT) is a potentially nasty security thorn in the side of VoIP providers and users. You'll notice I used the qualifier "potentially" here, as it's not yet a widespread problem as of this writing. However, unsolicited shotgun-style marketing that manifests itself in such forms as email spam and blog spam costs almost nothing to produce. Given another avenue to a population of potential consumers, the spammers will jump all over it.

We all know how annoying it is to watch your email inbox fill up with solicitations for hair (or other body part) growth elixirs, easy mortgage terms, and weight loss tablets. Now imagine the levels of frustration possible when you start receiving audio messages on your VoIP-enabled telephone for all of these products. It wouldn't take much of this to turn off even the most dedicated VoIP user, and VoIP providers know this.
Confidentiality and eavesdropping

Even if we're only making pleasantries with our friends or relatives, chatting about nothing in particular, we recoil at the thought of someone quietly listening in on our private conversations. There may be nothing to hide, but it's nobody else's business, gosh darn it. The confidentiality of our conversations -- and in a VoIP network, our data -- is highly valued.

As with any packet-based network, VoIP data is broken up into discrete packages, labeled, and shipped off to their final destination. While en route, these packets may pass through many servers and networks, most of which are out of the user's immediate control. Unauthorized parties could be steaming open the envelopes of the data flying by. This "packet sniffing" doesn't have to happen in a live, as-it-happens sense either. Your data may be copied as it flies by, stored, and then later replayed.

This is more than a theoretical scenario. The unfortunately named Voice Over Misconfigured Internet Telephones -- or VOMIT -- application provides the ability for the user to replay captured unencrypted VoIP packets. VOMIT targets packets generated by Cisco IP telephones, but this does not mean that VoIP packets using alternate protocols are safe. Additional examples are not hard to find. The concept is fairly straightforward, and it takes only one successful attacker to publish his toolkit to a large audience of salivating script kiddies.

This is not a new problem. Most everyone who's made an online purchase, especially those who have been burned by the loss of sensitive (e.g., financial) data, knows the value of data encryption. It sounds like an easy solution, but as we'll see later, it brings with it its own set of problems for VoIP.
It should also be noted that most confidentiality breaches in Internet commerce are not suffered due to packet sniffing, but more often occur when the server on which the financial information is stored is compromised, a much easier job for most attackers.

Integrity

Not only do we want our private conversations to remain private, we also expect that the words we speak will reach our partners intact. Maintenance of data integrity poses a direct threat to VoIP networks, just as it does with any IP network. However, this is usually an indirect threat to the end user. The common attack scenario on the integrity of VoIP data would probably not result in the alteration of the voice data directly. Any changes to this data would more likely result in a denial of service rather than an unrecognizable change in audible information (although this is not, by any means, an impossible feat). By altering packet data to spoof either the infrastructure or the end units or terminals, an attacker could direct packets to an untrusted machine for later perusal, thus enabling a confidentiality breach.

Since VoIP operates on IP networks and is vulnerable to many of the same security risks as these networks, it makes sense that we begin to secure VoIP systems using the same principles that we apply to IP networks and their infrastructure.

VoIP quality of service

Because users expect VoIP to perform at least as well as their standard PSTN telephones, quality of service (QoS) should be a main concern when planning VoIP system security. It's just as possible that availability problems can arise from security measures as from any DoS attack.

Network resources, such as bandwidth and CPU processing time, are finite quantities on any network. If a server cannot create and process packets fast enough, it can induce delays in packet transmission, known as jitter. User expectations for the quality of connections don't allow for the sort of lag time that other applications like email do.
This means that any mechanisms introduced to a VoIP system that add overhead to the network, however useful or necessary they might seem, may erase any perceived added value over standard telephony. Such CPU- and bandwidth-intensive schemes as encryption have to be carefully planned before being considered in a VoIP network.

Network latency is yet another potential hazard to be avoided when planning VoIP system security. Delays in the transmission of VoIP packets caused by firewalls or other security measures can spell death to the overall usefulness of the system. Even worse is the outright loss of packets by the network. While this may be handled gracefully by other, less time-sensitive applications, loss of data in a VoIP network is no mere annoyance.

Mind your network

When it comes to securing VoIP, start at the bottom: the network itself. A properly designed network allows for the appropriate use of such equipment as firewalls and gateways, and it should also give you the opportunity to plan for bandwidth allocation. In fact, it's a good idea to logically separate your VoIP network from your data network as much as possible. If you're planning VoIP over a corporate network, this is a must. Clever use of subnets will mean less logical intermingling of data and VoIP packets, which in turn means fewer potential points of vulnerability.

However, if you're just using Skype on your home PC with nothing but a router and cable modem, you may not have much wiggle room. Just remember that your softphone -- the software application that acts as the telephone on your computer -- is only as secure as the operating system it's running on. In fact, if you're especially concerned about VoIP security in an environment where you may be affecting more than just yourself, you may want to reconsider the use of a softphone altogether.
The inherent risks that softphones present, due to their reliance on potentially insecure operating systems, make them prime candidates for attack in a networked environment.

Many networks provide wireless access to their endpoints. If yours is one such, you should ensure that you've done all you can to secure your wireless network. This includes such items as restricting SSID broadcasts, limiting access by using MAC address filtering, and using Wi-Fi Protected Access (WPA) encryption rather than Wired Equivalent Privacy (WEP) encryption.

Make sure your firewalls have been properly configured to allow VoIP packets through. Use stateful packet filters to ensure the integrity of connections, keeping unwanted packets out of the conversations.

When it comes to allowing access to any server, router, or PBX, make sure you use strong authentication techniques before letting anyone touch these machines. Physical security is a must, and if you must allow remote management of these servers, require the use of SSH. PSTN telephone companies rely on the fact that access to their equipment is, for the most part, subject to very strong access controls. This is a harder job for VoIP systems, but you should still make every effort to keep the infrastructure under lock and key as much as possible.

VoIP encryption

To avoid any prying eyes (or ears) from inspecting the contents of your VoIP conversations, use data encryption in your VoIP system. There are many ways to go about this, and choosing the right process can be tricky and requires careful planning.

A potential obstacle to certain encryption schemes in VoIP is resource management. You need to carefully manage finite resources such as CPU cycles and bandwidth in a VoIP network, since packet loss, latency, and jitter will render any VoIP system useless. Encryption, if applied indiscriminately, can put a major load on any network or CPU.
Standard VoIP protocols, such as SIP and RTP, already provide for encryption, and proprietary products like Skype are beginning to offer encryption support as well. When selecting VoIP hardware or software, however, you should ensure that encryption protocols have been implemented in their respective packages.

If your VoIP system is a heterogeneous mix of proprietary and open-standards-based equipment, be prepared for interoperability issues. If this is the case, it may be necessary to implement IPSec tunneling of VoIP traffic, if not at the endpoint level, then at the router level. Again, you'll need to carefully manage your CPU and bandwidth resources when applying such measures.

Another obstacle to VoIP encryption, especially when applied to its widespread use, is key management. To use public key encryption to ascertain the identity of callers, you verify their certificates. There are a number of ways to implement this, but certificate verification usually requires the involvement of trusted third parties, not to mention some sort of well-known protocol for communicating. Because of all this added infrastructure, it's difficult to coordinate the widespread use of any public key infrastructure (PKI) or certificate scheme in VoIP.

If your VoIP system comprises only you and a small group of friends, then the problems of PKI coordination probably don't apply. However, if VoIP is to replace standard PSTN telephony, Balkanization due to competing PKI schemes is not an option.

There are protocols in place that address this issue, but many VoIP users, either explicitly or implicitly, choose not to utilize encryption in their networks, probably due in large part to the lack of any perceived threat. It's just not worth the hassle right now. This perception will change, of course.
Meanwhile, Zimmermann's scheme promises the ability to verify certificates without the use of a third party, thus reducing some of the complications associated with standard PKI deployment, but it will require all parties taking part in the encrypted conversation to have a copy of Zimmermann's software running on their machines.

Conclusion

Although momentum is growing behind the widespread use of VoIP, there are still emergent aspects to this technology, including the security behind it. There are many common-sense approaches you can take when securing VoIP communications, some more straightforward than others. However, as with any approach to network security, careful planning is key.

The Voice over IP Security Alliance (VOIPSA) has organized to provide a common approach to VoIP security issues. It remains to be seen how successful it will be in this effort. Meanwhile, tread lightly when deploying and using VoIP, be aware of the risks, do what you can to mitigate them, and maintain an appropriate state of vigilance.

| -itmanagersjournal.com |
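The article's QoS and encryption sections warn that firewalls, tunnels and encryption can add delay, jitter and packet loss to a VoIP stream. The following is an added example, not part of the quoted article: a way to measure that effect by computing per-stream statistics from RTP headers before and after a security change. It uses the RFC 3550 interarrival-jitter estimator; the 8 kHz clock, 20 ms packet spacing and both sample streams are constructed assumptions.

```python
import struct

CLOCK_HZ = 8000  # assumed 8 kHz audio clock (e.g. G.711), 20 ms per packet

def parse_rtp(packet):
    """Return (sequence, timestamp) from the fixed 12-byte RTP header."""
    if len(packet) < 12:
        raise ValueError("truncated RTP header")
    flags, _pt, seq, ts, _ssrc = struct.unpack("!BBHII", packet[:12])
    if flags >> 6 != 2:
        raise ValueError("not RTP version 2")
    return seq, ts

def stream_stats(arrivals, clock_hz=CLOCK_HZ):
    """arrivals: (arrival_seconds, raw_packet) pairs in arrival order.
    Returns RFC 3550 interarrival jitter (ms) and packet loss counts."""
    jitter, prev_transit = 0.0, None
    base = ext_max = None
    received = 0
    for t, pkt in arrivals:
        seq, ts = parse_rtp(pkt)
        received += 1
        transit = round(t * clock_hz) - ts
        if prev_transit is not None:
            # signed difference modulo 2**32 so timestamp wrap is harmless
            d = (transit - prev_transit + 2**31) % 2**32 - 2**31
            jitter += (abs(d) - jitter) / 16
        prev_transit = transit
        if base is None:
            base = ext_max = seq
        else:
            # unwrap the 16-bit sequence number; late or reordered packets
            # (step >= 0x8000) do not advance the highest sequence seen
            step = (seq - ext_max) & 0xFFFF
            if step < 0x8000:
                ext_max += step
    expected = 0 if base is None else ext_max - base + 1
    return {"jitter_ms": jitter * 1000 / clock_hz, "expected": expected,
            "received": received, "lost": max(expected - received, 0)}

def sample_stream(n=50, delay_every=0, extra_delay=0.0, drop=()):
    """Constructed test stream: n packets, 20 ms apart, first seq 65530."""
    out = []
    for i in range(n):
        if i in drop:
            continue
        hdr = struct.pack("!BBHII", 0x80, 0, (65530 + i) & 0xFFFF, 160 * i, 0x1234)
        late = extra_delay if delay_every and i % delay_every == 0 else 0.0
        out.append((i * 0.020 + late, hdr + bytes(160)))
    return out

# Constructed comparison: clean path vs. a path that delays and drops packets
baseline = stream_stats(sample_stream())
filtered = stream_stats(sample_stream(delay_every=5, extra_delay=0.010, drop=(7, 23)))
```

Feeding the same function with timestamps and payloads from real captures taken on each side of a firewall or tunnel gives a like-for-like view of what the security control costs the call.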