Are VoIP systems prepared for attacks?

The W/32 Skipi.A worm that nagged Skype users in early September was fairly routine by malware standards. It arrived pretending to be a message from another user, offered erotic pictures, infected machines via malicious links, stole information and moved on to other PCs.

What was unique about the worm was its creator's platform of choice — Skype, the communications service owned by eBay with more than 196 million global users. In the long run, the attackers may have inadvertently helped IT administrators by bringing much needed security scrutiny to Skype, as well as to its enterprise-focused voice over internet protocol (VoIP) counterparts.

Consumers looking to cut back on long distance fees are helping Skype rocket in popularity. All the while, corporate decision-makers are exploring the benefits of enterprise VoIP platforms, finding that the integration of communications applications on one device has benefits in user organization, as well as the added benefit of convenience. And many IT officials now believe that expediency outweighs the high cost of the phones themselves, says Dave Endler, director of security research at TippingPoint.

“I believe that it is cost effective, and that you gain a lot more. You're able to integrate your system with your Active Directory, and in many cases your Microsoft Office applications, and you get a lot more integration and a lot more industry convergence with your traditional data network,” he says.
But basic flaws, the maintenance of which is the bane of many IT professionals' workdays, can be exploited in VoIP phones the same way that they can be hacked on a PC. With attackers now more interested in making money or gaining personal information than showing off to their peers, they can take advantage of VoIP phones to launch targeted attacks against the person or business on the other end. Difficulties in authenticating VoIP network users make phishing phone calls over VoIP networks all the more likely, says Cullen Jennings, distinguished engineer at Cisco.

“These sorts of attacks are largely things that existed in traditional phone systems as well. There are issues with being able to authorize. For instance, can someone phone a 900 number and not get caught?” says Jennings.

More a computer than a phone
While corporate rates of VoIP adoption vary, the integration opportunities — especially when accounting for the technology's security implications — certainly can work against companies. VoIP-capable telephones are essentially small desktop computers, so in addition to the problems of authentication mentioned earlier, they also face many of the same exterior threats — denial-of-service attacks, phishing and identity spoofing, for example — that the users of PCs face, says Paul Simmonds, a member of the Jericho Forum's board of management. The Jericho Forum is an international IT security group.

“The problem is two-fold. The phones themselves are substantially more expensive because they're a fully functioning computers. So the base phone itself is more expensive — OK, the exchange isn't — and the replacement lifecycle is probably half of the time of a traditional phone network, because it obviously is more complex and more prone to failure,” he says. “So it's an interesting technology. What people don't take into account is that this is a computer. You need to patch it.”

Additionally, the use of VoIP networks can end up costing corporations more money than they anticipated due to the cost of additional security technologies. Some VoIP technologies are not secure enough to safeguard critical data without security add-ons, says Simmonds.

“With regular VoIP, you need to talk to some sort of VoIP exchange, the protocols being used out of the box are really insecure and there's little authentication built in,” says Simmonds. “If you take a standard, out-of-the-box VoIP, a nice Linksys VoIP phone, it's got web content with default passwords using HTTP, not HTTPS.”

Skype in the workplace

Meanwhile, Skype, intended by its creators to be a home version of PC-based telephone communication, also can be a burden to system administrators when end-users download the messaging platform at work. Asked whether some IT professionals do support Skype, Tim Mather, chief security strategist for RSA Conferences, says “a better way to put it is that it's being tolerated in a lot of places, meaning that IT pros will be tolerant of it, but not support it.”

He adds, “If I'm traveling from point to point, and I want to call back home to a loved one here in the states, I don't have to charge it to my phone card.”

End-user adoption of Skype at the workplace can cause considerable damage to a corporation's bottom line if it is the source of a data breach. A relatively new technology, Skype remains untested by some IT professionals and may still get around many solutions, says Endler.

“You can spoof caller ID very easily. You might be able to know who's calling you within your organization,” says Endler. “Skype is adept at getting through corporate firewalls and having information leaving in a way that you can't monitor it. A lot of people have legitimate concerns over Skype.”

The top five ways
. End-users must demand that VoIP protocols are both inherently secure and open.
. Companies must pledge support for moving to open, royalty-free and documented security standards, and away from proprietary VoIP protocols.
Corporations should audit their products, and replace insecure or proprietary usage.
A secure VoIP protocol should be released under an open source or general public license agreement.
A secure protocol should contain end-to-end encryption, control and configuration of end-devices and mutual authentication.

Source: Jericho Forum position paper, “VoIP in a e-perimeterized world”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.