Amol Sarwate
It seems that every new form of information technology brings out new forms of attack, or at the very least a new vector for older attacks. Unfortunately, voice over IP technology will be no exception, especially since market research firm AMI Partners shows that VoIP spending reached $3 billion in 2006, up 26 percent from the previous year.

Whether it's to eavesdrop, bring down a company's telecommunications system, or steal minutes, attacks against VoIP systems already are underway. Last year, 23-year-old Robert Moore was charged with hacking into more than 15 VoIP telecommunication companies and stealing more than 10 million minutes for resale. Authorities say that Moore and a partner made more than $1 million from their scheme.

The de facto VoIP standard is the Session Initiation Protocol (SIP). Since SIP messages are text-based, they're easier to process than other VoIP protocols, and because SIP is so similar to many other IP-based protocols, it's susceptible to many of the same types of attacks.

Here is a sample of the more notable SIP attacks:

  • The “BYE” session attack: The SIP BYE request is used to terminate (“tear down”) established sessions. It's possible for attackers to use the BYE request to kill existing sessions.
  • The “CANCEL” attack: SIP CANCEL requests are used to rescind a user's preceding request. Attackers can use this request to wreak havoc on calls, such as by canceling INVITE requests from callers.
  • The “REFER” eavesdropping attack: The REFER SIP extension, through the use of an arbitrary URI reference, makes it possible for an attacker to eavesdrop on communications and even engage in man-in-the-middle attacks.
  • The “UPDATE” DoS attack: The SIP UPDATE request gives users various capabilities, including muting or placing calls on hold. Attackers can submit fake UPDATE messages to corrupt session parameters and create a DoS situation.
  • The “INFO” attack: The INFO request is a way to transmit application-specific information through the SIP signaling path. If this pathway isn't encrypted, attackers may be able to obtain unauthorized access to the call, launch a DoS attack, or tamper with billing data.

Aside from the familiar DNS, DoS, and eavesdropping attacks, VoIP also is susceptible to traditional viruses and worms. And, of course, there's always some variation of Spam—only over VoIP it's known as SPIT, or Spam over Internet Telephony, which increasingly will target VoIP networks. Because VoIP is so cheap, expect SPIT from telemarketers, prank callers, and fraudsters to become a growing problem.

As deployment of VoIP increases, attacks against these systems no doubt will increase. Unfortunately, there are no simple solutions to tighten security of VoIP networks. Many of the best practices for securing networks and applications hold true.

As is the case with securing most IT resources, tightly configure your VoIP systems and disable all unnecessary SIP services. Also, make certain that proper levels of authentication are in place. To limit the attack surface of your VoIP system, make sure traffic can be encrypted whenever it's feasible. You could consider using a virtual private network to enable legitimate users to connect to your VoIP network from untrusted networks and hotspots. The same VPN also could be used to shield your VoIP communications on your internal network from the Internet via your data network.

Additionally, you'll want to consider using a specialized SIP scanner and conducting your own penetration tests to check VoIP servers and phones for potential security gaps. It's also a good idea to create custom VoIP and SIP rules and signatures for attacks within your IDS. An excellent resource for SIP tools is found here. You'll find VoIP tutorials and presentations, sniffers, VoIP fuzzers, and other tools to check VoIP-related code.
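One way to prototype the kind of custom SIP signature described above, as an added example that is not part of the original article: it flags BYE, CANCEL, UPDATE, REFER, and INFO requests that arrive from a host that never took part in the session. It assumes signaling captured as (source IP, raw message) pairs and endpoints that talk directly; behind a proxy or NAT the participant set would need a different key. All names and sample traffic are constructed.

```python
# Added example: heuristic detector for spoofed SIP requests (all sample values constructed).
WATCHED = {"BYE", "CANCEL", "UPDATE", "REFER", "INFO"}
def parse_sip(raw):
    """Return (method_or_None, status_or_None, headers) for one SIP message."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    first = head[0].split(" ")
    method = status = None
    if first[0].startswith("SIP/"):           # response: SIP/2.0 200 OK
        status = int(first[1])
    else:                                     # request: METHOD uri SIP/2.0
        method = first[0].upper()
    headers = {}
    for line in head[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, status, headers

def detect(packets):
    """Flag watched requests from hosts that never took part in the session."""
    dialogs, alerts = {}, []                  # Call-ID -> set of participant IPs
    for src, raw in packets:
        method, status, hdr = parse_sip(raw)
        call_id = hdr.get("call-id") or hdr.get("i")   # "i" is the compact form
        if call_id is None:
            continue
        if method == "INVITE" and call_id not in dialogs:
            dialogs[call_id] = {src}          # caller opens the session
        elif status is not None and status < 300 and call_id in dialogs:
            dialogs[call_id].add(src)         # answering side joins the session
        elif method in WATCHED:
            if call_id not in dialogs:
                alerts.append((src, method, call_id, "unknown dialog"))
            elif src not in dialogs[call_id]:
                alerts.append((src, method, call_id, "non-participant source"))
    return alerts

def msg(start_line, call_id):                 # minimal constructed SIP message
    return f"{start_line}\r\nCall-ID: {call_id}\r\n\r\n"

SAMPLE = [                                    # constructed traffic, documentation IPs
    ("192.0.2.10", msg("INVITE sip:bob@example.com SIP/2.0", "a1@example.com")),
    ("198.51.100.20", msg("SIP/2.0 200 OK", "a1@example.com")),
    ("203.0.113.66", msg("BYE sip:bob@example.com SIP/2.0", "a1@example.com")),
    ("198.51.100.20", msg("BYE sip:alice@example.com SIP/2.0", "a1@example.com")),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Only the BYE from the third host is reported; the later BYE from the answering party is treated as legitimate.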

-Amol Sarwate is director of Qualys' vulnerability research lab