Sure, the CTO of BorderWare was trying to scare us. After all, his company makes security equipment. But Andrew Graydon made a lot of sense and had me shaking my head in sadness when he presented at the second VoIP Consortium event in February.
According to Graydon, Voice over Internet Protocol (VoIP), and especially a related technology called Session Initiation Protocol (SIP), combines the security flaws of two very insecure Internet protocols: HTTP, which is what transports Webpages, and SMTP, which is what transports email, and, unfortunately, spam, which is now 67 percent of all email.
VoIP is the process of sending telephone calls over an IP network such as the Internet. VoIP equipment digitizes callers' voices and turns them into a data stream. Unfortunately, much of the information used to establish and maintain a VoIP call via SIP is transported in clear text and is easy to spoof, fake, or alter.
One of the simplest vulnerabilities concerns caller ID. In a SIP session, the caller ID comes from the From field, just like in an email. You probably have spam sitting in your spam filter or your email box right now that purports to be from PayPal or your bank or some other reputable person or business. That's possible because SMTP headers, which contain information about the email message such as whom it's from, are transported in the clear, and thus can be hacked. It's not even that hard to do.
So when you get a phone call on your POTS (Plain Old Telephone Service) phone purporting to be from, say, Bill Gates, it ain't necessarily so. On most VoIP/SIP equipment, you input the From information yourself. Unbelievable.
There is already a big problem with miscreants who prey on elderly or vulnerable adults, pretending to be from the bank or the mortgage company and needing confidential information such as passwords or Social Security numbers. Imagine how much easier that will become if the bad guys simply buy VoIP phones! The caller ID would say "Wells Fargo" or "PayPal" or whatever the crook wanted.
Another vulnerability concerns what are known as Denial of Service (DoS) attacks. No, this isn't a flashback from the bad old days of DOS-based PCs; DoS attacks attempt to bring down a server or a service by pelting it with repeated or malformed requests. Eventually the service becomes so busy dealing with the bogus requests that it denies service to legitimate users, and may ultimately crash, or worse, fail in a way that allows entry to a hacker.
It is trivially easy to flood a VoIP system with SIP requests for service, Graydon said. In fact, it happens inadvertently on a regular basis on large VoIP-based networks. All it takes is an interruption in VoIP service, like when the VoIP server goes down. When the system comes back on line, every VoIP device peppers the server with SIP registration requests so that it can resume service. Unless the equipment or network is architected correctly, the server can go right back down again, smothered by thousands of simultaneous requests.
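A simplified model of the re-registration storm described above, added here as an illustration and not taken from Graydon's talk or any vendor's product. It compares a registrar that lets unanswered devices keep retransmitting with one that answers the overflow right away using SIP's 503 Service Unavailable response and a Retry-After header to stagger the retries. The device count, the per-tick capacity and the retransmit-every-tick behaviour are assumptions chosen for the model.

```python
from collections import Counter

def naive_storm(devices: int, capacity: int) -> list[int]:
    """REGISTERs offered per tick when the registrar completes only `capacity`
    registrations per tick and every unanswered device retransmits each tick
    (simplified retransmission model, an assumption)."""
    load, pending = [], devices
    while pending > 0:
        load.append(pending)                 # everyone still waiting sends again
        pending -= min(capacity, pending)    # only this many get registered
    return load

def shed_storm(devices: int, capacity: int) -> list[int]:
    """REGISTERs offered per tick when the overflow is answered at once with
    503 + Retry-After, each rejected device being given the first future tick
    that still has a free slot. Assumes devices honour Retry-After."""
    arrivals = Counter({0: devices})         # tick -> REGISTERs arriving then
    load, tick = [], 0
    while arrivals:
        n = arrivals.pop(tick, 0)
        load.append(n)
        slot = tick + 1
        for _ in range(max(0, n - capacity)):    # requests beyond capacity
            while arrivals[slot] >= capacity:    # skip ticks already full
                slot += 1
            arrivals[slot] += 1                  # Retry-After = slot - tick
        tick += 1
    return load

def summarize(load: list[int]) -> dict:
    """Figures an operator would compare between the two designs."""
    return {
        "ticks_to_recover": len(load),
        "total_requests": sum(load),
        "peak_after_restart": max(load[1:], default=0),
    }

if __name__ == "__main__":
    DEVICES, CAPACITY = 10_000, 500          # constructed sample values
    print("no shedding :", summarize(naive_storm(DEVICES, CAPACITY)))
    print("503 shedding:", summarize(shed_storm(DEVICES, CAPACITY)))
```

Both designs finish registering every device in the same number of ticks; the difference is how much traffic the registrar has to absorb while it recovers.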
Luckily, Graydon's company sells SIPAssure SIP Firewall, a device that takes care of these and other security threats (whew!). There are others in the market as well, and we'll be hearing more about this topic for sure as VoIP becomes more widespread. You can hear Graydon discuss VoIP security threats on this podcast.
Lest we think this is the only emerging threat to our communications capabilities, Graydon also mentioned two new acronyms that represent new classes of threats:
SPIM – Spam over Instant Messaging
SPIT – Spam over Internet Telephony
So now you have two new things to worry about!


Comments: 3
And unauthorized access to live calls because of a poorly designed protocol is even scarier than legitimate businesses recording your voice.