VoIP Vulnerabilities, a white paper issued by McAfee Labs, found almost 60 vulnerabilities in voice over internet products, compared to just under 20 vulnerabilities in 2006.
"We can credit part of this increase to better tools for finding VoIP vulnerabilities, yet this upward trend should be largely attributed to the growing number of VoIP installations", the white paper said.
Cisco equipment was by far the biggest source of VoIP vulnerabilities, outpacing competitors Nortel and Avaya Business Communications by a factor of five, the report found.
The white paper gave examples of VoIP vulnerabilities at various levels. Eavesdropping on VoIP conversations is possible when the default implementation of the Real Time Protocol (RTP) used to carry VoIP traffic is not encrypted, for example. Tools such as VOMIT have been published to dump unencrypted traffic between phones and turn it into playable sound.
Replay attacks use recorded control data sessions to send fraudulent instructions to call management software. This can be used to spoof calls that have come from a third party, for example. Other vulnerabilities lead to attacks including denial of service, in which traditional vulnerabilities in IP networks are used to disrupt phone service, such as for example inserting a hang-up command into a traffic stream.
Some of these technical exploits can be used to support attacks such as voice phishing (vishing), in which spoof calls are made from criminals pretending to be employees of legitimate organizations trying to 'confirm' information about the victim.
However, one of the most common attacks is also possibly one of the most damaging, the report suggested: "Toll fraud is one of the most frequent attacks against VoIP. We have seen attackers targeting small businesses - such as in Perth, Australia, where they made 11 000 calls costing more than US$120 000 - to attackers stealing more than 120 million VoIP minutes and making $1.2 million from Verizon and AT&T", it explained.
Comments
Smoothstone IP says:
06 January 2010
Any technology is subject to increasing vulnerabilities, as the "art" of hacking has evolved into a big business. The increasing use of technology to run a business today ensures that any company must not only be on guard but assertive in it's endeavor to protect it's critical infrastructure.
VoIP has seen an increase in the number of vulnerabilities in the past few years, however the rate of discovered vulnerabilities has been mild compared to the adoption rate of VoIP In addition, vulnerabilities in other areas, such as simple Internet browsing, has increased at an alarming rate. IBM X-Force put out a report that vulnerabilities in terms of malicious website infections has increased 508% in the first half of 2009 alone.
The concern over VoIP vulnerabilities is justified, but should be measured against the overall risk of using technology in general - the picture should be viewed holistically. Additionally, many VoIP providers today leave Security as an afterthought, combining both Internet and VoIP network traffic as well as using public network transport as part of the connectivity solution. The existence of the vulnerability itself is not necessarily a problem. But a VoIP provider must be proactive, using the latest security measures, such as MPLS, hardened infrastructures and a well-executed Information Security program, as well as a vulnerability management system.. A well architected network infrastructure utilizing best practice implementation and management standards, ensures any vulnerabilities in VoIP or other technologies is remediated before going into production, while isolating any new vulnerabilities arising in existing production systems.
At Smoothstone, we utilize a secure MPLS network, completely separating VoIP traffic from the public Internet. The customer MPLS data network is secured through SmoothstoneSECURE, which filters traffic for viruses, intrusion attempts, as well as providing web filtering to combat the quoted 508% increase in web surfing risks. Smoothstone also employs a robust vulnerability management solution, ensuring our systems and services maintain a secure profile. SmoothstoneSECURE customers enjoy a hardened and monitored infrastructure which is second to none in the VoIP industry, and represents the standard by which a company should evaluate the adoption of VoIP.
- Randall Frietzsche, Director of Information Security, Smoothstone
Note: The majority of comments posted are created by members of the
public. The views expressed are theirs and unless specifically stated are not those
Elsevier Ltd. We are not responsible for any content posted by members of the public
or content of any third party sites that are accessible through this site. Any links
to third party websites from this website do not amount to any endorsement of that
site by the Elsevier Ltd and any use of that site by you is at your own risk. For
further information, please refer to our Terms & Conditions.
Comment on this article
You must be registered and logged in to leave a comment
about this article.