VoIP Threats, Vulnerabilities Abound
Andrew R. Hickey
Whether their purpose is malicious, for financial gain or just to prove it can be done, VoIP systems are a nut that hackers and exploiters can't wait to crack. And as VoIP continues to proliferate into 2008, those threats will only get stronger and more sophisticated, according to Sachin Joglekar, vulnerability research lead for Sipera VIPER Lab, a research team bent on identifying ways VoIP can be exploited.
Joglekar said word of some VoIP threats started to spread in 2006, with toll fraud and vishing -- a VoIP version of phishing -- taking center stage. By 2007, those threats and vulnerabilities began to manifest further. And in the coming year, by many accounts, exploits used to bring down VoIP systems and scam their users will continue to expand, with many exploits being used in conjunction with another to form an attack powerhouse of sorts.
The biggest VoIP threats and vulnerabilities of 2007 -- remote eavesdropping, VoIP hopping, vishing, VoIP spam, toll fraud and the Skype worm -- will again make headlines in 2008, Joglekar said.
Tim Hebert, president and CEO of Warwick, R.I.-based solution provider Atrion Networking, said VoIP threats have evolved and grown from a "what if?" scenario into a full-blown "what now?" situation. While Hebert said he and his clients have been lucky enough to ward off attacks, he's not resting on his laurels just yet.
"We haven't had any issues with them. Knock on wood," he said. Still, Hebert said he has seen some clients that Atrion has inherited from other VARs that were ripe for the picking due to poorly designed VoIP networks.
"VoIP is on the early edge, but it's moving from early adopters to the early majority," Hebert said. "There will be more and more threats. It's definitely going to grow."
Mike Cotrone, owner of Greensboro, N.C.-based solution provider Confiance IP Solutions, agreed that the threats are real, but said VoIP security is not yet on many companies' radar screens.
"Anything is possible when dealing with IP," he said. "It's definitely a risk that is out there. If you have a weak link in the chain, anyone can sniff anything off of your network."
While Cotrone noted that he's heard no mention of VoIP threats and vulnerabilities from his customers, he said in many cases it will take one massive outbreak for the reality of VoIP threats to hit home. Still, he said, he recommends customers use VoIP encryption to stave off threats.
"I don't know if there's a true understanding of VoIP-based attacks," he said.
Sean Johnson, business development manager for Hayes Computer Systems, a Tallahassee, Fla.-based solution provider, said VoIP vulnerabilities and threats aren't something he's encountered too often. Johnson said he has, however, been hired by clients who were hung out to dry by previous VARs.
"VoIP vulnerabilities overall aren't something we've had to deal with so far," he said, adding they can be avoided by putting VoIP on separate VLANs, behind a firewall and using intrusion prevention. "The reason people may be scared is they're not implementing the proper security with it. If you get into that kind of situation, you're wide open for an attack on that VoIP system."
Rany Polany, president of PWT-IT Solutions, a San Jose, Calif.-based systems integrator and managed service provider, said the trick is to stay one step ahead of potential threats and vulnerabilities.
"We actually deal with it all the time," he said. "A major portion of our revenue is designing and building VoIP systems."
A key to staying ahead, Polany said, is a strong security policy.
"Security policies need to be in place," he said. "When we're dealing with IP, there needs to be a security assessment across the entire network. When moving toward a fast IP environment, any VoIP system needs to have security and policy implemented into that network."
Hebert said tightening up operating systems and ensuring the VoIP network is locked down is essential. He added that the growing variety of attacks will serve as an eye-opener, especially since each attack has different intent.
"Half of the attacks out there are just for the challenge of doing something. There's always someone out there racing to be the first to do it," he said. "The other half are either malicious or for monetary gain."
But with VoIP deployments increasing in number, Hebert said he expects to see a shift from the "proving it can be done" phase.
"There's going to be a large element that is purely malicious, looking to sabotage or take down a call system," he said.
"VoIP is going to be looked at as one more tool in [a hacker's] arsenal," he said. "People trust their phones and someone is going to try to exploit that trust."