New VoIP phones invite old security threats

By migrating telephones to the internet, we expose ourselves to online attack, writes Karlin Lillington

By migrating telephones to the internet, we expose ourselves to online attack, writes Karlin Lillington

Firewalling your phone? Downloading security patches for your handset? It may sound amusing and unlikely, but according to security experts, phone networks are moving steadily towards becoming internet based rather than copper-wire based, and therefore will be increasingly at risk for internet-style security problems.

Already, many major telecommunications carriers are moving significant portions of their phone-call traffic to voice over internet protocol, or VoIP, networks, with major global carriers predicted to be all-VoIP by 2010.

Ireland is said to have about 20 per cent of its networks running on VoIP.

READ MORE

Businesses are moving internal phone systems to VoIP because of significant cost savings on calls and because of the additional capabilities of internet-based phone systems, while consumers are adopting VoIP through services like Skype and Vonage.

"Pretty soon, it's going to be pretty difficult not to get VoIP," says Andy Clark, head of forensics for computer security company Detica. Speaking to an international, industry-insider audience at the recent annual Cosac security conference at Killashee House, Co Kildare, Clark said the installation of a VoIP system in his office "raised all sorts of questions in our minds about IP security".

Clark's concern chimes with increasing international awareness that, while VoIP may bring many benefits, it also raises some concerns.

Security company Symantec has noted that it believes VoIP exploits are set to take off in the coming year as more such systems are switched on.

In the US, the Federal Communications Commission (FCC) questioned how carriers will handle emergency calls, since the easy transferability of numbers when using VoIP can make it impossible to trace the location of a call. For example, an Irish traveller in Hong Kong using a VoIP connection would appear to be in Ireland.

In response, the FCC now requires VoIP carriers in the US to offer what it calls E911 services, or enhanced 911 (911 is the US emergency number). This enables wireless handsets to report their true location to emergency services if needed.

Another concern is that during a power outage - likely in many emergency situations - VoIP networks will also go down, unless there is a back-up generator or battery power source the network and handsets can switch to.

Clark outlined a number of potential security vulnerabilities in VoIP services. Firstly, so-called "soft phones" - software that allows for computer-based internet calls - and VoIP handsets both use a browser interface, he says, with browsers already a known security problem on PCs.

"There will likely be a default user ID and password for every phone, too," he says, adding that such defaults mean many people won't know they need to change them or won't bother to, making phones easily accessible to hackers and making it easy to divert calls to another phone.

Because the browser interface displays calls made and received, this is potentially easy information to access too, he says.

As for threats and attacks that could be made on VoIP systems?

"Everything that's already in the IP space" is a threat, he says. These include everything from spamming to denial of service (DoS) attacks, where an attacker would try to flood a system with calls, jamming the entire network. The latter could pose a serious threat for a corporation, Clark notes, as without phone access, business would virtually cease.

Some internet threats have already made themselves known on VoIP. There have already been "phishing" attacks on VoIP networks - which are known as "vishing" - where an e-mail encourages a recipient to dial a number to access their bank account. The number connects to an automated call over VoIP that tries to get the caller to state a password and account number. The software needed to carry out such an exploit costs under €10.

Caller ID can be spoofed as well, to make it appear someone else is making a call - perhaps again a trusted holder of confidential information, such as a bank.

Some readily available programmes, such as Ethereal, used to monitor and check for vulnerabilities on VoIP networks, could also allow hackers to capture and record VoIP calls, or even inject sound files into a network to fake a call or part of a call.

While networks can be encrypted to encode and protect conversations, most people are unlikely to want to turn on that capability and create another layer needing management, he says.

Old-style copper-wire telephone networks are subject to passive wiretapping, Clark says, "but they didn't have a 'broadcast' type protocol that could be compromised easily. VoIP systems are subject to passive wiretapping for content too, but they're also open to protocol [ internet] based attacks with more far-reaching consequences."

Secure firewalls and up-to-date patching will be part of business and consumer defences against misuse of VoIP systems, Clark says. But, he adds, more awareness is needed about the potential issues with VoIP because soon, "there won't be any option but VoIP".