Data embedded, encrypted and transmitted using RTP would seem to be impossible (given current technology) to detect....
VoIP RTP exfiltration defensive systems are nonexistent as far as I know. This would seem to be a great way to implant something, and the host would be never the wiser. Is there a way to prevent against such attacks?
Data exfiltration is the unauthorized removal of data from a computer or network. Data exfiltration using tunnels is also known as using a covert channel. Using VoIP is a new method for sending data out of a network, but there are many other tools for data exfiltration, including ICMP tunnels, DNS tunnels and HTTP tunnels. All of these tools can be used to transport encrypted data out of a network.
Detecting covert channels is possible, but requires significant effort depending on the protocol. Information security tools could detect various types of data tunnels based on network signatures, protocol analysis and flow data analysis. Application- or protocol-specific tools may be better able to identify anomalies in outbound traffic, but may also be difficult to use for security.
Blocking tunneled data may be more difficult than detection since you might impact your users’ legitimate traffic when misidentifying tunnels. You can block ICMP outbound at your organization’s border, block DNS requests to external servers except for your organization’s DNS servers or use a Web proxy to prevent HTTP tunnels.
VoIP RTP exfiltration tunneling could be blocked with significant effort by delaying delivery for a voicemail until it can be sent though an audio processor looking for encoded data in a voicemail, much like antispam software operates. For high security environments, there may not be a reason to allow outbound network access, but it may be difficult to block all outbound communications without a Faraday cage.
Dig Deeper on Data loss prevention technology
Related Q&A from Nick Lewis
Researchers developed aIR-Jumper, an exploit that leverages lights within security cameras to extract data. Learn how this attack works and how to ...continue reading
The com.google.provision virus reportedly targets Android users, but little is known about it. Nick Lewis discusses the mystery threat and how Common...continue reading
A bug in Microsoft's Internet Explorer update exposes information that users enter into the browser's address bar. Learn more about the bug and URL ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.