Data embedded, encrypted and transmitted out of a network using real time transport protocol (RTP) would seem to be impossible to detect, given current technology. VoIP RTP exfiltration defensive systems are nonexistent as far as one can tell. This would be a great way for attackers to implant malware that a host might never notice. Is there a way to prevent against such attacks?
Ask the expert!
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Detecting data being tunneled out of a network is nearly impossible to do, regardless of the protocol. Data exfiltration using tunnels is a method known as using a covert channel. Using VoIP for data exfiltration is a new method for sending data out of a network, and RTP attacks are an example of this as they use part of the encrypted tunnel to siphon off other data, but there are many other tools for data exfiltration, such as ICMP tunnels, DNS tunnels , HTTP tunnels and many others. ICMP tunneling goes back to Project Loki in 1996. All of these tools can be used to transport encrypted data out of a network.
Detecting tunneled data is possible, but to do so requires a significant effort, depending on the protocol being used. Information security tools may detect various types of data tunneling, based on network signatures, protocol analysis and flow-data analysis. Application- or protocol-specific tools may be better able to identify anomalies in the outbound traffic, but may be difficult to use for security purposes.
Blocking tunneled data may be more difficult than detecting it, since this process might disrupt legitimate traffic when tunnels are misidentified. ICMP outbound can be blocked at an organization’s border, because of blocked DNS requests to connect to external servers for the parent organization’s DNS servers; rather, users are potentially using a Web proxy to prevent HTTP tunnels. VoIP RTP exfiltration tunneling may be blocked through a significant effort by delaying delivery for a voicemail until it can be sent though an audio processor that looks for encoded data, much like the way antispam software operates. For high-security environments, there may not be a reason to allow outbound network access, but it may be difficult to block all outbound communications without a Faraday cage.
This was first published in April 2012