While Voice over Internet Protocol (VoIP) security may not be the highest priority for many IT security professionals or network administrators, experts are warning that the threat to VoIP communications is increasing.
Patrick Park, network engineer at Cisco and author of Voice over IP Security, said attackers have many different methods and tools for manipulating and intercepting VoIP communications.
A common distributed denial-of-service (DDoS) attack could cripple a company for hours, but more sophisticated methods exist, Park said. Eavesdropping techniques, call pattern tracking, data mining and data alteration are among the more sophisticated threats to voice and video used in the workplace.
Park, who worked previously as a VoIP security engineer at a VoIP service provider, said he once monitored a VoIP attack originating from Jamaica that eventually overwhelmed the company servers and caused a service blackout for more than an hour. While DDoS attacks are the most common and least sophisticated, more savvy attacks are possible as the threat rises from insiders who have more networking knowledge.
"It's not happening often, but whenever it happens the impact is very serious," Park said. "Whenever servers are compromised or some network is affected, the impact is very serious and that's the biggest problem."
Using sophisticated software, an attacker also has the ability to alter messages or media after intercepting them in the network, Park said. The attack could be used as part of a corporate espionage scheme, but it takes more work because a person must know specific information about the network traffic.
"An attacker can see the entire signaling and media stream between endpoints at the intermediary, injecting or replacing data," Park said.
Despite some attacks increasing in sophistication, some VoIP security tools help automate the process and could be used by an attacker, said Dan York, best practices chair for the Voice over IP Security Alliance (VOIPSA).
"Tools bring VoIP attacks into script kiddie land," York said. "Some that will make it as easy as capturing all voice streams out there and putting them into mp3 files."
A program called SIPtap, created by UK-based VoIP expert Peter Cox, can monitor multiple VoIP call streams, record them and turn them into .wav files. UCSniff, developed by Jason Ostrom, provides a number of tools to assess the security of VoIP calls. The software package has several tools that could be used by an attacker to eavesdrop on calls.
Still, York said until VoIP yields a profit for attackers, the threat of large-scale attacks is minimal. As more companies add VoIP to their call centers, the threat level could rise. There is a solid case for a risk of smaller, focused attacks, he said.
"We'll be seeing more and more people doing interconnection in the next three to five years and that's when it could get interesting," York said.
Most people worry about eavesdropping, but the process of listening in on a phone conversation is difficult, Park said. Despite tools available to attackers that can sniff packets, Park said, the hacker would need to have the tool located in the same broadcast domain as the IP phone or would need to be on the same media path. Media packets are often encrypted, making intercepted packets useless, he said. The other option an attacker would have is to compromise an access device, such as a switch or router, and forward or duplicate the media packets to a capture device.
"Most VoIP service providers use encryption, either signal or media encryption," Park said. "End-to-end full encryption is the most common way to provide message confidentiality and integrity between communication end points."
York said more work needs to be done. More service providers need to use encryption from premises equipment out to IP networks and on to the PSTN.
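Whether a given call's media is actually protected can be read from the SDP body negotiated in signaling. The following is an added example, not part of the original article: it classifies each media stream in an SDP offer as cleartext RTP, SRTP, or SRTP whose SDES key travels over unencrypted signaling. The function name, status labels and sample SDP are assumptions constructed for illustration.

```python
# Constructed sample SDP (not a capture): one plain RTP audio stream and
# one SRTP video stream keyed with SDES (a=crypto, RFC 4568).
SAMPLE_SDP = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
m=video 51372 RTP/SAVP 96
a=rtpmap:96 H264/90000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY
"""

def audit_sdp(sdp, signaling_tls):
    """Return (media, proto, status) for every active m= line in the SDP."""
    session_attrs, streams, current = [], [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            current = {"media": media, "port": int(port.split("/")[0]),
                       "proto": proto, "attrs": []}
            streams.append(current)
        elif line.startswith("a="):
            # Attributes before the first m= line apply to the whole session.
            (current["attrs"] if current else session_attrs).append(line[2:])

    findings = []
    for s in streams:
        if s["port"] == 0:  # port 0 means the stream is rejected or disabled
            continue
        sdes = any(a.startswith("crypto:") for a in s["attrs"])
        dtls = any(a.startswith("fingerprint:")
                   for a in session_attrs + s["attrs"])
        if "SAVP" not in s["proto"]:
            status = "cleartext"      # plain RTP profile: sniffable on the media path
        elif dtls:
            status = "encrypted"      # DTLS-SRTP: key is not carried in the SDP
        elif sdes:
            # SDES puts the SRTP key in the SDP, so signaling must be encrypted too.
            status = "encrypted" if signaling_tls else "key-exposed"
        else:
            status = "srtp-no-key"    # SRTP profile offered without any keying
        findings.append((s["media"], s["proto"], status))
    return findings
```

The "key-exposed" result is the case where media encryption alone does not help: anyone positioned to capture the signaling can read the SRTP key from the `a=crypto` line.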