<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
<title>VoIP and UC Security Blog</title>
<link>http://blog.tmcnet.com/voip-and-uc-security-blog/</link>
<description></description>
<dc:language>en-us</dc:language>
<dc:rights>Copyright 2013</dc:rights>
<dc:date>2008-11-18T15:12:43-05:00</dc:date>
<admin:generatorAgent rdf:resource="http://www.movabletype.org/?v=4.38" />
<sy:updatePeriod>hourly</sy:updatePeriod>
<sy:updateFrequency>1</sy:updateFrequency>
<sy:updateBase>2000-01-01T12:00+00:00</sy:updateBase>

<item>
<title>Hello, I am calling to tell you that you've been hacked</title>
<link>http://blog.tmcnet.com/voip-and-uc-security-blog/2008/11/hello_my_name_is_joe_doe_and_youve_been_hacked.html</link>
<guid isPermaLink="false">38361@http://blog.tmcnet.com/voip-and-uc-security-blog/</guid>
<description><![CDATA[When I looked at the long-term VoIP and UC security trends a year ago, I discovered that most of the VoIP security research and attention was devoted to the signaling protocols and their vulnerabilities. SIP, Skinny, UNIStim and H.323 are being fuzzed, reverse engineered, spoofed and dissected in hundreds of ways. In the process we discovered a lot of vulnerabilities, fixed most of them and made these protocols more secure. And that's a good thing. <br /><br />But I knew we were missing something. This something is another family of protocols: Real-time Transport Protocol (RTP) and its sister protocol, Real-time Transport Control Protocol (RTCP). These protocols are used to carry the actual content of voice calls, video or audio over IP networks. They have a few interesting properties that warrant a closer look from the security point of view. <br /><br />First, they are ubiquitous. VoIP and UC vendors use different signaling protocols in their products - standard SIP and H.323 or proprietary Skinny and UNIStim. But all of them use standards-based RTP/RTCP to carry voice, video and audio. The list of common applications using RTP/RTCP is very long. Some of them are deployed in very large numbers: <a href="http://www.tmcnet.com/tmcnet/snapshots/snapshots.aspx?Company=Microsoft">Microsoft</a> Communicator, any VoIP softphones and hardphones, Live Windows Messenger, wireless VoIP and video clients and QuickTime. We are talking about hundreds of millions of end-points.<br /><br />Secondly, after the signaling protocol establishes a connection between calling parties, in most cases RTP/RTCP is carried between endpoints in peer-to-peer mode, thus bypassing PBX/Call Managers/softswitches.<br /><br />Thirdly, the ports used by RTP/RTCP are assigned dynamically during the signaling phase. <br /><br />Fourth, RTP is a binary protocol carrying information in real-time. Since VoIP and video are sensitive to delay, packet loss and jitter, it is very difficult to analyze the content of RTP streams fast enough to not cause QoS to deteriorate. <br /><br />Let's put it all in the context of VoIP and UC security. I asked my research team to look closer at RTP and RTCP implementations. Well, now we know that RTP/RTCP implementations have security vulnerabilities, some of them very serious. It is quite feasible that some of the exploits could be used to create massive attacks on telecommunication and business infrastructure as a part of cyberwarfare, or they could be used selectively to steal information and penetrate enterprise security through a simple phone call. <br /><br />Your laptop running a softphone could be taken over by someone simply calling you and exploiting a specific RTP vulnerability. And this attack could traverse PSTN networks. Even transferring sensitive data from inside of the enterprise is possible within the RTP streams. <br /><br />In most cases RTP works in the peer-to-peer mode, bypassing any centralized applications and devices. In many organizations any peer-to-peer traffic is simply blocked, but this is not possible if VoIP or UC infrastructure is implemented. <br /><br />And let's not forget about SPAM over Internet Telephony (SPIT). It is basically the equivalent of email SPAM but with a twist. Anti-spam applications have full access to email headers and the content so they can analyze the entire message and make an appropriate decision in non real-time. In the case of SPIT, we can easily analyze the signaling protocols, but it is almost impossible to do so for RTP streams. Imagine buffering a conversation, analyzing the speech against certain rules and keywords (not everyone in the world speaks English), making a decision and inserting the content back into the RTP stream. All that in real-time for thousands of conversations at a time.<br /><br />Securing RTP is our next challenge.
Let's start working on it now.]]></description>
<dc:subject>signaling protocols</dc:subject>
<dc:subject>skinny unistim</dc:subject>
<dc:subject>video audio</dc:subject>
<dc:subject>security</dc:subject>
<dc:subject>protocols</dc:subject>
<dc:subject>protocol</dc:subject>

<pubDate>Tue, 18 Nov 2008 15:12:43 -0500</pubDate>
<dc:date>2008-11-18T15:12:43-05:00</dc:date>

</item>

 

<item>
<title>VoIP and UC security - Is it important?</title>
<link>http://blog.tmcnet.com/voip-and-uc-security-blog/2008/11/voip_and_uc_security_-_whats_next.html</link>
<guid isPermaLink="false">38356@http://blog.tmcnet.com/voip-and-uc-security-blog/</guid>
<description><![CDATA[I've been involved in VoIP and UC security for a number of years now and lately, people have been asking me one simple question: "Why are VoIP and UC security not perceived as important as data network security?"<br /><br />Good question!<br /><br />Unfortunately there is no simple answer. First, given their emerging nature, there is a lack of knowledge and understanding of VoIP and UC technologies. It is true that VoIP or UC are new technologies that combine the old communication mediums such as voice and video with the newer networking technologies such as IP and 3G networks. For many years these two different worlds co-existed, rarely crossing well-defined demarcation lines. Converged networks are changing all of this, but we know it is much easier to change technologies than it is to change people. The result is that we have IT folks who understand data networking and applications very well, but they are not really VoIP or UC experts. Then we have the telecommunications experts who could configure your entire PBX in no time, but their knowledge of IP networking and applications is fairly basic. Then we have the IT security professionals who know a great deal about how to secure data and IP networks, but securing a VoIP and UC network falls outside their area of expertise.<br /><br />VoIP and UC security have yet to be widely addressed from a regulatory compliance perspective, and as a result, many organizations do not include guidance relating to their framework and processes. Most organizations have a strong framework and processes in place to deal with security issues for data networking and applications, but VoIP and UC are not yet part of this framework.
<br /><br />Risk assessment and risk management practitioners have just started to focus on VoIP and UC security, as demonstrated by the increasing number of firms including them as part of the risk assessment analysis they do for securing any IT infrastructure. There is recognition now that it is almost impossible to properly secure converged enterprise networks, including VoIP and UC, without a proper strategy that looks beyond the data-centric model used in the past.<br /><br />Making the business case for VoIP and UC and coming up with an ROI is difficult. Adding requirements for proper security could make them unacceptable to business decision makers given the perceived extra costs. Also, VoIP and UC vendors are not interested in putting sales at risk, so they either avoid talking about security entirely, or try to assure customers that their solutions are fully secure.<br /><br />I would think that IT security groups should be proactively implementing VoIP and UC security infrastructures using well known processes and methodologies developed and proven for data networks and applications. The reality, though, is that there are not very many VoIP or UC security incidents reported that have had a major impact on businesses besides a couple of toll fraud type attacks, PBX/Voice mail hacking and a few SIP DoS attacks. A number of organizations, including my company, VoIPshield Systems, have published a number of VoIP and UC vulnerabilities that potentially could be used to attack the VoIP and UC infrastructure. <br /><br />I should note that perhaps the bottom line here is that there is not a significant enough level of "pain" in the market to elevate the importance of VoIP and UC security to a level similar to something like bank card fraud, or email security, etc.
As it stands today, while VoIP and UC security are gaining in awareness and importance for future budgeting purposes, relatively few organizations have it as their number one priority for IT security related investments.<br /><br />Back to the original question: "Is VoIP and UC security important?" If history can be used to predict the future, I think that we will start to see VoIP and UC security appear as part of the security mainstream when the number of "painful" events that disrupt business operations increases and causes measurable damage. When downtime, lost sales, information theft or negative influences on brand equity start to cause real financial losses, both mind share and budgets will focus more on VoIP and UC security risks.]]></description>
<dc:subject>risk assessment</dc:subject>
<dc:subject>risk management</dc:subject>
<dc:subject>unified communications security</dc:subject>
<dc:subject>voip security</dc:subject>
<dc:subject>voipshield</dc:subject>
<dc:subject>networking applications</dc:subject>
<dc:subject>security important</dc:subject>
<dc:subject>framework processes</dc:subject>
<dc:subject>security</dc:subject>
<dc:subject>number</dc:subject>
<dc:subject>networks</dc:subject>

<pubDate>Tue, 18 Nov 2008 09:57:09 -0500</pubDate>
<dc:date>2008-11-18T09:57:09-05:00</dc:date>

</item>

</channel>
</rss>