Application
Securing voice over the Net
As VoIP adoption spreads far and wide in corporate India,
security threats loom large over companies and need to be tackled, writes Megha
Banduni.
Security experts predict that the next level of attacks will target services such as
VoIP as well as Internet telephony (Skype). Although Indian usage of these services
is yet to gain critical mass, organisations that are already using these services
need to watch out.
The motive behind these anticipated attacks is expected to be the same as always,
viz., financial gain, identity and information theft. These attacks will be
similar to those that we have seen in the past on cellular and landline phones.
For instance, attackers may try to compromise a VoIP gateway, launch a denial-of-service
(DoS) attack on call management software, exploit a vulnerability in a vendor's
Session Initiation Protocol (SIP) implementation or try to hijack VoIP calls
through TCP (Transmission Control Protocol) hijacking and application manipulation.
Spammers could flood voicemail boxes with unsolicited messages or interrupt
conversations by injecting voice spam in them.
Such attacks against a combined voice and data network could well end up crippling
an enterprise, halting communications, resulting in the loss and leakage of
valuable information and revenue, and tarnishing a company's brand.
- Separate voice and data into virtual LANs (VLANs)
- Use intelligent firewalls that understand voice
- Use IP Telephony Authentication and Encryption
- Change the default setting in Skype so that it doesn't allow phone calls from anyone that's not on your contact list
- Enforce an effective password policy
- Turn off and remove services that are not needed
- Always keep patch levels up-to-date
Skype: under attack

"To head off attacks on voice networks, IT executives need to ensure
redundancy in case of power loss. And they will have to physically secure
voice servers and other equipment from intruders"
- Rajendra Dhavale
Consulting Director, CA
It isn't only VoIP that's under siege. Skype is
perhaps the most popular of peer-to-peer Internet telephony services and it
competes against open VoIP protocols such as SIP, IAX, and H.323. The advantage
of Skype is that people using its service can talk to others on the Internet.
Skype isn't VoIP, it's Net telephony: Skype uses the public Internet, while
VoIP works over a closed user group (CUG). Also, Skype is a P2P (peer-to-peer)
application while VoIP applications follow the client-server model. A Skype
user directory is entirely decentralised and distributed among network nodes,
which means that the network can scale up easily without a complex and expensive
centralised infrastructure being necessary.
Says Rajendra Dhavale, Consulting Director, CA, "All Skype traffic is encrypted
by default and the user cannot turn it off. It uses openly available, strong
encryption algorithms and the user is not involved in the encryption process
and therefore does not have to deal with the issues of public key infrastructure."
Spamming VoIP
The latest threat to VoIP applications is Spamming over Internet
telephony (SPIT). SPIT is a type of spam or solicitation made over VoIP.
This means that spitters can now send annoying, repetitious advertisements similar
to the spam choking our e-mail inboxes but in pre-recorded voice format. Not
only can they send you voice messages, but they can also take over your VoIP
network and send messages to other users that appear to originate from you,
explains Dhavale.
Adds Patrik Runald, Senior Security Specialist, F-Secure Corporation, "Just
as spam arrives in an e-mail inbox, spam over VoIP arrives on your IP phone.
The spammer has control of computers infected with malicious code such as bots
and uses them to call random numbers around the world and, when someone picks
up the phone, plays one or more pre-recorded messages."
Dhavale is quick to point out that telemarketers, prank callers, and other telephone
system abusers are likely to target VoIP systems increasingly, particularly
if VoIP starts to ease out conventional telephony. The biggest reason for this
is the underlying technology that is driving VoIP, i.e. SIP.
SIP has received significant support from major vendors,
and is showing signs of becoming an industry standard for voice, video and other
interactive forms of communication such as instant messaging and gaming. Since
it is becoming a standard, attackers are targeting this technology, says
Dhavale.

"When protecting against risks common to voice and voice-related
systems, it's important to focus on privacy via secure
connectivity, protection via threat defence systems and control by means
of trust and identity systems"
- Ranajoy Punja
VP, Marketing, Cisco Systems India and SAARC
Spam isn't the worst threat either. Many security companies
have identified DoS and Quality of Service (QoS) degradation as the biggest
threat to a VoIP network.
According to Ranajoy Punja, VP, Marketing, Cisco Systems India and SAARC, "One
of the most common threats is a DoS attack, which shuts down an application
or server. These attacks are often made against routers, Web servers and mail
servers but they can also target call-processing servers in IP telephony networks."
Runald of F-Secure feels that the most common threat is the loss of confidential
information due to someone eavesdropping on the conversation or not speaking
to the person you think you're speaking to. "The other threat is someone
hacking into the phone system and making calls in your name, essentially hijacking
the phone lines, and DoS attacks where the phone system becomes unavailable because
someone is overloading it with data traffic," he adds.
Eavesdropping through interception and duplication is another
significant threat. In eavesdropping, access can be gained through any access
point to a voice network (particularly if there are wireless access points on
the same network that supports the VoIP service). Once access has been gained,
network sniffers can be used to intercept IP traffic.
Punja says, "VoIP softphones and other software are vulnerable
to worms, viruses and malware, just like other Internet applications. Since
these softphones run on PCs and PDAs, they are exposed to malicious code in
voice applications."
Another security threat that analysts foresee is that of calls being redirected
to a hacker or taken over by malicious sites. Call tampering is also emerging
as a threat. Here an ongoing phone conversation is tampered with: the attacker
can simply spoil the quality of the call by injecting noise packets into the
communications stream.
| Denial-of-Service (DoS) attack | The attacker swamps network traffic so that there's no capacity to support voice. Such an attack can be launched from within an enterprise or by an external entity |
| Loss, alteration or deletion of content through programmed attacks | E.g. the programmed substitution of Dual-Tone Multi-Frequency (DTMF) or Interactive Voice Response (IVR) |
| Lack of capacity / system management | Heightened network traffic can have a negative impact on VoIP traffic if there isn't sufficient headroom |
| Viruses and other malware | A virus / worm outbreak can result in a massive surge of network traffic resulting in voice traffic being left high and dry as data traffic chokes the IP network. Viruses can also target VoIP protocols such as SIP |
Source: IT Security Expert Advisory Group (ITSEAG)
Tackling threats
Enterprises need to protect their data and VoIP environments by implementing
a combination of anti-virus, firewalls, intrusion detection systems (IDS), encryption
and virtual private networks (VPNs). Perhaps the most important measure to be
taken is the separation of voice and data traffic.
Unmesh Deshmukh, Director, Specialist Sales and Services, Symantec India elaborates,
"The current implementations of code signalling, message delivery, and
code protocol fall short of ensuring adequate call party authentication, end-to-end
integrity, and confidentiality. VoIP converts voice signals from the telephone
into digital signals (data packets) that travel over the Internet. If left unprotected,
this traffic is vulnerable to threats such as spying, theft, and data manipulation."
"When protecting against risks common to voice and voice-related systems,
it's important to focus on privacy via secure connectivity, protection
via threat defence systems and control by means of trust and identity systems,"
says Punja.
He adds, "Privacy by means of secure connectivity can be achieved through
technologies such as IP security (IPSec) and SSL VPNs. Protection through threat
defence systems (technologies such as firewall and intrusion prevention
systems) can be used to combat threats from both internal and external sources.
For control using trust and identity systems, access control servers and the
Network Admission Control (NAC) programs can be used to enable organisations
to control information access."
Runald of F-Secure believes, "Call tampering has to be addressed by the
protocols used by VoIP systems with strong authentication to verify that you
are talking to the party that you're thinking you're talking to."
Dhavale believes that IT executives need to account for voice encryption, authentication,
VoIP-specific firewalls, and the separation of voice and data traffic while
deploying VoIP systems.
Solutions and strategies
With the anticipation of mass attacks in the offing, vendors have come up with
various solutions and strategies to counter these.
Pranesh Babu K, General Manager, Technology, Sify Enterprises says, "An
anti-SPIT solution is as good as the anti-spam software used to protect e-mail
systems. It resides on an application server and monitors traffic. It restricts
unwanted calls by using algorithms that monitor how many calls are made, the
time and patterns of these calls, who is making them and so on."
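The kind of call-pattern monitoring described above (how many calls are made, when, in what pattern and by whom) can be sketched as follows. This is an added example, not code from Sify or any vendor named in the article; the record fields, thresholds and sample calls are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass
class Call:
    ts: int        # seconds since start of the log
    caller: str    # who is making the call
    callee: str
    duration: int  # seconds connected (0 = not answered)

def spit_suspects(calls, window=600, max_calls=10,
                  distinct_ratio=0.8, short_call=15, short_ratio=0.7):
    """Return {caller: reasons} for callers whose pattern resembles SPIT."""
    recent = defaultdict(deque)   # caller -> calls inside the sliding window
    flagged = {}
    for call in sorted(calls, key=lambda c: c.ts):
        q = recent[call.caller]
        q.append(call)
        while q[0].ts <= call.ts - window:   # drop calls older than the window
            q.popleft()
        if len(q) <= max_calls:              # volume alone is the first gate
            continue
        distinct = len({c.callee for c in q}) / len(q)
        short = sum(c.duration <= short_call for c in q) / len(q)
        reasons = [f"{len(q)} calls in {window}s"]
        if distinct >= distinct_ratio:
            reasons.append("mostly distinct callees")
        if short >= short_ratio:
            reasons.append("mostly short calls")
        if len(reasons) > 1:   # high volume plus at least one pattern signal
            flagged[call.caller] = reasons
    return flagged

def sample_calls():
    """Constructed call records: a bot, a busy front desk, an ordinary user."""
    bot = [Call(i * 10, "sip:promo@bulk.example", f"sip:u{i}@corp.example", 6)
           for i in range(30)]
    desk = [Call(i * 45, "sip:frontdesk@corp.example",
                 f"sip:team{i % 3}@corp.example", 40) for i in range(12)]
    user = [Call(t, "sip:asha@corp.example", "sip:ravi@corp.example", 300)
            for t in (20, 400, 900)]
    return bot + desk + user

if __name__ == "__main__":
    for caller, reasons in spit_suspects(sample_calls()).items():
        print(caller, "->", "; ".join(reasons))
```

The front desk exceeds the volume gate but is not flagged, because its calls go to a few known extensions and last longer than the short-call threshold; volume on its own would produce false positives.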
Cisco's approach incorporates multiple elements that ensure the security
of a converged (voice, data, and video) network. For threat defence it addresses
network and system protection with technologies such as firewalls and IDS. Connectivity
is secured with the help of IPSec, SSL VPNs and Voice and Video-enabled VPN
(V3PN), which ensure that sensitive data, voice and video communications are secure
and intact as they are transported across public and private networks. Trust
and identity management solutions help companies identify, and then permit or
restrict, both people and machines (such as IP phones) that have access to network
resources.
Symantec's IM Manager provides an Instant Messaging security, management and
compliance archiving solution for enterprises.
According to Deshmukh, "Organisations should employ defence-in-depth strategies
that emphasise multiple, overlapping, and mutually supportive defensive systems
to guard against single-point failures in any specific technology or protection
method. This should include the deployment of regularly updated anti-virus,
firewalls, intrusion detection, and intrusion protection systems on client systems."
Suggests Runald, "For a home user it would be a good idea to change the
default setting in Skype so that it doesn't allow phone calls from anyone
who is not on your contact list. Enterprises need to think through the security
implications while implementing VoIP-based systems. Don't think of the
VoIP system as just normal phone systems. Think of them as any other computer
software / hardware and realise that they have to be secured and patched accordingly."
"To head off attacks on voice networks, IT executives need to ensure redundancy
in case of power loss (most traditional phone networks already require backup
power supplies, but the systems will need to be beefed up when VoIP is deployed).
And they will have to physically secure voice servers and other equipment from
intruders," adds Dhavale.
So far we haven't seen any significant attacks on VoIP or IP telephony
networks in India. This is largely because the technology hasn't been fully
deregulated and therefore adoption remains lukewarm. In six months to a year,
vendors expect these threats to materialise en masse in the Indian market.
Some feel that it's too early for Indian users to bother about securing
Internet telephony at least. Babu of Sify says, "Internet telephony in
India is legalised only for carriers and it is used for making outgoing calls.
Nobody in India is offering incoming calls through Net telephony. Since this
is a one-way process, threats are not a major concern as of now."
Babu believes that on the day when incoming calls are allowed in India, the
security risks will grow correspondingly.