VoIP wiretapping widespread, warns Scanit

Technology Uncategorized

Security specialist Scanit says web phone installations in corporate environments have little or no protection against VoIP wiretapping…

“Throughout the Middle East, the installations we have seen have not had strong security controls in place,” Scanit engineer Sheran Gunasekera explains.

“Primarily, the reason for this has been the fact that the system integrator or implementer had not paid much attention to the security of the entire setup.”

It is possible, Scanit (www.scanit.net) says, for an internal employee of the organisation, to intercept voice conversations and re-route calls outside of the firm’s network.

According to Sheran, a high percentage of installations he has audited had no encryption on the voice stream.

There can be several reasons that a corporation or service provider will run an unsecured implementation, he explains.

“The most common reason in large companies is because no-one understood how to secure the system.  Staff lacked adequate skills and understanding of the security aspects of the implementation itself.  They relied on the vendor or system integrator to set the whole system up.”

In turn, the vendor’s focus was on functionality of the system rather than security, Sheran says, and so a working system with no security was deployed.

So, how does a hacker find and exploit unprotected web calls?

“When a user first starts up his VoIP, it looks for a SIP Registrar – comparable to a traditional telephone exchange – to register and identify itself on the internet, by way of an IP Address, and to show the user is now contactable,” Sheran explains.

“If a SIP Registrar is set up with no consideration given to security, it is possible for a malicious user to imitate a legitimate registration request. The Registrar itself will assume that this is a legitimate registration request because all the fields will be filled out correctly. The only difference is the fact that the destination IP address has changed."

It is comparable to changing your mailing address when your name and other details stay the same, he says.

"If no steps are taken to verify the new address provided, then your mail will be delivered to this new address, which could be owned by someone else.”

There are several safeguards to prevent this, like using encryption and strong authentication for requests with the SIP Registrar.

The owner of the VoIP deployment (normally the corporation or service provider) will run one or many SIP registrars and it is the sole responsibility of the party that owns the VoIP implementation to ensure that it is secure, Sheran says.

“If it is a corporation, then the corporate IT security teams will have to ensure this. Security becomes a more serious issue when VoIP service providers are involved.  This is because the service is sold to end-users.  There is a greater potential for abuse due to the varied user-base that the VoIP implementation is exposed to.”

In order to intercept Real-time Transport Protocol streams (or RTP, a standardised packet format for delivering audio over the web), a hacker needs to be physically connected to the network where other users make and receive VoIP calls. 

RTP streams are usually encoded with a specific codec.  Popular tools like WireShark are able to detect when an RTP stream is traversing a network.

Sometimes if the Voice traffic is not segregated from the data, it is sufficient to run a 'sniffer' like WireShark in order to capture the RTP streams. A program called Cain & Abel even allows direct saving to a .WAV file for playback.

An attacker can capture any sound that travels over a VoIP conversation. 

This may be an entered PIN, confidential information relating to either financial or personal matters can be captured and listened to.  Information such as confidential financial transactions with regard to mergers or acquisitions or personal information that can be used to blackmail people is also included.

According to Sheran, the threat of your VoIP calls being intercepted is made higher still by the low skills levels required to tap into such conversations.

“With the availability of these tools, you do not need to be very highly skilled.  You just need to have a basic understanding of how VoIP works and a little bit of network knowledge,” he says.

Some commercial VoIP services have taken commendable steps to ensure the privacy of their users’ calls, Sheran says.

“Skype, for example, uses proprietary protocols for both signalling and for voice streams.  It is significantly harder to sniff Skype traffic due to the encryption used in the protocol.”

An example of an unprotected line Scanit engineers uncovered was while they were performing an internal audit for a large Middle-Eastern bank.

“Their VoIP implementation used Virtual LANs to segregate specific voice streams for different departments.  By connecting to a completely different VLAN reserved for consultants of the bank (with no access to other critical infrastructure servers) we were able to hop onto different VLANs and capture traffic from the senior management VLAN.  We captured a significant amount of voice streams from the CEO’s office,” Sheran says.

The security outfit puts the number of unsecured VoIP calls that could be exploited by hackers at 70 per cent.

“Within the region we work in, I can say that we are looking at high percentage figures of insecure VoIP calls,” Sheran says.

“Nearly three quarters of the corporate deployments we have audited have been exploitable from the inside.”

Security experts around the world are rising to the challenge that unsecured VoIP networks pose.

Phil Zimmermann – the legendary author of PGP, a program that offers the common email user military-spec encryption – told the Defcon hacker convention in the US this summer "point-and-click wiretapping" is being used "by organised criminals on the other side of the world".

His response was to release Zfone, his own privately-developed software, which scrambles VoIP conversations from end-to-end.

Taking matters into his own hands was a necessary step to protect his own VoIP conversations against eavesdropping. But not everyone supports such proactive measures.

The Bush administration this year used a 1994 surveillance law to demand ISPs provide backdoors for government wiretapping of VoIP calls, citing terrorist and drug criminal usage.

"Encrypting VoIP is now more important than ever because computer networks are not nearly as safe as the public switched telephone network," Zimmermann says.

However, even if the software you use to make VoIP calls offers a high level of encryption, the hardware connecting your system to the web may already have opened them up to eavesdropping.

The FBI drafted legislation in July to force makers of networking gear to build in backdoors allowing them access to all data going in and out.

Sooner or later, and despite the best efforts of security companies to protect VoIP users from hackers, such a loophole will also leave the door open to hackers.

Concerns are being expressed from all sides…

The Federal Deposit Insurance Corporation (FDIC) warned earlier his year: "If improperly implemented, VoIP can pose significant risks to financial institutions.

"Therefore, management should perform a comprehensive risk assessment before implementation to ensure the confidentiality, integrity and availability of voice communication using VoIP technology."

Among FDIC's recommendations is a caution against using ‘soft phones’; that is VoIP via desktop computer, using headphones and calling software, and pushing home the need for VoIP-ready firewalls.

As VoIP deployments are gaining steam in enterprises of all sizes, tech analysts IDC estimate that revenue for network and premises-based VoIP services will grow from $2.9 billion to $6.9 billion over the next five years.

The electronic gold rush associated with VoIP means "companies eager to tap into its ROI without fully considering the security risks stemming from weaknesses in VoIP applications, operating systems, and structure and supporting services spells a huge opportunity for hackers," says David Endler, director of security research at 3Com.

Cisco Systems has sold millions of VoIP phones, and research firm Gartner predicts that in four years, 30 per cent of US homes will use only VoIP or cellular phones.

It is unsurprising that security is left playing catch-up.

"The problem lies in the session-initiation protocol, the leading signalling protocol for VoIP," Chris Rouland of ISS security explains.

"SIP is similar to HTTP and SMTP; it's lightweight and easy to use. It's basically taking the world by storm, and it's inherently no more secure than existing protocols that have been completely taken over."

The sooner businesses can protect themselves and their customers from the threat of having their VoIP calls intercepted the better, because, as Gregory Lebovitz, technical director and solutions architect at Juniper Networks points out, there's nothing stopping them from running riot at the moment.

"No anti-intrusion or firewall currently supports all VoIP protocols and technologies," said Lebovitz, "and if they claim to, they're lying."

For a more detailed look at Scanit’s research on this topic, read its White Paper: VoIP Security – Does it exist?