Well, this news is a little old, but I still wanted to post it. Jason Ostrom from Sipera has released his UCSniff tool. There has been a fair amount of press. It is an eavesdropping tool, which incorporates VLAN hopping and targeted MITM attack capability, allowing it to access calls in interesting parts of the network. We are writing about it in the "RTP Attacks" section of the SANS training we are developing. I will try to get one of my guys to post a review of it some time in the future. In the meantime, here are some links with more info:
Here is a link to a paper describing the details for an actual VoIP/SIP attack that occurred recently in Germany. As the paper describes, the attackers were probing VoIP systems, looking for insecure gateways that they could use to enable toll calls. As I have said before, toll fraud is one of the few incentives for attacking VoIP systems. While toll fraud isn't new, IMHO VoIP is making it a more significant problem.
In the security business, it is very uncommon for customers to publicly state that they are using specific security products. Here is a cool article from a part of the US Air Force that describes how they use one of our security products. The Air Force uses the term Voice Protection System (VPS), for our voice firewall. Check it out:
I have been working with SANS to upgrade their VoIP security course from 2 days to a full 6 days. I am currently working on a section covering traditional/application security issues. As I have commented before, while VoIP security gets a relatively high level of attention, traditional/application issues (social engineering, toll fraud, harassing calls, FAX spam, non-secure modems) are still very common and in some cases, more of an issue with VoIP. I thought I would discuss some of these issues in a series of posts over the coming weeks. Keep in mind that while enterprises should be addressing VoIP security vulnerabilities, the issues I am describing are currently still much more of an issue for the enterprise.
The first issue I will cover is social engineering. Many enterprises, especially financial, insurance, retail and healthcare organizations, are victims of these types of social engineering/identity theft attacks conducted over enterprise phone lines. For example, the attacker uses social engineering techniques to gain basic information about customer financial accounts. The attacker makes multiple calls to a financial call center pretending to be the consumer account holder, each time requesting a small piece of information about the account. When they gain enough information after a series of calls, they call back a final time to request a funds transfer from the victims’ accounts to one that they have direct access to. If they reach a more experienced agent who refuses the transfer, they simply call again to a different agent to request the transfer. This isn't a terribly sophisticated attack, but is surprisingly common. We have seen it in many of our customers’ call centers. It occurs despite the use of sophisticated call center performance monitoring hardware and software. This is true even though call recording is common in call centers.
This sort of attack is sometimes described as a phishing or “vishing” attack (where the “v” indicates that the attack is carried over voice rather than email). I generally think of vishing as an attack where the attacker sends an email or leaves a voice mail, with a 1-800 number to call back, where they attempt to trick the user into disclosing personal information. While users have generally learned not to click on Internet links in phishing emails, they tend to be fooled more often by vishing attacks.
For solutions, user education is always key. Also, these sorts of attacks follow a pattern – usually several short calls from a specific number, often in a small time period (although a more clever attacker would space the calls out and/or mask their number). This really isn’t an attack that PBXs and after-the-fact call accounting systems are designed to detect. SecureLogix's ETM System is designed to monitor for these sorts of patterns in real-time and is a very effective countermeasure for this type of attack.
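An added illustration of the call pattern described above (not SecureLogix's ETM logic and not from the original post): a sliding-window check over constructed call records that flags a caller number making several short calls to different agents in a short period. The record layout, function name and thresholds are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample call records: (start time, caller number, agent, duration in seconds).
CALLS = [
    ("2008-11-03 09:00:10", "555-0100", "agent1", 45),
    ("2008-11-03 09:04:30", "555-0100", "agent2", 50),
    ("2008-11-03 09:05:00", "555-0177", "agent3", 600),
    ("2008-11-03 09:09:15", "555-0100", "agent3", 40),
    ("2008-11-03 09:15:40", "555-0100", "agent4", 55),
    ("2008-11-03 09:20:00", "555-0188", "agent1", 30),
    ("2008-11-03 13:00:00", "555-0188", "agent2", 35),
]

def find_repeat_short_callers(calls, max_duration=90, window_minutes=30,
                              min_calls=3, min_agents=2):
    """Flag callers with >= min_calls short calls inside a sliding time window
    that reached >= min_agents different agents. Thresholds are assumed values."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)   # caller -> deque of (time, agent) for short calls
    alerts = {}
    parsed = sorted((datetime.strptime(t, "%Y-%m-%d %H:%M:%S"), c, a, d)
                    for t, c, a, d in calls)
    for when, caller, agent, duration in parsed:
        if duration > max_duration:
            continue              # long calls are not part of this pattern
        q = recent[caller]
        q.append((when, agent))
        while when - q[0][0] > window:
            q.popleft()           # drop calls that fell out of the window
        agents = {a for _, a in q}
        if len(q) >= min_calls and len(agents) >= min_agents:
            # keep the largest burst seen for each caller
            if caller not in alerts or len(q) > alerts[caller]["calls"]:
                alerts[caller] = {"calls": len(q), "agents": sorted(agents),
                                  "first": q[0][0], "last": when}
    return alerts

if __name__ == "__main__":
    for caller, info in find_repeat_short_callers(CALLS).items():
        print(caller, info["calls"], "short calls to", info["agents"],
              "between", info["first"], "and", info["last"])
```

The check is keyed on the caller number and a fixed window, so the two widely spaced calls from 555-0188 in the sample are not flagged, which is the same limitation the post notes for callers who space calls out or mask their number.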
Finally, here is a link to a recent related article:
I recently attended the Fall Voicecon tradeshow in San Francisco. There are two Voicecon shows a year, one in Fall and one in late winter. The fall show is the newer and smaller of the two, but still worth attending. Bear in mind that SecureLogix is as much a voice management company as a voice security company, so we generally spend more time attending voice-oriented shows than pure IT security shows. We may still attend or present at those, but corporately, we spend more time at shows like Voicecon and the major voice vendor user conferences.
When I attend a major show like Voicecon, I always try to get a sense for where the market is for VoIP security. This certainly isn’t a scientific assessment – more of a feel (I am not aware of any good source of VoIP security market/spending, at least in the enterprise). You have heard me say before that it has been a pretty slow year for VoIP security. In some ways this is a good thing, because we haven’t heard about any major, publicized, critical attacks. We have seen some toll fraud attacks, but that is about it.
My view after attending Voicecon doesn’t change this. It seemed to me that in general attendance was down and security wasn’t a big topic for the conference sessions/agenda. Voicecon normally has two VoIP security tutorials, but that was cut to one. There was a single session on VoIP security, and it was on the last day. I am not complaining, just pointing this out as an indicator. The Voicecon folks are pretty good at arranging the content to what their customers want and it is pretty clear that VoIP security just isn’t a big topic. I think this is a little dangerous, because there are vulnerabilities out there and lack of education is an issue, but we can’t ignore that enterprises in general, aren’t placing VoIP security as a high concern, and they certainly aren't spending a lot of money on this issue.
I also noticed that there seem to be fewer and fewer vendors at the shows who are selling pure VoIP security. There were a couple at Voicecon, but my read after talking to them is that the market is still very tough. Since VoIP is still mainly an internal service, the foundation of VoIP security is to apply good basic data networking practices and address application issues such as toll fraud. It is hard enough to get enterprises to do this, much less deploy specialized VoIP security appliances, inside the network. While this is a good best practice, enterprises just don't view it as a requirement yet. Enterprises generally don’t even use encryption, data firewalls, etc. yet, much less specialized VoIP security devices. I think enterprises will deploy VoIP security devices when they use public SIP trunks, but these are still very uncommon in large enterprises.
Selling pure VoIP security to enterprises is still a very tough business. The companies in that business are doing the right things – they are highlighting vulnerabilities on systems (you could argue they could work more closely with vendors) and publishing tools that highlight issues, but for better or worse, hackers aren’t using these to attack systems. Now I am sure hacks are occurring, some of which are not being disclosed or noticed, but they certainly are not commonplace. I just don’t see enterprises increasing VoIP security spending until they perceive it to be a real issue. This will be especially true if the economy worsens.
I will wrap up by saying that this issue hasn't affected SecureLogix yet - we continue to sell application level voice security, which is pretty much the same for legacy and VoIP deployments. We will certainly participate in the SIP trunk security market when that evolves, but are currently content until that market matures :)