Collaboration Security, Mark Collier, robocalls, SecureLogix, TDoS, Telephony Denial of Service
Harassing calls, UC Security, Unified Communications Security, Voice Over IP Security, Voice Security, VoIP Security
SecureLogix just released our 2013 Voice and Unified Communications State of Security Report, which Rod Wallace and I authored. The report covers the most significant voice and UC threats. It describes the threats and why they have recently become, and continue to become, more severe. The report is also unique in that it presents real-world data collected from several hundred assessments and managed service engagements, using our technology, on enterprise voice and UC networks. We present trending data and sanitized attack examples for each threat.
Here is a link to the report. Please give it a read and let me know what you think:
As I have reported, the FTC has a challenge and $50,000 award for whoever can come up with the best solution to the issue of robocalls. Here is a link to an article that gives a good summary of the challenge so far. Basically, they have gotten a lot of ideas, but no real solutions. It is a very tough problem. Solutions could be built and would be somewhat effective, but the major smartphone vendors have made it increasingly difficult to control calls on their devices, it would be difficult to put any sort of countermeasure on everyone's home phone, and the service providers neither can nor want to solve this problem.
Here is a link to a petition to the FCC, from a big-time spammer, to request that service providers do not block political voice SPAM and texts. This is laughable. Enterprises, businesses, and consumers absolutely need the ability to block this crap.
The FTC held a recent summit conference and has created a challenge to the industry to identify solutions to unwanted robocalls. We have all received these unwanted voice SPAM, voice phishing/vishing, and other types of harassing calls on our mobile phones, home phones, and enterprise desk phones. I included links to several videos on the FTC web site that describe the issue, steps the FTC is taking, along with a discussion of the challenge to industry:
Check out our webinar on threats to contact centers. Telephony Denial of Service (TDoS), social engineering and fraud, harassing calls, voice SPAM, voice phishing (vishing), and traffic/call pumping are all discussed:
While VoIP and UC specific attacks get a lot of media attention and indeed present quite a few vulnerabilities, the real threat lies with voice-application attacks. The means of attack is not an IP scan, malformed packet, or flood of packets; rather, it is malicious calls exchanged between the Public Voice Network and the enterprise. As I have said before, the Public Voice Network has become much more hostile and it is so much easier for attackers to originate inbound malicious call attacks. Also, attacks such as toll fraud, which involve outbound calls, continue to be an issue and are getting worse.
Some of the types of malicious calls and their impact on the network include:
Harassing calls - calls that harass or threaten users, attempt to sell products/services, and trick users into calling a number to gather personal information.
Call pumping - artificially drive traffic into 1-800 contact centers to share revenue.
Social engineering/fraud - calls that attempt to trick agents into performing illicit financial transactions.
Telephony Denial of Service (TDoS) - so many calls that the target site is overwhelmed and can't process legitimate calls.
Toll fraud - cause the enterprise financial loss through long distance abuse and toll fraud.
Modem access - either to a key computing resource or outbound to an ISP, creating a backdoor into the enterprise data network.
Some of these issues affect all parts of the enterprise. Certain issues either only affect contact centers or are certainly more acute in contact centers. TDoS is an example of an attack that can affect any part of the enterprise, but is more acute in contact centers because of the value of calls and the ease with which an attacker can set up an attack (all they need is a 1-800 number).
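One way a defender could look for the TDoS condition described above in call detail records, as an added example that is not from the report or from SecureLogix tooling: it computes peak concurrent calls per dialed number and flags numbers that reach trunk capacity. The CDR layout, the phone numbers, the 16-channel capacity, and the 30-second "short call" triage threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed CDRs: (start_s, duration_s, caller_id, dialed_number).
# All numbers are fictitious. Ordinary calls plus a burst of 40 short
# calls, one per second, against the contact-center number.
CONTACT_CENTER = "18005550100"
DESK_LINE = "12145550123"
CDRS = [(t, 150, "1469555010%d" % i, CONTACT_CENTER) for i, t in enumerate((0, 200, 400))]
CDRS += [(t, 600, "14695550110", DESK_LINE) for t in (0, 700)]
CDRS += [(1000 + i, 20, "1972555%04d" % (100 + i), CONTACT_CENTER) for i in range(40)]

def peak_concurrency(cdrs):
    """Return {dialed_number: (peak_concurrent_calls, time_of_peak)} via a sweep line."""
    events = defaultdict(list)
    for start, dur, _caller, dialed in cdrs:
        events[dialed].append((start, 1))
        events[dialed].append((start + dur, -1))
    peaks = {}
    for dialed, evs in events.items():
        evs.sort()  # at equal timestamps -1 sorts first: a hangup frees the channel
        cur = peak = 0
        when = None
        for t, delta in evs:
            cur += delta
            if cur > peak:
                peak, when = cur, t
        peaks[dialed] = (peak, when)
    return peaks

def flag_saturation(cdrs, trunk_capacity, short_call_s=30):
    """Flag dialed numbers whose peak concurrency reaches trunk capacity.

    For each flagged number, report triage context for the calls active at the
    peak: share of short calls and number of distinct caller IDs (heuristics).
    """
    by_number = defaultdict(list)
    for cdr in cdrs:
        by_number[cdr[3]].append(cdr)
    findings = {}
    for dialed, (peak, when) in peak_concurrency(cdrs).items():
        if peak < trunk_capacity:
            continue  # legitimate callers still had free channels
        active = [c for c in by_number[dialed] if c[0] <= when < c[0] + c[1]]
        short = sum(1 for c in active if c[1] <= short_call_s)
        findings[dialed] = {"peak": peak, "at": when,
                            "short_share": short / len(active),
                            "distinct_callers": len({c[2] for c in active})}
    return findings
```

A saturated number is only a starting point for triage: a legitimate surge in demand produces the same peak, which is why the short-call share and caller-ID spread are reported alongside it.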
Hosted IP is a VoIP deployment where the service provider hosts the IP PBX and other voice application servers. The enterprise simply deploys IP phones and softphones. This deployment offers the classic advantages and disadvantages over an enterprise-deployed IP PBX. However, unlike classic Centrex, Hosted IP can be delivered, expanded, and reduced much more quickly and cost effectively.
From a security point of view, Hosted IP offers some advantages because the enterprise does not need to worry about securing the complex IP PBX, its devices, services, and supporting applications, which requires effort and expertise. However, the enterprise should still be concerned about threats such as eavesdropping and possibly malware delivered to softphones from the service provider. Also, the enterprise will now have many connections open to the service provider, which they will need to secure, especially if the Internet is used to deliver the Hosted IP service.
More importantly, the enterprise is just as vulnerable to voice application attacks, such as toll fraud, social engineering, harassing calls, voice SPAM, voice phishing, and TDoS, but now depends upon the service provider to address these threats. I included a figure below to illustrate this:
Here is an article about a proposed bill that may add tougher penalties for caller ID spoofing. Maybe this will help, but as I have said before, laws and penalties only affect legitimate businesses. Good luck stopping a hacker generating lots of voice SPAM or voice phishing/vishing calls.
Here is another article talking about how automatically generated (robodialing, robocalls) marketing and SPAM calls are on the rise. As I have pointed out before, I am getting more and more of these on my enterprise phone and iPhone.
The article talks about the "do not call list" and questions whether or not it is effective. In general, I would say that this list is effective in preventing legitimate companies from making SPAM calls. However, just like email SPAM, it does nothing to stop illegitimate, fraud, voice phishing, SPAM calls from individuals or groups that don't care about the "do not call list".
The "do not call list" is not a solution to this issue, especially the problem of automatically generated calls, an issue that will only get worse. You are just flat out going to see more scams and they are going to be calling you more often. Period. It is going to get to be just like email SPAM.
As I have said before, it is not about enterprises and consumers using VoIP or it being a security issue - it's about the attackers having SIP and VoIP, and the ability to cheaply, easily, and automatically generate lots of calls.