SecureLogix just released our 2013 Voice and Unified Communications State of Security Report. Rod Wallace and I authored the report. The report covers the most significant voice and UC threats, describes each threat, and explains why they have recently become, and continue to become, more severe. The report is also unique in that it presents real-world data collected from several hundred assessments and managed service engagements, using our technology, on enterprise voice and UC networks. We present trending data and sanitized attack examples for each threat.
Here is a link to the report. Please give it a read and let me know what you think:
We are starting another year and it is time again for all those “year in review” and “predictions” posts and articles. I made some predictions for 2007, but they were so damn bad that I decided to take a year off. This year, though, I think I will give it another try. First I am going to summarize VoIP/voice security news for the year of 2008. I will write a “2009 predictions” post shortly. This is just a quick summary; for a more exhaustive review of the year, I would recommend you read through this blog and/or great sources like the BlueBoxPodcast and the VoIPSA Blog.
As I stated at the New York Interop conference in October, I think it has been a pretty boring year for VoIP security. Now I am not saying that VoIP or voice security is boring, just that there wasn’t a lot of interesting change or news in 2008. There were very few publicized VoIP attacks, the rate of vulnerability disclosure didn’t increase dramatically (aside from VoIPShield’s disclosures), there were some new testing/attack tools released, and vendors are slowly improving their system security, but enterprises still aren’t dramatically improving the security of their VoIP systems and/or using some of the features that the vendors make available. I saw no signs that spending for pure VoIP security is up. I do think spending for application (legacy/VoIP) security was up slightly (which makes sense, since this is where the attacks are). Finally, the general VoIP “chatter” on blogs, at conferences, etc. was down.
There were a few publicized attacks in 2008, but I don’t believe any were really debilitating to the affected enterprise. I am sure some attacks did occur and were just not detected, or perhaps were detected and not disclosed by the enterprise. Of the attacks that were publicized, most of them involved good old-fashioned toll fraud. Some of the affected enterprises had VoIP, some had circuit-switched networks. To my knowledge, all had circuit-switched access to the public network. Toll fraud is one of those attacks that doesn’t go away with VoIP. It is also one of the few types of attacks that is worth perpetrating, because there is a potential financial gain. One of the reasons why VoIP-specific attacks are still uncommon is that there still isn’t a lot of incentive to attack the systems. Certainly a disgruntled insider/competitor could disrupt operations with a Denial of Service (DoS) attack, listen in on and distribute key phone calls, or steal voice mail messages, but there isn’t a lot of financial incentive here. Toll fraud does involve a financial incentive and is, in my opinion, the biggest threat to voice and VoIP networks. DoS, in its many forms, is the greatest vulnerability, but fortunately, attackers aren’t exploiting this vulnerability.
We performed several VoIP security assessments in 2008 and detected only one attack (although it was significant: it involved a toll fraud attack of $250,000, which was in fact pretty debilitating to this particular small enterprise). We are working with two potential NEW customers, each of which had toll fraud attacks, one to the tune of $250,000 and the other $60,000. We also did many application security assessments, where we instrument the trunks to the public network, and we continued to find all sorts of issues/attacks, including toll fraud, social engineering, harassing calls, and unauthorized outbound modem calls. VoIP security, even in a slow year like 2008, gets a lot of press, and the systems do have a lot of vulnerabilities. Enterprises should apply good basic data networking security to their internal/campus systems, but they would be better served addressing the issues above before they “waste” money deploying firewalls, IPSs, and specialized VoIP security devices inside the network.
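The trunk-level issues listed above (toll fraud in particular) are usually visible in call detail records long before the bill arrives. The following is an added example, not SecureLogix code or the instrumentation described in the post; the CDR tuple layout, the "011" international prefix, the high-risk destination prefixes and the thresholds are all assumptions chosen for illustration.

```python
"""Review outbound call detail records (CDRs) for common toll-fraud indicators.

Added example. The CDR format (start time, source extension, dialed digits,
duration in seconds), the prefixes and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample CDRs for one day; extension 4200 shows a classic
# after-hours burst to expensive international destinations.
SAMPLE_CDRS = [
    ("2008-06-10 10:15:00", "4101", "2105551234", 180),
    ("2008-06-10 02:05:00", "4200", "011872123456789", 1200),
    ("2008-06-10 02:21:00", "4200", "011872123456790", 1300),
    ("2008-06-10 02:44:00", "4200", "011872123456791", 1500),
    ("2008-06-10 02:59:00", "4200", "01153212345678", 900),
    ("2008-06-10 14:30:00", "4102", "01144207946000", 300),
]

# Assumed: destinations the enterprise has no business reason to call.
HIGH_RISK_PREFIXES = ("011872", "011881", "011882")


def is_international(dialed):
    return dialed.startswith("011")  # assumed North American dialing plan


def after_hours(start):
    hour = datetime.strptime(start, "%Y-%m-%d %H:%M:%S").hour
    return hour < 7 or hour >= 19


def find_fraud_indicators(cdrs, burst_threshold=3, minutes_threshold=60):
    """Return {extension: sorted list of reasons} for suspicious extensions."""
    findings = defaultdict(set)
    after_hours_intl = defaultdict(int)
    intl_seconds = defaultdict(int)
    for start, ext, dialed, seconds in cdrs:
        if dialed.startswith(HIGH_RISK_PREFIXES):
            findings[ext].add("high-risk destination")
        if is_international(dialed):
            intl_seconds[ext] += seconds
            if after_hours(start):
                after_hours_intl[ext] += 1
    for ext, count in after_hours_intl.items():
        if count >= burst_threshold:
            findings[ext].add("burst of after-hours international calls")
    for ext, seconds in intl_seconds.items():
        if seconds >= minutes_threshold * 60:
            findings[ext].add("excessive international minutes")
    return {ext: sorted(reasons) for ext, reasons in findings.items()}
```

Running this over a real CDR export with thresholds tuned to the site's normal traffic gives a daily list of extensions worth blocking or investigating.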
I included a few links to some actual attacks. Again, most of them are toll fraud (if anyone has a link to an attack article, please let me know):
In 2008, I did not see any increase in VoIP SPAM or SPAM over Internet Telephony (SPIT).
There were quite a few new vulnerabilities identified in 2008, but not significantly more than in previous years. The major vendors, Cisco, Nortel, and Avaya, all disclosed quite a few vulnerabilities. Avaya generated the most, but many of these are for underlying operating systems or support software. VoIPShield also announced quite a few vulnerabilities for the three vendors above, along with Microsoft. VoIPShield’s initial disclosures generated a lot of complaints, both from the equipment vendors and from VoIP security experts, who pointed out that VoIPShield was exaggerating the number of discrete vulnerabilities. VoIPShield’s more recent disclosures are cleaner, and they report that they are working more closely with the vendors. Most of the disclosures lacked enough information to understand the details of the vulnerability and, as far as I know, no exploits have been provided. While I am sure the equipment vendors aren’t crazy about VoIPShield’s disclosures, I suspect that they have improved the security of the relevant systems.
I included links to the vendors’ advisory pages, along with a link to VoIPShield’s disclosure summary page:
2008 saw the release of a number of new VoIP testing/attack tools, because as we all know, we just don’t have enough VoIP testing/attack tools :). Actually, some of the tools released this year did introduce some new capabilities. Some of the most interesting are (PS, my apologies to any authors of other cool tools that I messed up and omitted):
Call Monitor - http://www.securelogix.com/voipscanner/index.htm - We consolidated all of the tools we developed for the Hacking Exposed: VoIP book, provided upgrades for several tools, and included a number of entirely new tools. Perhaps the most interesting is the Call Monitor, which allows you to see, tear down, and time the manipulation of audio for VoIP calls.
ucsniff - http://ucsniff.sourceforge.net/ - This tool combines the capabilities of several existing tools and allows targeted eavesdropping on calls “anywhere” in the network. We have played with it; it’s cool.
In 2008, I think the state of enterprise VoIP security improved, but not significantly. Most of this is simply because the major vendors continue to get better at securing their default configurations (but more work needs to be done). However, because the focus is on getting VoIP to work properly, many available security features, such as encryption, are just not being used. I think enterprises have been somewhat lucky, but as long as VoIP is mainly an internal/campus application, with limited incentive to attack it, the relatively weak security won’t be exploited and just won’t change. Also, I don’t think enterprises are doing enough to address the application issues that I described above, which again don’t go away with VoIP.
In 2008, enterprises continued to investigate using SIP for communication to the public voice network. However, very few are using it yet in operational networks. Note that I am not talking about using SIP or some other VoIP protocol for tie trunk replacement/toll bypass. When enterprises start to use SIP trunks, there is a possibility that they will see attacks, but when you consider most of these trunks are dedicated circuits and that the service provider will have Session Border Controllers (SBCs) on their side of the network, I don’t think we will see a lot of attacks. I definitely think enterprises should deploy SIP application firewalls/IPSs on these circuits, but I don’t think these devices will see a lot of attacks (which means enterprises shouldn’t pay an arm and a leg to secure something that is supposed to save them money in the first place).
In 2008, we started to see more scanning to identify enterprises that are using SIP over the Internet. There has been a lot of good discussion on VoIPSA’s security list, VoIPSec. As described in one of the articles I provided earlier, the scanning is “probably” designed to look for ways to perpetrate toll fraud (but this is a guess). I have talked to several of the service providers offering these “Internet-based” SIP trunking services, and there isn’t a lot of security being used. No TLS, no SRTP, just a nice port 5060 open on the firewall. I am not aware of widespread attacks against these services, but it may occur this year. This should develop into a good market for the SIP security vendors, but a small company, using all VoIP and SIP, probably won’t be willing to pay a zillion dollars just to secure SIP, which again, is supposed to save money.
In 2008, I don’t believe VoIP security spending increased much at all, despite there being more VoIP deployed. I suspect many enterprises will slow their VoIP/UC deployments and are going to be even more reluctant to spend money on pure VoIP security.
Finally, in 2008 I sensed/witnessed a decrease in general VoIP security discussion, blogging, sessions at conferences, attendance in sessions, book writing, etc. Maybe all of us in the VoIP security business got real jobs :), or more likely there just wasn't enough to talk about.
I will be generating my “2009 predictions” post shortly…
VoIPShield recently released an extensive list of VoIP vulnerabilities on their Vulnerabilities Research page. It's a fairly long list. The vulnerabilities are not described in a lot of detail, no exploits are given, nor are any detailed countermeasures described. Some of the vulnerabilities have been addressed by vendors, while others are pending. I will try to review this in more detail in the future. In the meantime, Dan York did a nice review that you can read at:
Here are a couple of very similar presentations by the folks at esentire on some relatively minor vulnerabilities with Nortel's Unistim protocol and some of the IP phones that implement it. It's good to see some research into issues with proprietary (but common) protocols.
Cisco disclosed that the Cisco Unified Communications Manager (CUCM), formerly CallManager, contains a heap overflow vulnerability in the Certificate Trust List (CTL) Provider service that could allow a remote, unauthenticated user to cause a denial of service (DoS) condition or execute arbitrary code. Here is a link to the vulnerability:
Here is an article summarizing vulnerabilities with the Snom 320 SIP phone. A lot of the vulnerabilities have already been disclosed, but this article summarizes them. Note that when we wrote the Hacking Exposed: VoIP book, we also discovered that you could enable a packet capture on the Snom 190 SIP phone and then save/download the resulting packet capture file. I don't know if you can do this on a Snom 320 SIP phone.