Wednesday, May 14, 2008

Net Telephony Vulnerable to Hacking

The popularity of net telephony or Voice Over Internet Protocol (VoIP) communication has allowed many people to break free of land-line or cellular phone service. However, a series of security issues are forcing companies to take steps to protect the identities and privacy of customers:

A new type of identity fraud, which sees hackers tapping into voice-over IP telephony accounts, has been highlighted by a VoIP equipment maker.

Usernames and passwords from voice-over IP (VoIP) phone accounts are selling online for more than stolen credit cards, Newport Networks has found.

The information allows someone to use the telephone service for free.

Net telephony fraud is still in its infancy, with eavesdropping on calls being the most common security flaw.

But the move into stealing usernames and passwords which are routinely sent across the network when a call is made, is a worrying new trend thinks Dave Gladwin, vice president of products at Newport Networks.

"It is still at an embryonic stage but as voice adoption increases it becomes more of a problem and needs addressing," said Mr Gladwin.

The details are not sent as plain text but are encoded in such a way as to be "easily captured and unobscured", said Mr Gladwin.

Security issues are nothing new in the VoIP world. As far back as 2002, companies were being told of vulnerabilities:

But some security organizations are cautioning users about the dangers of unsecured VOIP services. For instance, in an August 2001 paper on its Web site, the Bethesda, Md.-based SANS Institute warned of privacy- and authentication-related issues stemming from VOIP services and urged users to apply the same precautions they've used to protect their data services.

"With the convergence of the voice and data worlds, the real similarities of the security concerns will become apparent," the SANS report said, urging users to take measures such as encrypting voice services, building redundancy into their VOIP networks, locking down their VOIP servers and performing regular security audits.

The security issues involved range from lack on encryption to network vulnerabilities:

Shawn Merdinger, an independent security consultant based in Austin, Texas, has worked with Cisco Systems Inc. He's tested around a dozen WiFi VOIP handsets and deskphones and says that security problems range from potential denial-of-service attacks to more serious issues that allow "deep access" to the device that lets a remote attacker read sensitive information on the phone.

You can see his postings on many of the devices tested, along with some workarounds here. In the wake of Merdinger's findings, Cisco Systems Inc. have issued firmware upgrades for the devices in question.

Such threats are inevitable. So it's up to vendors to forestall them, according to analyst Paul Stamp, of Forrester Research Inc.


Here's a Top 5 list of enterprise WiFi VOIP security issues, and some ways to guard against them:

Widespread deployment equals a security headache: Because of the "ubiquity of deployment" in many enterprises, attacks can spread quickly and be targeted to take down multiple devices at once. IT managers should stay up to the minute with phone upgrades, and consider running phones over a separate physical or virtual LAN as a defense against these attacks.

Many points of attack: As the phones get more sophisicated, so could the points of entry for malicious attacks increase. Bluetooth, email, client Web browsers, SMS, WiFi, media players, and image viewers could open back doors for hackers. Though users can use open-source and commercial tools to continually test their phones and networks, they'll ultimately have to rely on vendors to do proactive testing on these devices.

Targeting phones in public environments: For example, a Bluetooth scanner could be hidden at the entrance to a major airport or train station and be used to grab user data. It may be best to keep Bluetooth and other wireless features swicthed off when not needed.

Rogue again: Meanwhile, at the office and on the road, users and IT departments will have to keep their guard up and scan for rogue access points. Hackers will set up access points to specifically target WiFi phones in the corporate space as well as at hotels, conferences, and other places business people like to congregate. Good device authentication and encryption can help provide protection here.

Targeted attacks: Targeted attacks on specific voice-over-wireless networks could also be an issue, albeit one that the victims may try to downplay. "There will be targeted attacks on VoIP networks [from hackers or competitors] that will be kept quiet if there is no legal requirement for disclosure or obvious public knowledge," Merdinger says.

The BBC story cited above highlights a common problem facing the net telephony industry--a lack of security:

"90% of carriers don't offer a secure VoIP service," said Mr Gladwin.

He estimated it would cost around [est. $4-6] £2/£3 per subscriber for service providers to instigate the additional level of security needed.

"Most of the software out there has the capability of running in secure mode if the service providers would accept it," he said.

Due to the fact that "hacking" a VoIP phone or network requires some sophistication, there is some comfort in the fact that the overall number of subscribers have relatively little to fear because of the fact that net telephony is relatively uncommon. Some companies have already initiated security upgrades and fixes:

VoIP provider Skpe said its service, unlike some of its rivals, offered end to end encryption.

"It doesn't matter whether I'm on an open wireless connection, there is no way someone could get hold of my username or password," said Jonathan Christensen, general manager of audio and video at Skype.

He accepts there are security issues facing the industry, especially for providers that use "less robust security mechanisms" but he questions how big a draw a free VoIP account would be for net criminals.

This is a view shared by Jupiter analyst Ian Fogg.

"I have not seen security issues with VoIP as a big issue. This is partly because such services aren't that mainstream and therefore have not been targeted by criminals in the way that e-mail and online banking services have," he said.

Some companies have already begun investing heavily in security

Georgia Tech Information Security Center is collaborating with BellSouth and Internet Security Systems for a two-year program to study security issues with VoIP technology. The group said it planned to explore issues such as voice spam, modelling of VoIP traffice, mobile phone security, security of VoIP applications running on user agents, as well as a security analysis of VoIP protocols and implementations.

BellSouth and Internet Security Systems each committed $300,000 for the research program, and will have access to the resulting intellectual property.

“As communication services migrate to Internet-based platforms, it is important that the security and dependability users expect in the current public switched networks be maintained with these new converged technologies,” the group said in a statement.

No comments: