How to Detect and Guard against VoIP Security Vulnerabilities

By Kevin Beaver

As with any technology or set of network protocols, hackers are always going to figure out how to break in. VoIP is certainly no different. In fact, given what’s at stake, there’s certainly a lot to lose.

VoIP-related systems are no more secure than other common computer systems. VoIP systems have their own operating system, they have IP addresses, and they’re accessible on the network. Compounding the issue, many VoIP systems house more intelligence, which makes VoIP networks even more hackable.

On one hand, VoIP systems have vulnerabilities, including:

  • Default settings

  • Missing patches

  • Weak passwords

On the other hand, two major security weaknesses are tied specifically to VoIP. The first is that of phone service disruption. Yep, VoIP is susceptible to denial of service just like any other system or application. VoIP is as vulnerable as the most timing-sensitive applications out there.

The other big weakness with VoIP is that voice conversations are not encrypted and thus can be intercepted and recorded.

The VLAN barrier can be overcome in Cisco and Avaya environments by using a tool called VoIP Hopper.

Unlike typical computer security vulnerabilities, these issues with VoIP aren’t easily fixed with simple software patches. These vulnerabilities are embedded into the Session Initiation Protocol (SIP) and Real-time Transport Protocol (RTP) that VoIP uses for its communications.
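To check your own signalling for this weakness, the added example below (not part of the original article) parses a SIP message and its SDP body and reports when signalling is not carried over TLS or when a media stream is offered as plain RTP instead of SRTP. The function name, addresses, and sample messages are constructed for illustration.

```python
import re

# Constructed sample: a SIP INVITE whose SDP body offers plain RTP (not from the article).
SAMPLE_PLAIN = (
    "INVITE sip:bob@example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.test>;tag=1\r\n"
    "To: <sip:bob@example.test>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
# Constructed variant: TLS signalling and an SRTP offer with a placeholder key.
SAMPLE_SRTP = SAMPLE_PLAIN.replace("SIP/2.0/UDP", "SIP/2.0/TLS").replace(
    "RTP/AVP 0 8",
    "RTP/SAVP 0 8\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDPLACEHOLDER")

def audit_sip_message(raw):
    """Return findings about unprotected signalling and media in one SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    if via and via.group(1).upper() not in ("TLS", "WSS"):
        findings.append("signalling sent over %s, not TLS" % via.group(1).upper())
    session_keyed, streams = False, []
    for line in body.splitlines():
        keying = line.startswith(("a=crypto:", "a=fingerprint:"))
        if line.startswith("m="):
            kind, port, proto = line[2:].split()[:3]
            streams.append({"kind": kind, "port": port, "proto": proto, "keyed": False})
        elif keying and streams:
            streams[-1]["keyed"] = True   # media-level SDES or DTLS keying
        elif keying:
            session_keyed = True          # session-level a=fingerprint (DTLS-SRTP)
    for s in streams:
        if "SAVP" not in s["proto"]:      # RTP/AVP and RTP/AVPF are unencrypted profiles
            findings.append("%s stream on port %s uses %s (unencrypted RTP)"
                            % (s["kind"], s["port"], s["proto"]))
        elif not (s["keyed"] or session_keyed):
            findings.append("%s stream on port %s offers %s without keying attributes"
                            % (s["kind"], s["port"], s["proto"]))
    return findings
```

The Via check only describes the hop that added the header, so run the audit on messages captured at each segment you care about.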

Refer to www.packetizer.com/ipmc/h323_vs_sip for additional details on H.323 versus SIP.

Scanning for vulnerabilities

Outside the basic network, OS, and web application vulnerabilities, you can uncover other VoIP issues if you use the right tools. A neat Windows-based tool that’s dedicated to finding vulnerabilities in VoIP networks is SiVuS. SiVuS allows you to perform the basic ethical hacking steps of scanning, enumerating, and rooting out vulnerabilities. You can start by downloading and running the SiVuS installation executable.

After SiVuS is installed, load the program and you’re ready to get started.

You can use Component Discovery to search for one or two specific VoIP hosts, or you can scan your entire network.

After you find a few hosts, you can use SiVuS to dig deeper and root out DoS, buffer overflow, weak authentication, and other vulnerabilities related to VoIP. Use the following steps:

  1. Click the SIP Scanner tab and then click the Scanner Configuration tab.

  2. In the Target(s) field in the upper-left corner, enter the system(s) you want to scan, and leave all other options at their defaults.

    At this point, you can save the current configuration by clicking Save Configuration in the lower-right corner of the window. This action creates a template you can use for your other hosts so that you don’t have to change your settings each time.

  3. Click the Scanner Control Panel tab and either leave the default configuration or select your custom configuration in the Current Configuration drop-down list.

  4. Click the green Scan button to start your scan.

  5. When SiVuS finishes its tests, you hear a busy signal signifying that testing is complete.

Remember, odds are good that the bad guys both inside and outside your network can see these vulnerabilities just as easily as you can.

You can also use SiVuS to generate SIP messages, which come in handy if you want to test any built-in VoIP authentication mechanisms on your VoIP hosts. SiVuS’s documentation outlines the specifics.

Other free tools for analyzing SIP traffic are PROTOS and sipsak.

Capture and record voice traffic

If you have access to the wired or wireless network, you can capture VoIP conversations easily. This is a great way to prove that the network and the VoIP installation are vulnerable. There are many legal issues associated with tapping into phone conversations, so make sure you have permission.

You can use Cain & Abel to tap into VoIP conversations. Using Cain’s ARP poison routing feature, you can plug in to the network and have it capture VoIP traffic:

  1. Load Cain & Abel and then click the Sniffer tab to enter the network analyzer mode.

  2. Click the Start/Stop APR icon.

  3. Click the blue + icon to add hosts to perform ARP poisoning on.

  4. In the MAC Address Scanner window that appears, ensure that All Hosts in my Subnet is selected and then click OK.

  5. Click the APR tab to load the APR page.

  6. Click the white space under the uppermost Status column heading.

  7. Click the blue + icon and the New ARP Poison Routing window shows the hosts discovered in Step 3.

  8. Select your default route or other host that you want to capture packets traveling to and from.

  9. In the right column, Ctrl+click the system you want to poison to capture its voice traffic.

  10. Click OK to start the ARP poisoning process.

  11. Click the VoIP tab and all voice conversations are “automagically” recorded.

    Here’s the interesting part — the conversations are saved in .wav audio file format, so you simply right-click the recorded conversation you want to test and choose Play. Note that conversations being recorded show Recording . . . in the Status column.

There’s also a Linux-based tool called vomit that you can use to convert VoIP conversations into .wav files. You first need to capture the actual conversation by using tcpdump, but if Linux is your preference, this solution offers basically the same results as Cain, outlined in the preceding steps.
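On the detection side, the ARP poison routing that this kind of capture relies on shows up on the voice network as an IP address suddenly answering from a new MAC address, and as one MAC address answering for both a phone and its gateway. The added example below (not part of the original article) flags both patterns in ARP replies; the log lines are constructed in the style of tcpdump ARP output, and the addresses and function name are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n arp` output (not from the article).
# 192.0.2.1 is an assumed gateway and 192.0.2.50 an assumed IP phone.
SAMPLE = """\
10:00:01.000000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:01, length 28
10:00:02.000000 ARP, Reply 192.0.2.50 is-at 00:00:5e:00:53:50, length 28
10:00:09.000000 ARP, Reply 192.0.2.1 is-at 00:00:5e:00:53:aa, length 28
10:00:09.100000 ARP, Reply 192.0.2.50 is-at 00:00:5e:00:53:aa, length 28
10:00:12.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.50, length 28
"""

REPLY = re.compile(r"^(\S+) .*Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

def find_arp_anomalies(text):
    """Flag IP-to-MAC rebinding and a single MAC answering for several IPs."""
    first_seen = {}              # ip -> MAC from the first reply observed (the baseline)
    claimed = defaultdict(set)   # mac -> set of IPs it has answered for
    alerts = []
    for line in text.splitlines():
        m = REPLY.match(line)
        if not m:
            continue             # requests and non-ARP lines are ignored
        ts, ip, mac = m.group(1), m.group(2), m.group(3).lower()
        claimed[mac].add(ip)
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            alerts.append((ts, "rebind", ip, known, mac))
    for mac, ips in sorted(claimed.items()):
        if len(ips) > 1:
            alerts.append((None, "multi-ip", mac, sorted(ips)))
    return alerts
```

The baseline is simply the first reply seen for each IP, so start the capture from a known-good state; routers doing proxy ARP and failover pairs can legitimately trigger either alert and should be allow-listed after review.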

Countermeasures against VoIP vulnerabilities

Locking down VoIP can be tricky. You can get a good start by segmenting your voice network into its own VLAN — or even a dedicated physical network if that fits into your budget. You should also make sure that all VoIP-related systems are hardened according to vendor recommendations and widely accepted best practices (such as NIST’s SP800-58 document) and that software and firmware are fully patched.