Is VOIP a Security Hazard?
An IT Business article by Vawn Himmelsbach with Informatica's president, Claudiu Popa. Following some troubling news about Skype, enterprises check whether their own IP voice systems might also be at risk. 4/17/2007
Voice over IP is a cheap, convenient method of communication, but unlike the old-fashioned telephone, it is prone to all sorts of security threats.
Last month, a Trojan known as both Warezov and Stration spread over the Internet through Skype chat messages carrying a link. When a user clicked the link, the malware sent the same URL to everyone on that user's contact list.
Skype uses VoIP packet-switching technology, but it differs from the VoIP provided by the telcos because it uses closed, proprietary protocols of its own creation, said Claudiu Popa, president
through and installs itself,” he said. “It's not really
a weakness.”
But there is concern over Skype in the corporate world because it is difficult to block and usually finds a way through the corporate firewall. Skype, in turn, has published an IT administration document that tells IT staff how to block Skype traffic so they can control their own environment. If employees are using Skype, they could be consuming so much bandwidth that they affect the normal traffic on the company's network, said Popa. (The Skype end-user licence agreement states that Skype can use the computer's bandwidth at its discretion, which is how its peer-to-peer network grows.)
Skype sessions are encrypted, so a hacker who captures them learns nothing from them. The flip side is that employees could be siphoning information out of the company over Skype without the IT manager ever being able to inspect that traffic.
Standards-based VoIP is a whole different ballgame because it uses open, published protocols that the entire world can study, and the possibilities for attack are endless: identity theft, theft of call content, and degradation of service.
Someone who hacked into a company's router could
listen in to a board of directors' meeting, said Popa, and use that
information to buy stocks. “VoIP is a very simple concept
– it's built with the building blocks of the Internet,”
he said. “Your conversation turns into tiny little blocks.
Hackers don't have to learn that much new in the way of network
security.”
Attackers could not only retrieve voicemail messages but also send messages and flood a user's mailbox, which is a denial-of-service attack. They could also impersonate people and leave bogus messages. Most likely, however, they would silently sniff and capture traffic over time to steal information. Number harvesting is another issue, in which numbers are stolen and injected into data. When an entire database is sent as an attachment to a VoIP voicemail, said Popa, you essentially render that database useless because the data has been corrupted.
VoIP is based on Internet software, so it has the same issues that any other kind of Internet software has. This is something people sometimes forget, said Tom Cross, X-Force researcher with IBM Internet Security Systems. It looks like a phone, so people do not think about managing it the way they would a computer. “It doesn't fit into your thought process,” he said.
About this time last year, a group of hackers sent
out a phone number in spam, telling people there was a problem with
their bank account and to please call this phone number. “People
are accustomed to getting e-mails that say, ‘click on this
link,' and people are largely learning not to do that,” he
said. “They don't expect this kind of thing happening with
a phone number.” Since then, we've already seen a few copycat
attacks.
“What's important about that Skype attack is it wasn't really an attack against the Skype technology, it was an attack against people who use Skype,” said Cross. “It was similar to a phishing attack.” This type of attack could occur over any medium. But as VoIP becomes more popular, through Vonage, cable modem-based VoIP services and peer-to-peer technology like Skype, the bad guys are going to target users of those services.
Skype in particular is pretty sophisticated, said Cross, with a lot of anti-reverse-engineering features that make it hard for people to take the software apart and figure out how to attack it, though it has had vulnerabilities in the past. Skype also has sophisticated cryptography, so it is difficult for someone to listen in to a Skype call.
Other VoIP technologies vary, and some send calls over the Internet without encryption, making it relatively easy to listen in for anyone who controls a computer in the path between the user and the VoIP service provider.
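To make the two points above concrete (the "tiny little blocks" that someone who has hacked a router can capture, and calls that cross the Internet without encryption), here is an added example that is not part of the original article and not code from any of the people or companies quoted. Standards-based VoIP normally carries audio in RTP (RFC 3550); the block parses the RTP fixed header and reassembles one leg of a call from packets that arrive out of order, with a sequence-number wrap and a duplicate, exactly as a passive on-path sniffer has to. The packets are constructed in the code itself, the SSRC values are made up, and the payloads are short text stand-ins for audio samples so that the recovered stream is readable; nothing here touches a real network.

```python
"""Passive reassembly of an unencrypted RTP stream.

Added example: the packets below are constructed in code, not captured
from any network, and the payloads are text stand-ins for audio samples.
"""
import struct

RTP_FIXED_HEADER_LEN = 12  # V/P/X/CC, M/PT, seq(16), timestamp(32), SSRC(32)


def parse_rtp(packet: bytes) -> dict:
    """Parse the RTP fixed header (RFC 3550) and return its fields and payload."""
    if len(packet) < RTP_FIXED_HEADER_LEN:
        raise ValueError("packet shorter than the RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_FIXED_HEADER_LEN])
    if b0 >> 6 != 2:
        raise ValueError(f"unsupported RTP version {b0 >> 6}")
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    csrc_count = b0 & 0x0F
    offset = RTP_FIXED_HEADER_LEN + 4 * csrc_count  # skip contributing-source IDs
    if extension:
        # header extension: 16-bit profile id, then its length in 32-bit words
        _profile, ext_words = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if padding and payload:
        payload = payload[:-payload[-1]]  # last octet holds the padding length
    return {
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "payload_type": b1 & 0x7F,  # 0 = PCMU (G.711 mu-law), 8 = PCMA
        "marker": bool(b1 & 0x80),
        "payload": payload,
    }


def build_rtp(seq: int, timestamp: int, ssrc: int, payload: bytes,
              payload_type: int = 0, marker: bool = False) -> bytes:
    """Build a minimal RTP packet; used here only to construct sample input."""
    b0 = 0x80  # version 2, no padding, no extension, no CSRCs
    b1 = (0x80 if marker else 0x00) | (payload_type & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, timestamp, ssrc) + payload


def reassemble(packets, ssrc: int) -> bytes:
    """Concatenate the payloads of one SSRC in sequence order.

    Packets may arrive out of order or twice, and the 16-bit sequence
    number wraps, so each sequence number is first extended to a
    monotonic counter relative to the previous packet, then sorted.
    """
    by_ext_seq = {}
    prev_seq = prev_ext = None
    for pkt in map(parse_rtp, packets):
        if pkt["ssrc"] != ssrc:
            continue  # the other leg of the call, or a different call
        if prev_seq is None:
            ext = pkt["seq"]
        else:
            # signed 16-bit distance from the previous packet: -32768..32767
            delta = ((pkt["seq"] - prev_seq + 0x8000) & 0xFFFF) - 0x8000
            ext = prev_ext + delta
        prev_seq, prev_ext = pkt["seq"], ext
        by_ext_seq.setdefault(ext, pkt["payload"])  # keep the first copy of a duplicate
    return b"".join(by_ext_seq[k] for k in sorted(by_ext_seq))


# Made-up synchronisation-source identifiers for the two legs of one call.
CALLER_SSRC = 0x1234ABCD
CALLEE_SSRC = 0x0BADF00D


def sample_capture() -> list:
    """Constructed packets as an on-path host might see them: both call legs
    interleaved, the caller's leg out of order and wrapping at 65535, plus
    one retransmitted packet. Timestamps step by 160 (20 ms of 8 kHz audio)."""
    return [
        build_rtp(65534, 0, CALLER_SSRC, b"buy "),
        build_rtp(7, 0, CALLEE_SSRC, b"ok"),
        build_rtp(65535, 160, CALLER_SSRC, b"ACME"),
        build_rtp(1, 480, CALLER_SSRC, b"open"),  # arrives before seq 0
        build_rtp(0, 320, CALLER_SSRC, b" at "),
        build_rtp(0, 320, CALLER_SSRC, b" at "),  # duplicate
        build_rtp(8, 160, CALLEE_SSRC, b"."),
    ]


def sniffed_conversation() -> bytes:
    """What an on-path attacker recovers from the caller's leg, in the clear."""
    return reassemble(sample_capture(), CALLER_SSRC)


if __name__ == "__main__":
    print(sniffed_conversation())  # b'buy ACME at open'
```

The point of the exercise is the last line: with plain RTP, everything needed to put the call back together (ordering, timing, codec) is in the header in cleartext, so an attacker on a router in the path needs no more than a copy of the packets. Had the stream been SRTP, the same code would still order the packets correctly but the concatenated payload would be ciphertext.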
For the enterprise, there are concerns about data privacy, said Al Huger, vice-president of Security Response and Security Services with Symantec Corp. The goal of the vast majority of Trojans, for example, is to steal data, primarily personal data. “We expect in the future we will see Trojans steal data, as in phone calls,” he said. In the case of targeted attacks against enterprises, the goal is typically to steal intellectual property. The added ability to steal telephone conversations, he said, will make the intruders' job a lot easier.
We'll also start to see attackers targeting VoIP
server technologies in the same way they target Web servers and
other Internet-facing technologies today. “If it's exposed
to the Internet, they can break into it,” said Huger. “They
have a gateway to the internal network.”
When the Web was new, it got ravaged because nobody had applied a lot of thought to security. With new technologies, we are seeing that happen again. But in order to exploit VoIP, attackers still need access to your network or your customer's network, said Huger. “So the goal here is to keep them off your servers, off your employees' desktops,” he said. “Those things have not changed.”