In the early days of VoIP, there was no big concern about security issues related to its use. People were mostly concerned with its cost, functionality and reliability. Now that VoIP is gaining wide acceptance and becoming one of the mainstream communication technologies, security has become a major issue.
The security threats cause even more concern when we think that VoIP is in fact replacing the oldest and most secure communication system the world ever known – POTS (Plain Old Telephone System). Let us have a look at the threats VoIP users face.
Identity and service theft
Service theft can be exemplified by phreaking, which is a type of hacking that steals service from a service provider, or use service while passing the cost to another person. Encryption is not very common in SIP, which controls authentication over VoIP calls, so user credentials are vulnerable to theft.
Eavesdropping is how most hackers steal credentials and other information. Through eavesdropping, a third party can obtain names, password and phone numbers, allowing them to gain control over voicemail, calling plan, call forwarding and billing information. This subsequently leads to service theft.
Stealing credentials to make calls without paying is not the only reason behind identity theft. Many people do it to get important information like business data.
A phreaker can change calling plans and packages and add more credit or make calls using the victim’s account. He can of course as well access confidential elements like voice mail, do personal things like change a call forwarding number.
VishingVishing is another word for VoIP Phishing, which involves a party calling you faking a trustworthy organization (e.g. your bank) and requesting confidential and often critical information. Here is how you can avoid being a vishing victim.
Viruses and malwareVoIP utilization involving softphones and software are vulnerable to worms, viruses and malware, just like any Internet application. Since these softphone applications run on user systems like PCs and PDAs, they are exposed and vulnerable to malicious code attacks in voice applications.
DoS (Denial of Service)
A DoS attack is an attack on a network or device denying it of a service or connectivity. It can be done by consuming its bandwidth or overloading the network or the device’s internal resources.
In VoIP, DoS attacks can be carried out by flooding a target with unnecessary SIP call-signaling messages, thereby degrading the service. This causes calls to drop prematurely and halts call processing.
Why would someone launch a DoS attack? Once the target is denied of the service and ceases operating, the attacker can get remote control of the administrative facilities of the system.
SPIT (Spamming over Internet Telephony)
If you use email regularly, then you must know what spamming is. Put simply, spamming is actually sending emails to people against their will. These emails consist mainly of online sales calls. Spamming in VoIP is not very common yet, but is starting to be, especially with the emergence of VoIP as an industrial tool.
Every VoIP account has an associated IP address. It is easy for spammers to send their messages (voicemails) to thousands of IP addresses. Voicemailing as a result will suffer. With spamming, voicemails will be clogged and more space as well as better voicemail management tools will be required. Moreover, spam messages can carry viruses and spyware along with them.
This brings us to another flavor of SPIT, which is phishing over VoIP. Phishing attacks consist of sending a voicemail to a person, masquerading it with information from a party trustworthy to the receiver, like a bank or online paying service, making him think he is safe. The voicemail usually asks for confidential data like passwords or credit card numbers. You can imagine the rest!
Call tampering is an attack which involves tampering a phone call in progress. For example, the attacker can simply spoil the quality of the call by injecting noise packets in the communication stream. He can also withhold the delivery of packets so that the communication becomes spotty and the participants encounter long periods of silence during the call.
VoIP is particularly vulnerable to man-in-the-middle attacks, in which the attacker intercepts call-signaling SIP message traffic and masquerades as the calling party to the called party, or vice versa. Once the attacker has gained this position, he can hijack calls via a redirection server.