VoIP - Vulnerability over Internet Protocol
by Wil Allsopp - consultant at Secure Test - Monday, 22 March 2004.
Having discovered the vulnerabilities with regard to DoS attacks, tests then moved on to see whether the ARP spoofing attacks, specifically data interception, were possible. Any fan of spy films will know that telephone tapping is perfectly possible on traditional PSTN based phones. Since this usually requires a hardwire tap to be set into the PBX, however, this becomes a question of the physical security of the core infrastructure. Initial tests on VoIP phones, however, have shown that where data is not encrypted, it is relatively easy to intercept, listen-in on or record conversations on any phone, from any other phone point on the network. Worryingly, most of the commonly used VoIP phones do not encrypt traffic by default and currently, many do not even support the necessary protocols to make this possible.

Initial tests on the Cisco 7900 have proved that it is possible to carry out an ARP attack on a target phone which draws the data stream through the attackers' computer. As any conversation is transmitted in the clear using standard RTP (Real time Transfer Protocol), this can easily be decoded, listened in-on and recombined in real time, leaving the victim(s) none the wiser.

As researchers found it relatively simple to develop a tool to automate this process, it can safely be assumed that such tools are freely available on the Internet. This means that where VoIP handsets do not support the secure RTP protocol necessary to protect traffic (as with all current Cisco phones) it should be assumed that all communications could be intercepted.

All of the attacks outlined above are difficult to guard against as they work using the very essence of convergence; that you do not physically segregate the data network and the phone system. Even where separate IP networks are used, you can simply plug a PC in to the telephone network via the phone port. As one of the major advantages of VoIP is computer telephony integration (ie. screen pop-up with call information and multi-channel CRM systems) most hardware phones contain a built in switch to allow a PC and a phone to occupy the same port.

Looking beyond this, the increased sophistication of an IP based telephone network even makes it easier to create Trojans to carry out these and other attacks remotely. Secure Test most recent studies suggest that once a network has been infected, this makes is perfectly feasible to tap VoIP calls and carry out DoS attacks remotely from outside the company network.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th