WireChatter.com » Security

VoIP Security – Dan York, The Black Bag Security Review

admin — Mon, 02 Mar 2009 14:00:50 +0000

Dan York gives a great Podcast (delivered here in a powerpoint presentation) about VoIP Security. It is an enjoyable anecdotal talk, where he sets up a story and tells the pitfalls that can begall an unsuspecting ‘sysadmin steve’ who inherits a VoIP system. Really, the intent here is that there are a number of potential security holes in VoIP that at the very least you need to be aware of. If your phone calls and what you say don’t need to be ‘private’ then you probably don’t need to worry too much!

| View | Upload your own

Basic VoIP security threat tutorial, ARP poisoning

admin — Mon, 23 Jun 2008 19:49:43 +0000

Image via Wikipedia

A very basic tutorial from techcentric.org on how to STOP VoIP security threats , CAIN, ARP and MITM attacks. Explains that an ARP Poisoning attack is a man in the middle attack (intercepting data in this case VoIP packets).

They recommend that you use SKYPE instead of SIP to avoid man in the middle attacks; or download ZPhone, it works with most SIP clients, or put your VoIP calls on VPN.

See the SIP protocol diagram (right)more information on what is happening during a SIP based VoIP call

Not the most insightful tutorial and a few people have commented that there were a few inaccuracies or that it was too basic, I thought it was a great tutorial for a ‘first timer’ trying to get a handle of what is going on with VoIP security threats. I would definitely need more details from here though.

VoIP Security Threats – Video, Peter Cox

admin — Fri, 02 May 2008 05:50:10 +0000

Peter Cox(?) a security consultant specializing in VoIP security has a great Podcast primer on VoIP security examples. He states that there are really three categories of VoIP Security Threats:

IP level Threats – shared with the web and email and others, common knowledge to many people already
Protocol and application specific threats, based on the way the SIP protocol is designed and is implemented, these VoIP security vulnerabilities can result in misdirected calls, terminated calls, and general call disruption
Content related VoIP Security threats, the interfere with the media stream (the voice or video call)

The most serious is a application level flooding attack, the works by running a script that sends a bunch of calls to an extension in rapid succession and hangs up once answered. It would make a phone unusable, no effective calls in or out.

Imagine also that the attacker injected content into a call, ring the phone and then play a recorded message – Telephone or VoIP SPAM! the last thing we need

Another set of threats revolve around the need of SIP phones to register with an IP/PBX. these kind of VoIP attacks can come in and de-register phones and extensions and render people unable to receive calls

VOIP Security Concerns

admin — Tue, 15 Apr 2008 18:05:56 +0000

VoIP uses the Internet for sending and retrieving VoIP data. This makes it vulnerable to hackers. For individuals who use VoIP this may not be a problem, but businesses don’t want their information to leak. For this reason VoIP services are dedicated to making their service as secure as possible.

Hackers may ty to tap your call and retrieve all sorts of information. They can retrieve conversations, but also VoIP phone numbers or user identities. When they retrieve this information, they can use your VoIP to make calls themselves. Some hackers may even record your call and use your voice to make calls.

There are a few ways to avoid these security problems. The first is encryption. Encryption works in the same way as when sending credit card information. The data is sent over a safe connection. Another way of averting security issues is by separating VoIP data and other Internet data by using a so-called VLAN (Virtual Local Area Network). The call quality may suffer under these measures. But both methods are an option if calls are to be kept secret.

Viruses sent with VoIP data could also be a risk factor, although this threat hasn’t been seen yet. Viruses don’t only overload the network, but they also reduce the quality of calls.

Another issue is SPIT – Spam over Internet Telephony. Instead of receiving e-mails you receive calls from companies that try to sell you their services and products.

How secure is my VoIP? Certain services maintain security through encryption or the use of a VLAN (Virtual Local Area Network). There are certain things consumers can do themselves.

A firewall will protect your computer from malicious attacks.
All downloads should also be checked for viruses or other threats.

: Image via Wikipedia

VoIP hardware on the other hand can be unstabilized or shut down if it receives certain types of data.
Certain Internet phones are sensitive to data piracy. For individuals these security issues may not be of importance. But businesses have sensitive conversations over the Internet. They have their own gateways and equipment, which makes them an easy prey for DOS attacks (Denial of Service) and other assailments.