01.30.06
VoIP Security Threats
Cisco Systems recently published a security alert and a fix for its Cisco CallManager product, a piece of call-processing software that works with Cisco’s IP telephony solution. According to the alert, all versions of CallManager are vulnerable to Denial of Service attacks, which could result in interrupted VoIP services or servers rebooting. The Cisco report says that versions of CallManager “do not manage TCP connections and Windows messages aggressively,” and leave known ports vulnerable to Denial of Service attacks. The vulnerability could also allow a user with read-only privileges to gain full administrative access to the system.
In addition to deploying the free software fix available from Cisco, users should also secure the CallManager through standard best practices to minimize the possibility of a successful attack. In the advisory, Cisco noted that there have been no known attacks to date based on the vulnerability.
The widespread use of VoIP in general has given rise to a whole new wave of threats and potential threats. In addition to DoS attacks such as the one described by Cisco, VoIP systems from all vendors are potentially vulnerable to the same sorts of attacks that take place on the Internet, including hacking, theft, viruses and even spam. Although VoIP attacks have not been the primary focus of hackers to date, attacks that have taken place have been focused on stealing service, or altering configurations. V-bombing, or launching huge numbers of voicemails into the system to cause a crash, is also a favored technique of VoIP hackers.
VoIP users, both at the corporate and household level, should also be aware of call spoofing. In this attack, an attacker spoofs the system’s caller ID to make it appear that a call is coming in from a trusted source. The attacker then uses social engineering methods to trick the call recipient into divulging private account information. And while not yet a major threat, Spam over Internet Telephony (SPIT) represents a potential threat; using SPIT, spammers turn to VoIP to spread thousands of voice messages to Internet phones at the same time.
Regardless of what type of VoIP equipment you have and which vendor it comes from, you can protect your VoIP environment and preserve its benefits to your enterprise through adhering to good security practices. One recommended practice is to segment voice and data traffic through virtual LANs, to prevent an attack on the data network from spilling over into the voice network. VoIP systems should also be connected to firewalls with intrusion prevention systems, integrated anti-virus and anti-spyware software. Another recommended practice is using access lists to control access to the VoIP device. And as always, security and software patches for all VoIP hardware and software should always be up to date.