http://www.tmcnet.com/it/0802/0802gr.htm

BY ANDREAS M. ANTONOPOULOS & JOSEPH D. KNAPE
August 2002

With all new technologies there is a security 'honeymoon' during which the technology is below the hacker's radar because of lack of widespread use. As a technology becomes more prevalent, and critical to organizations, its security will be probed and cracks will be found very soon. Internet telephony has now reached the critical mass of adoption and maturity that makes it not only a viable target but also a valuable one, as it becomes part of business critical applications. Whether the intent is to disrupt or profit, it will not be long before the first victims appear. Beyond the monetary risks, there is also a very serious privacy threat, as we have become accustomed to government regulation that at least protects our privacy from everyone outside government.

Legacy telephony has long enjoyed a level of protection through law, boundaries of physical security, and plain old obscurity that relegates it to a separate category of hacking. Apart from a few exceptions, telephony hackers, or 'phreakers' as they are dubbed, were a breed of their own with very specialized tools and techniques. Very few hackers were adept both in the world of computers and in the world of telephony. The telephony landscape and its relation to society is rapidly changing. When the phenomenon of 'convergence' between telephony and the Internet started, it also brought closer the world of the phreaker and the hacker. VoIP brings all this to the next level. Unfortunately, the security inherent in VoIP solutions is equivalent to that of the early Internet: non-existent.

CONVERGING NETWORKS, CONVERGING THREATS

With the convergence between voice and data, the critical barrier to would-be attackers quickly crumbles.
The physical separation of the two networks and the relative security of voice networks were primarily enforced by federal laws and proprietary infrastructures, which are less effective as the networks converge. From a legislative perspective the transformation of the telephony landscape is of great concern: the current laws do not protect security or privacy; nor do they allow law enforcement access for wiretaps. Where the Internet spreads, it brings with it the disrupting influences of new models and paradigms. In telephony the disruption is just starting, but the changes are going to be more staggering than we can imagine.

Since IP is the underlying protocol used for the transmission of voice data, a VoIP network will be susceptible to the same security problems inherent in any IP-based network. Additionally, there is an added level of complexity in VoIP networks because of the challenges that must be met by VoIP technology in order to achieve useful levels of service for transmitting speech in an efficient and effective way.

The most important threats in a converged world of ubiquitous VoIP are:

* Eavesdropping from anywhere in the world (Privacy).
* Social engineering (Authenticity/Integrity).
* Disruption of voice communications/Denial of service (Availability).
* Resource theft (free calls for all).

VIRTUAL WIRETAPS

Eavesdropping on a telephony network requires either physical access to the wiring, or access to the digital backbones of the telephone companies. In a converged network, all the eavesdropper need do is compromise the security of the data network (or the endpoints) and he or she can access the voice streams. Such a 'virtual wiretap' is much more insidious than a physical wiretap, because it is almost impossible to detect. The copying of bits does not impact the original stream in any way. Therefore, unless one can control the access to the data network, the voice data is vulnerable.
In many ways, we have grown used to an 'expectation of privacy' on telephone networks. This will no longer hold true unless we take steps to ensure our privacy with sophisticated security measures. Furthermore, the 'virtual wiretap' can be effected from, and the sound transmitted to, anywhere in the world. In fact I could hire someone to tap into your network and send me the audio, from anywhere in the world: outsourcing meets wiretaps.

For me to be able to listen in to your conversation, I would have to be able to decode the audio stream. With most current protocols, this is trivial. Encryption, however, would put an insurmountable obstacle in my path. Encryption is a well-developed technology, which has been applied to many different communications solutions. In the cellular phone market the term 'digital' has become synonymous with 'private' as the encryption has been sold as a product feature.

There are two barriers to the application of encryption in VoIP. The first, as ever, has to do with standardization of the protocols. In order for encryption to be effective it must be very simple to use; in effect it must be transparent to the user. This requires standardization of the VoIP protocols (still in the early stages) and the encryption mechanisms. Because of the necessity to allow for upgrading of the encryption standards as they become obsolete or easy to 'crack,' it is important to have an open architecture that allows for 'negotiation' of suitable encryption algorithms between the end-points at runtime. This can be implemented in a similar way to the current support for multiple voice codecs with runtime negotiation.

Encryption has become hugely popular as a means to leverage the Internet for corporate communications. Virtual Private Networks (VPNs) allow companies to transfer data between offices securely. An alternative to 'native' support of encryption within the VoIP protocols is the use of VPN tunnels in order to 'wrap' the voice stream.
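The runtime negotiation of encryption algorithms between end-points described above, modelled on codec negotiation, shown as an added example that is not part of the original article or the authors' work. The offer line (`a=crypto-offer:`), the suite names and the two policies are constructed for illustration and are not a standardised SIP or SDP attribute. The point it demonstrates is the retirement mechanism the paragraph calls for: the caller's preference order decides, an algorithm marked as retired is never selected even when both sides still list it, and a peer that offers only retired algorithms is refused rather than the call falling back to an unencrypted stream.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// OfferPrefix is a constructed attribute name for this example, modelled on an
// SDP codec list; it is not a standardised SIP/SDP attribute.
const OfferPrefix = "a=crypto-offer:"

// Suite is one media-encryption algorithm an endpoint knows about.
type Suite struct {
	Name       string
	Deprecated bool // still recognised, so an old peer can be refused explicitly
}

// Policy is an endpoint's suites in order of preference, most preferred first.
type Policy []Suite

// ErrNoCommonSuite means the call must not proceed: fail closed rather than
// silently fall back to a cleartext voice stream.
var ErrNoCommonSuite = errors.New("no acceptable encryption suite in common")

// Offer renders the caller's non-deprecated suites as a single attribute line.
func (p Policy) Offer() string {
	names := make([]string, 0, len(p))
	for _, s := range p {
		if !s.Deprecated {
			names = append(names, s.Name)
		}
	}
	return OfferPrefix + strings.Join(names, " ")
}

// allows reports whether the callee currently accepts the named suite.
func (p Policy) allows(name string) bool {
	for _, s := range p {
		if s.Name == name {
			return !s.Deprecated
		}
	}
	return false
}

// Negotiate parses the caller's offer and returns the first suite, in caller
// preference order, that the callee also allows. A deprecated suite is never
// chosen even if both sides list it, which is how an obsolete algorithm is
// retired without changing the protocol itself.
func Negotiate(offer string, callee Policy) (string, error) {
	if !strings.HasPrefix(offer, OfferPrefix) {
		return "", fmt.Errorf("malformed offer %q", offer)
	}
	for _, name := range strings.Fields(strings.TrimPrefix(offer, OfferPrefix)) {
		if callee.allows(name) {
			return name, nil
		}
	}
	return "", ErrNoCommonSuite
}

func main() {
	// Constructed policies; suite names are illustrative.
	caller := Policy{{"AES-256-GCM", false}, {"AES-128-CTR-HMAC-SHA1", false}, {"DES-CBC", true}}
	callee := Policy{{"AES-128-CTR-HMAC-SHA1", false}, {"AES-256-GCM", false}, {"DES-CBC", true}}

	offer := caller.Offer()
	chosen, err := Negotiate(offer, callee)
	fmt.Println(offer, "->", chosen, err)

	// A peer that only speaks a retired algorithm: the call fails closed.
	legacy := Policy{{"DES-CBC", false}}
	_, err = Negotiate(legacy.Offer(), callee)
	fmt.Println("legacy peer:", err)
}
```

Run with `go run`; the second line of output shows the legacy peer being refused with ErrNoCommonSuite, which is the behaviour a user agent should surface as "call cannot be secured" rather than quietly proceeding.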
Unfortunately, wrapping the voice stream in a VPN tunnel is quite difficult in practice. VPN devices and software are not currently designed to accommodate real-time traffic. As a result, they tend to add unacceptable levels of jitter and latency to the VoIP communications. Although just about bearable in small installations (1-2 voice streams), they become unwieldy in larger applications (VoIP between branches of a company, over VPNs for example).

SOCIAL ENGINEERING

Another important threat for VoIP networks is the ability to 'enhance' social engineering attacks. Social engineering is the practice of using social skills and deception to exploit human vulnerabilities rather than system vulnerabilities. A common example is persuading someone in a company to give you their password by pretending to be an administrator in their IT department. Imagine how much easier it would be to persuade someone that you work for the company if you can make their VoIP phone display the origination of the call as 'IT Helpdesk.' Or imagine how simple it would be if you could disguise your voice electronically to be identical to that of their boss. Software that allows digital impersonation has already been demonstrated; albeit crude, it is only a matter of time before it is sophisticated enough to be indistinguishable from the real person. The saving grace is that with current technology, it is unlikely this can be done in real time without significant expenditure. Nevertheless, pre-recorded messages that sound like someone else are within the capabilities of desktop systems. And don't forget, your grace period diminishes by half every 18 months according to Moore's law.

In order to protect against this kind of digital impersonation, there can be a number of solutions. The most secure approach would be widespread application of digital signatures and PKI for the authentication of end-users.
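Digital signatures for the authentication of end-users, as the paragraph above proposes, shown as an added example that is not from the article or its authors. It uses Ed25519 from Go's standard library; the assertion layout, the SIP-style identities, the display name and the trust-store lookup are constructed assumptions rather than any deployed protocol. What it shows is that a display name such as 'IT Helpdesk' is only presented as authenticated when it is bound, by a valid signature, to an identity whose public key the receiving organization holds, and that a recorded assertion cannot be replayed later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assertion is what a signing caller attaches to call setup: who claims to be
// calling, what name to display, whom they are calling, and when. Field order
// and separator are fixed so both sides sign and verify identical bytes.
// (Constructed layout for this example.)
type Assertion struct {
	Caller  string // identity, e.g. "sip:helpdesk@example.com" (constructed)
	Display string // the name the callee's phone will show
	Callee  string
	Issued  time.Time
}

func (a Assertion) bytes() []byte {
	return []byte(strings.Join([]string{
		a.Caller, a.Display, a.Callee, a.Issued.UTC().Format(time.RFC3339),
	}, "\n"))
}

// Sign produces the signature the caller's user agent sends with the assertion.
func Sign(priv ed25519.PrivateKey, a Assertion) []byte {
	return ed25519.Sign(priv, a.bytes())
}

// TrustStore maps caller identities to the public keys an organization trusts
// (the PKI role, reduced to a map for the example).
type TrustStore map[string]ed25519.PublicKey

var (
	ErrUnknownCaller = errors.New("caller identity not in trust store")
	ErrBadSignature  = errors.New("signature does not match assertion")
	ErrStale         = errors.New("assertion outside freshness window (possible replay)")
)

// Verify decides whether the callee's phone may show a.Display as authenticated.
// Anything that fails here is simply displayed as unverified, not blocked.
func (ts TrustStore) Verify(a Assertion, sig []byte, now time.Time, maxAge time.Duration) error {
	pub, ok := ts[a.Caller]
	if !ok {
		return ErrUnknownCaller
	}
	if !ed25519.Verify(pub, a.bytes(), sig) {
		return ErrBadSignature
	}
	if now.Sub(a.Issued) > maxAge || a.Issued.After(now.Add(maxAge)) {
		return ErrStale
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ts := TrustStore{"sip:helpdesk@example.com": pub} // constructed identity
	now := time.Now()

	a := Assertion{"sip:helpdesk@example.com", "IT Helpdesk", "sip:trader@example.com", now}
	sig := Sign(priv, a)
	fmt.Println("genuine helpdesk call:", ts.Verify(a, sig, now, time.Minute))

	// Someone re-labels a captured assertion: the signature no longer matches.
	forged := a
	forged.Display = "IT Helpdesk (urgent)"
	fmt.Println("altered display name:", ts.Verify(forged, sig, now, time.Minute))

	// The same recording presented an hour later fails the freshness check.
	fmt.Println("replayed an hour later:", ts.Verify(a, sig, now.Add(time.Hour), time.Minute))
}
```

An identity absent from the trust store is reported as unknown rather than refused, which keeps the anonymous caller the next paragraph worries about possible: the phone shows the call as unverified and the user applies the awareness rules the article gives under SOCIAL ENGINEERING.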
This PKI-based approach is not only very difficult to apply globally, it also has some disturbing privacy implications (anonymity, after all, is a feature most of us are used to when making calls, Caller-ID notwithstanding). An alternative is to apply generic controls at an organization's perimeter such as firewalls and Intrusion Detection Systems, which would protect against an outsider gaining access in this manner. Technology notwithstanding, the most effective solution is the same as with social engineering in other circumstances: don't believe what the phone displays, don't assume you know who you're talking to, and be smart about what kind of information you give to people on the telephone. These are all basic security awareness issues and should be handled as such with appropriate training and drills. Security is not just about technology; it is about people applying technology with a bit of common sense.

BUSY TONE

Although most consumers will berate their telecommunications providers and complain bitterly about the service, in truth we have been accustomed to a high level of reliability when using the phone. How many times in your life have you picked up the phone and not heard a dial tone? Achieving the kind of reliability that makes phones 'just work' 99.999 percent of the time would be enviable in the world of IT. So as we converge and shift voice onto a dynamic ad-hoc network such as the Internet we are bound to (at least at first) lose some reliability. From a security perspective, however, there is a much-increased opportunity for mischief. This comes mainly in the form of Denial of Service (DoS), which is already one of the most common types of attacks on the Internet. Denial of Service involves attacks whose main aim is to affect the availability of a system by disrupting services, applications or networks. In the telephony world, DoS would make you always get a busy signal. How would DoS affect a converged network?
It is Wednesday afternoon, and the Federal Reserve is about to announce whether it will change interest rates. At the city's largest bond trader, all the IP phones stop working at exactly the moment the announcement is made. The traders are unable to trade and as a result the company loses millions of dollars in the 15 minutes it takes to restore service.

Clearly there is a much greater danger of disruption for converged networks. Furthermore, as data and voice travel over the same network, disruption of one affects the other. The VoIP failure may simply be a side effect of a wider DoS attack against the company's network. Unfortunately, there is no foolproof way to protect against DoS. A DoS attack will target and attempt to exhaust resources that you voluntarily make available. For example, if you allow incoming VoIP sessions from outside your organization, these can be used indiscriminately by anyone. If someone decides to abuse these resources, there is not much you can do. They may have disguised their source address, or may keep changing source addresses, making it difficult or impossible to block an attack. Denial of Service can't be stopped because it is based on tying up publicly available resources by brute force. If everyone in NY called your phone, you would not be able to use it and would have to disconnect it. Even the phone company could not help you stop people from calling you without a specific number to block.

FREE CALLS FOR ALL

PBX owners have already had to deal with theft of service. Phreakers will compromise PBX security and use the system to make free calls or organize 'party lines' to communicate with their friends. The Communications Fraud Control Association (http://cfca.org/) says "it is estimated that annual fraud losses are in excess of $12 billion worldwide." Convergence will only increase this threat of theft. As the networks converge there will be a need for gateways connecting VoIP systems to POTS (plain old telephone service).
These gateways allow normal phones to call VoIP phones and vice-versa. Whether these gateways are part of a PBX or part of a VoIP system, they represent the border between telecommunications networks and data networks. This means that they will make telecommunications networks more accessible from the data network side. Hackers will almost certainly find ways to "spoof" (pretend to be some known system), gaining access to the gateway as a legitimate user and making phone calls at the expense of the company. The security designed into such gateways at present is at best trivial. Even a rather unskilled attacker can quite easily spoof the SIP sessions and UDP packets that compose the voice stream. The authentication systems that have been added on to SIP and H.323 in order to restrict access are not very well designed and mostly send the authentication details in the clear (not encrypted), so that someone with access to the network can compromise them quite easily.

The solution to theft of service is a combination of technology, monitoring, and awareness. From the technology perspective it is imperative that at least simple controls such as firewalls and password access be added to the telephony gateways to protect against unauthorized access. Monitoring of use and user training and awareness can complement the technical solutions in order to improve the security. After all, you don't want to find out about service theft when you get your bill and discover it is $250,000 more than expected. Continuous monitoring and auditing will at least give you an early warning of problems.

CONCLUSION

A global converged network will change the telephony landscape completely. New services, applications, and paradigms are already emerging. In the rush to migrate telephony to the more flexible infrastructure of the Internet, security has almost been an afterthought.
Soon it will become obvious that a flexible and open network creates security problems that were not issues in the closed proprietary past of telephony. These issues will need to be addressed in order for Internet telephony to flourish. There will certainly be challenges at first, but most of the technical difficulties can be overcome if security is made part of the design requirements of new IP telephony applications from the beginning.

As organizations migrate their internal phone systems to IP, they will be able to protect them by applying security best practices at the perimeter of the organization. Many of the security solutions are not VoIP specific; rather, the solutions involve the same combination of people, processes, and technology that are applied to protect data networks. Security within corporate networks can be improved by protecting the perimeter and applying encryption. The real challenge will appear when IP telephony transcends the boundaries of a single organization. When companies start connecting to each other or accepting incoming VoIP connections from the public, the security problems will become much more serious. Solutions will depend on designing security into the protocols and user agents. Unfortunately, security is often "bolted" on as an afterthought.

Perhaps the most pertinent lesson is that it is estimated that security measures cost 10 times less if they are included in the design and not added on after the implementation. Internet telephony pioneers can reap significant savings by considering security at the earliest stages in the development of applications or systems. If they do not, they will soon discover that the honeymoon is over.

Andreas M. Antonopoulos is security practice leader at Greenwich Technology Partners. Joseph D. Knape is an independent security consultant in Dallas, Texas.
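The continuous monitoring and auditing of gateway use that the article recommends under FREE CALLS FOR ALL, shown as an added example that is not from the article or its authors. The call detail record layout, the sample records, the extension numbers, the dialled numbers and the thresholds are all constructed for this example; real gateways and PBXs log in their own formats. It flags the two patterns that usually precede the surprise on the bill: international calls placed outside working hours, and an extension accumulating more international talk time than its budget allows.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// sampleCDRs are constructed call detail records in a constructed layout:
// "<RFC3339 start>,<extension>,<dialled number>,<seconds>". One ordinary
// extension (2041) and one that looks compromised (2077).
const sampleCDRs = `2002-08-14T10:02:11Z,2041,+12125550101,240
2002-08-14T10:15:40Z,2041,+12125550102,60
2002-08-14T02:10:05Z,2077,+442079460001,1800
2002-08-14T02:41:22Z,2077,+442079460002,1750
2002-08-14T03:05:09Z,2077,+61299990001,1900
2002-08-14T03:40:51Z,2077,+61299990002,1850`

// CDR is one parsed record.
type CDR struct {
	Start    time.Time
	Ext      string
	Dialled  string
	Duration time.Duration
}

// ParseCDR parses one record line; a malformed line is an error, not skipped,
// because a gap in the audit trail is itself worth noticing.
func ParseCDR(line string) (CDR, error) {
	f := strings.Split(line, ",")
	if len(f) != 4 {
		return CDR{}, fmt.Errorf("bad record %q", line)
	}
	start, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return CDR{}, err
	}
	secs, err := strconv.Atoi(f[3])
	if err != nil {
		return CDR{}, err
	}
	return CDR{start, f[1], f[2], time.Duration(secs) * time.Second}, nil
}

// Rules is the organization's expectation of normal gateway use.
type Rules struct {
	HomeCountry   string        // dialled prefix treated as domestic
	WorkStart     int           // hour of day (UTC) when staff start calling
	WorkEnd       int           // hour of day (UTC) after which calls are unusual
	MaxIntlPerExt time.Duration // international talk time per extension in the audited window
}

// Audit returns one alert per suspicious pattern, the early warning the
// article asks for instead of a $250,000 surprise on the bill.
func Audit(lines []string, r Rules) ([]string, error) {
	var alerts []string
	intlByExt := map[string]time.Duration{}
	for _, ln := range lines {
		c, err := ParseCDR(ln)
		if err != nil {
			return nil, err
		}
		intl := !strings.HasPrefix(c.Dialled, r.HomeCountry)
		h := c.Start.UTC().Hour()
		offHours := h < r.WorkStart || h >= r.WorkEnd
		if intl && offHours {
			alerts = append(alerts, fmt.Sprintf("off-hours international call: ext %s -> %s at %s",
				c.Ext, c.Dialled, c.Start.Format(time.RFC3339)))
		}
		if intl {
			before := intlByExt[c.Ext]
			intlByExt[c.Ext] = before + c.Duration
			// Alert once, at the call that crosses the budget.
			if before <= r.MaxIntlPerExt && intlByExt[c.Ext] > r.MaxIntlPerExt {
				alerts = append(alerts, fmt.Sprintf("ext %s exceeded %s of international talk time", c.Ext, r.MaxIntlPerExt))
			}
		}
	}
	return alerts, nil
}

func main() {
	rules := Rules{HomeCountry: "+1", WorkStart: 8, WorkEnd: 19, MaxIntlPerExt: time.Hour}
	alerts, err := Audit(strings.Split(sampleCDRs, "\n"), rules)
	if err != nil {
		fmt.Println("audit failed:", err)
		return
	}
	for _, a := range alerts {
		fmt.Println("ALERT:", a)
	}
}
```

Run against the constructed records it produces four off-hours alerts for extension 2077 and one budget alert at the third of its calls; extension 2041, calling domestically during the day, produces none. In practice the thresholds come from a baseline of the organization's own normal traffic, and the audit runs on every record as it arrives rather than once at month end.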
Greenwich Technology Partners is a leading network infrastructure consulting and engineering company that designs, builds, and manages the complex networks that utilize advanced Internet protocol, electro/optical, and other sophisticated technologies. Additional information about Greenwich Technology Partners can be found online at www.greenwichtech.com.