Technology article: Hang up the Phone! Your VoIP is Being Hacked!

Article Tips > Technology

Sensational title isn't it?

Pardon the sarcasm, but once again we are being bombarded with sensationalist blog and news headlines about the vulnerability of VoIP. The headlines would have you believe that recording any VoIP call is as simple as installing a utility on your PC. Sorry but, in a secure environment that's just nonsense.

I deem the stories to be counter productive and I question the motives. It's great to raise security awareness, but how about some perspective and some helpful advice? What I don't see in these blog posts and news articles, is any description of the environment or circumstance under which these attacks are possible. Nor do I see any advice on whether protection mechanisms are available.

Several months ago, I bought and read the book Hacking Exposed VoIP since so many security presentations and articles used this book as a reference. It was interesting, and I would recommend it for those who would like to understand VoIP and SIP vulnerabilities. However, what I discovered was that nearly all of the hacks / vulnerabilities described in the book were dependent on the fact that common security best practices had not been implemented or had been compromised.

The latest flurry is related to a monitoring utility named SipTap by Peter Cox at VoIPCode.org.

While it's true that VoIP is vulnerable to a wide variety of attacks, it is also true that nearly all (including this latest one) can be mitigated by sound security practices.

I won't go into a detailed tutorial but I will provide a quick list and some references for you to pursue:

* Secure the IP Phones preventing users from viewing or changing configuration parameters
* Encryption: Signaling, Audio Path and Administrative
* Use Certificates to authenticate humans and components that use the system
* Disable root access for telephony administrators
* Deploy AAA systems and procedures (Authentication, Authorization and Accounting)
* Carefully choose who is allowed to transfer calls to an external destination
* Deploy and maintain virus protection
* Disable all unnecessary services on phones and related systems
* Expire passwords
* Disable passwords following a number of failed attempts
* Impose content and length restrictions to passwords
* Impose rate-limiting mechanisms to thwart DoS attackes
* Deploy security monitoring and alarming systems
* Phones and devices should reject unsigned or tampered firmware
* Reject 802.1q traffic destined to, or from the PC switch port of the phone
* Segment voice and data traffic on separate VLANs (PC phones violate this best practice)
* Install properly configured firewalls (duh!)
* Secure all network devices (physically and logically)
* Phones should ignore gratuitous ARPs
* Perform DHCP inspection
* Implement VPNs for remote access

Here are some excellent references:

Enhanced Security for Unified Communications (Cisco)
Enterprise VoIP Security Best Practices (Juniper)
VoIP Security for Dummies (Avaya)

I don't deny for a second that SIP and VoIP have vulnerabilities and that they must be addressed. But, there's no going back to TDM. IP communications is here to stay and the vast majority of risks can be adequately mitigated. Many of the security precautions should already be in place if your network and IT environment is secure.

Rick McCharles
VoIP / IP Telephony Consultant, Toronto
RIC Services

About the author of Hang up the Phone! Your VoIP is Being Hacked!

IP Communications and Technology RIC Services