VOIP Security

VOIP Security Issues:

• Interception of calls
• Denial of Service Attacks
• Theft of Service
• Exfiltration of data via media session
• Malware embedded in signaling and media session

Interception of Calls

VOIP phone calls are fairly easy to capture and decode if you one has physical access to a LAN segment that the VOIP packets travel accross. Fortunately, with most enterprises using Ethernet switches instead of hubs, there are a limited number of locations this is possible.

Countermeasures

• Physical Security
• Encryption - not yet widely available for VOIP services
• Secure wireless networks

Denial of Service Attacks

Sending spurious traffic to VOIP services or endpoints to disrupt normal service.

Countermeasure

• Some Session Border Controllers have DoS countermeasures built in.

Theft of Service

Countermeasures

• Use Authentication features of VOIP protocols
• Encryption
• Physical security
• Secure wireless networks

Exfiltration of data via media session

Sending data out via the media session. RTP as a covert communication channel.

Countermeasure

• Deep Packet Inspection of all outgoing media streams

Malware embedded in signaling and media session

Malformed SIP and RTP (or other signaling/media streams) with malicious payloads

Countermeasures

• Deep Packet Inspection of all incoming signaling and media streams

VoIP Security Forums

• VoIP Security Forum

VoIP Security Training

• VoIP Security Training - VoIP Security Course Providers - Conference, Private, & On-site

See Also:

• SIP security
• easySysAdmin easySysAdmin is an automated support/security platform, designed to save your engineer's time and prevent hacking attempts. Specifically of interest to Asterisk users is the monitoring of SIP registrations, and automatic blocking of repeated failed attempts. In addition, "bad" IP addresses are shared via the service so other users can block them pre-emptively. For more information and the free trial visit our web site.
• VOIP Phreaking Presentation at the 22nd Chaos Communication Congress
• Best Practices for VoIP Security Whitepaper
• VOIPSA threat taxonomy from VOIPSA
• SecVoIP - Just another VoIP Security, Unified Communications Security, Video over IP Security, VVoIP Security Blog.
• Tactical VoIP Independent security consultants offering contract VoIP security audit, secure design, and forensic investigation services. Available World-wide. Currently serves Fortune 500, Government, and Industrial clients.