Security Review: VoIP Communication
Over the past five years or so, voice over IP has rapidly gained in popularity and use. It touts cheaper calls for residential users and corporations can save big because additional extensions on a VoIP infrastructure are less costlythan their traditional phone system counterparts. VoIP uses the same data lines as IP traffic to transmit voice. As such, it faces many of the same security issues as digital data.
Assets:
- Reliable, time-sensitive communication: No matter how much of our global communication is moving to text-based solutions, telephone calls are still the best way to communicate quickly
- Privacy: Users disussing sensitive information want the content of their conversation to be accessible only to the intended parties.
Adversaries:
- Digital phreakers: Phreakers in the days of analog phones exploited phones to be able to make free calls. Similar feats have been accomplished with VoIP systems.
- Company rivals: They might seek to bring down a company’s communications to reduce their ability to handle business.
- Profiteers: Can hold a company’s communications ransom
Weaknesses:
- It’s digital, and travels over the same wires as other data. One no longer needs to tap a phone at either end of the conversation to eavesdrop
- Data must be delivered real-time. Reliability measures that reattempt data delivery at a significantly later time impair the immediate delivery required for a voice conversation.
Potential defenses:
- Not much can be done against DDoS attacks. Companies can only ensure that they aren’t part of the problem by keeping their machines clean of malware that participates in DDoS attacks by employing firewalls and keeping software up to date. Having some sort of Quality of Service system in place for VoIP may also help alleviate the problems of a DDoS attack.
- Encryption: Encrypting the communication can make the original voice data hard to recover, securing its content.
It’s real-time nature makes VoIP extremely sensitive to DDoS attacks. For residential users, an interruption in service could be as annoying as an inability to make calls, or in the worst case, prevent the user from making calls to emergency services. For businesses, service interruption can incur profit loss. Hackers have already exploited VoIP systems to make free calls by brute-forcing the IP packet prefix that VoIP providers use to identify calls admitted on their networks. The hackers were able to then turn a profit by selling minutes on the hacked services. Tapping a VoIP conversation doesn’t require a physical tap on the line at one end of the conversation. A hacker can sniff packets off the network bound to or originating from the desired victim and reassemble them into audio.
Source: VoIP Security at silicon.com