VoIP vulnerability trends


McAfee Labs released a very interesting white paper about VoIP vulnerability trends and targets, and about protocol- and application-level attacks.

They first observed an increase in VoIP vulnerabilities at the end of 2006, and that trend has continued through today.

They credit part of this increase to better tools for finding VoIP vulnerabilities, yet this upward trend should be largely attributed to the growing number of VoIP installations.

Protocol-level attacks

Eavesdropping attacks can occur because the media transport protocol that carries the conversation lacks encryption in many default configurations. This is the case when using RTP as the media transport layer. The better option is secure RTP (SRTP), which provides both encryption and authentication.

Replay attacks replay a legitimate session (usually captured by sniffing the network traffic) against a target. For VoIP, replay attacks can occur in the signaling protocol SIP. To protect against this type of attack we can now use SIPS (SIP over transport-layer security).
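As an added example (not from the white paper or the original article), the following Python code audits a SIP INVITE for the two protocol-level weaknesses described above: media offered as plain RTP instead of SRTP, and signaling that does not use SIPS/TLS. The sample messages, host names, placeholder key and the `audit_invite` function are constructed for illustration.

```python
import re

# Constructed sample INVITEs (not captured traffic); hosts and key are placeholders.
PLAINTEXT_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pbx.example.com:5060;branch=z9hG4bKconstructed1\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SECURED_INVITE = (
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS pbx.example.com:5061;branch=z9hG4bKconstructed2\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\r\n"
)

def audit_invite(message):
    """Return findings for one SIP INVITE that carries an SDP offer."""
    head, _, sdp = message.partition("\r\n\r\n")
    headers = head.split("\r\n")
    findings = []
    # A sips: Request-URI asks for TLS on the signaling path; sip: does not.
    if not re.match(r"INVITE\s+sips:", headers[0], re.I):
        findings.append("signaling: Request-URI is not sips:")
    # The Via transport shows how each recorded hop carried the request.
    for line in headers[1:]:
        via = re.match(r"(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", line, re.I)
        if via and via.group(1).upper() not in ("TLS", "WSS"):
            findings.append(f"signaling: Via transport {via.group(1).upper()} is cleartext")
    # Split the SDP into the session part and one section per m= line.
    session, *media = re.split(r"(?m)^(?=m=)", sdp)
    for section in media:
        fields = section.splitlines()[0][2:].split()
        kind, proto = fields[0], fields[2].upper()
        # SDES (a=crypto) or DTLS-SRTP (a=fingerprint) supplies the SRTP keys.
        keyed = re.search(r"(?m)^a=(crypto|fingerprint):", session + section)
        if "SAVP" not in proto:
            findings.append(f"media: {kind} offered as {proto}, not SRTP")
        elif not keyed:
            findings.append(f"media: {kind} is {proto} but has no key attribute")
    return findings

if __name__ == "__main__":
    for name, msg in (("plaintext", PLAINTEXT_INVITE), ("secured", SECURED_INVITE)):
        print(name, audit_invite(msg))
```

The two checks belong together: an `a=crypto` line carries the SRTP key inside the SDP body, so it only protects the media when the signaling that transports it is itself encrypted.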

Denial of service
Because VoIP is a service on the IP network, it is open to the same flooding attacks that affect other IP-based services: infrastructure attacks, signaling and media protocol attacks, and the “bye teardown” attack.

Signal and media manipulation
VoIP is vulnerable to the same network-manipulation attacks as other network services. One such attack is “RTP InsertSound,” which allows an intruder to inject sound files into an RTP media stream (a voice conversation between two or more IP phones).

Application-level attacks

VoIP devices with open services
The service port exposed in most phones allows administrators to gather statistics, information, and remote configuration settings, but it also allows attackers to gain more insight into a network and identify the VoIP phones.

VoIP phone web services
The previously mentioned service ports also interact as web services and thus are prone to common vulnerabilities such as cross-site request forgeries and cross-site scripting.

With VoIP, calls can come from anywhere on the Internet and the caller-ID verification can easily be spoofed. Much like phishing, a vishing attack often looks like a financial institution that is asking for personal information such as credit card and social security numbers.

VoIP spam
Also known as SPIT (spam over Internet telephony), it is being used by telemarketers to reach thousands of users. Such unwelcome calls can rapidly consume resources and create a denial-of-service attack.

VoIP toll fraud
One of the most frequent attacks against VoIP, toll fraud is the act of gaining access to a VoIP network and making unauthorized calls. Attackers exploit weak usernames and passwords, open gateways, and other application-level attacks.

To eliminate these threats, McAfee Labs advises designing the VoIP network with optimized security in mind, and with an in-depth knowledge of the existing VoIP vulnerabilities.

For more details, you can read the white paper.