Hacking Unified Communications security

A fundamental shift in the IT security world has taken place. It is the common thread running through these real-world case studies:

1. An enterprise telecoms manager at a small company is stunned to receive a US$100,000 phone bill, an invoice many times greater than normal.
2. A major health care system of hospitals and clinics has deployed converged IP communications. One day, the privacy compliance officer discovers that doctors, nurses and pharmacists are communicating protected patient data to each other using an unauthorized instant messaging application pushing data out into “the Cloud,” somewhere out on the Internet. Panicked, the officer realizes a major privacy law violation is taking place.
3. A major bank adopts SIP trunking to cut telecoms costs. The SIP trunks bring inbound calls to call center representatives who are the primary interface with the bank’s retail banking customers. Within an hour of turning up the trunks, the bank’s new system is hit by a VoIP Denial of Service attack designed to effectively block all calls to its call center services, cutting off communications with its customer base in the middle of the business day.

These are all factual accounts of recent Unified Communications (UC) security risks encountered by real companies. They represent stark examples of the new security environment facing companies around the world as Unified Communications reaches mass adoption.

UC Security is the new phase in the long evolution of IT security. Each leap forward in technical innovation is followed by the exploitation of security vulnerabilities as the new technology reaches mass adoption. Local Area Networks and Wide Area Networks spawned the need for authentication systems, firewalls and intrusion detection systems. Ubiquitous computing and the Internet eventually brought the need for anti-virus on end-points, spam protection, and VPNs. The new era of enterprise communications – UC – is bringing with it new attack vectors, exploits, and losses mounting into the billions of dollars for companies that fail to properly plan or appreciate the unique requirements of UC applications.

UC is most often defined as the convergence of multiple communications applications – typically VoIP, collaboration tools, instant messaging, presence-enabled tools, and IP video conferencing. UC also often involves new end-point devices such as smartphones or tablets accessing these communications applications. It may also involve extending communications across untrusted networks such as the Internet or other networks out of the company’s control, such as with SIP trunks. Finally, UC may include connecting with applications in another company’s environment, such as that of a supply chain partner, or incorporating an application running from “The Cloud” or a hosted provider. In short, UC often involves varied, smart end-points sharing corporate data and corporate applications across borders and over untrusted networks.

Every aspect of this innovation involves a multitude of new security concerns. As is the case in all technical innovations, the true security risks that really matter do not become apparent until the technology has been in use for some time.

VoIP and UC have been deployed in production long enough for the risks to become very clear indeed. Consider:

  • A Romanian VoIP hacking ring is estimated to have stolen 11 million Euros in services by the time it was broken up in late 2010. Companies deploying non-secured VoIP and UC systems paid the price.
  • The US government broke up an international comms hacking ring that employed hackers in Asia, targeting companies in the US, and reselling stolen services in Italy. The ring had hacked more than 2,000 businesses and stolen minutes worth more than US$55 million before authorities shut it down.
  • Vishing – the use of VoIP technology for Identity Theft – has become so prevalent that government warnings about it are almost continuous. For example, a series of VoIP Identity Theft scams targeted millions of retail banking customers in the US in 2009 and 2010, prompting regulatory and law enforcement authorities to issue consumer alerts across many states.
  • Local media sources worldwide report case after case of small companies falling victim to toll fraud incidents in which the small company receives a telecom invoice for tens of thousands of dollars, orders of magnitude beyond its normal charges.
  • Corporate espionage is taking place via UC vectors, with security experts citing confirmed cases of eavesdropping, data leakage and related crimes resulting from improperly secured VoIP systems. Security researchers have demonstrated major vulnerabilities that permit eavesdropping and communications interception not only in VoIP, but in video conferencing and other applications as well.
  • More insidious and disturbing VoIP crimes are on the rise, including SWATting, in which the culprit calls in a bogus terrorist attack or hostage crisis using a spoofed caller identification, causing authorities to dispatch heavily armed police to an unsuspecting business or residence.

All of these problems stem from the common misconception that VoIP and UC do not need any special security controls beyond basic data security. Every victim of the incidents described above had this sense of complacency. But UC has distinctly special characteristics that must be appreciated and addressed. They include:

Real-time performance: Unlike email or web browsing, VoIP, video conferencing, collaboration and instant messaging tools must perform – and be secured – in real-time to be “business class.”

Converged applications: UC mingles traffic from a host of applications that previously were segregated. The result? Compromising one application makes it easier to compromise all of them. For example, tools available at no cost on the Internet right now enable an attacker to easily hop from a VoIP virtual LAN to the data virtual LAN. When that happens, every system attached to the corporate network is at risk.

Untrusted networks: A company’s UC often is extended to teleworkers, remote call centers, even smartphones or laptops in a coffee shop. These are untrusted networks where sniffers can easily intercept and compromise corporate data. How does an enterprise prove compliance with privacy laws in that environment?

New end-points: Employees are using smartphones, tablets like the iPad, soft-clients on computers and other new devices to conduct company communications. If the enterprise is permitting access to corporate VoIP and UC, then those systems are open to security risks introduced by these new devices. Furthermore, an increasingly common trend is for enterprises to permit employees to use their personal devices, adding further risk and reducing control.

In summary, all new communications applications require application-layer security, and UC is no different. Email, spam, and web browsing all brought about new products such as proxy servers, filters or firewalls that provide security for users, systems and corporate data. Before a company adopts VoIP or other UC applications, the security architecture must be carefully evaluated in light of the new UC security requirements. If UC security is addressed proactively and realistically, a company can actually make its path to VoIP and UC adoption simpler and more effective.