VoIP: A New Frontier for Security and Vulnerabilities
Introduction to Voice over IP Technology
The promise of extremely cheap telephone service, utilizing the Internet to transmit voice, has made voice over IP an attractive and profitable idea. Vonage (
Voice over IP uses a server to connect all telephones in a local area network and act as a gateway for VoIP packets traveling to and from the Internet. Consumers with broadband internet connections can purchase VoIP handsets or routers with an RJ-11 jack to connect regular telephones. Businesses must implement a VoIP application server to handle corporate telephone use, much like mail servers are used to manage email. The Internet Protocol Private Branch eXchange (IP PBX) is telephone equipment used by private companies, rather than telephone service providers, for the management of VoIP calls placed on the data network. When considering VoIP, organizations should focus on necessary quality of service (QoS) requirements, the cost to implement, and a number of security precautions needed to protect the network (Mullins, 2005).
Protocols
The two most common protocols central to VoIP are Session Initiation Protocol (SIP) and H.323. Both also rely on a number of other protocols, such as DNS and ENUM, in order to locate and navigate to other hosts on the Internet.
SIP first uses either TCP or UDP to signal a host on port 5060; then the Real-Time Transport Protocol (RTP) is used to transmit an audio stream over UDP ports 16384 through 32767 (Mullins, 2005). SIP is a broader specification, generally used to connect network devices to servers or other kinds of control equipment. It supports user authentication and the transmission of any type of media, including audio, video, and messaging.
On the other hand, H.323 is a bit more complex, deriving much of its design from legacy communication systems. Some would argue that it is also better, having already experienced and solved communication problems in the past. H.323 utilizes unicast and multicast on UDP port 1718 to locate the gateway; then remote access service (RAS) is started on UDP port 1719. H.225 and H.245 are also used for call signaling over TCP port 1720 and data transmission over TCP ports 1000 through 65535 (Mullins, 2005).
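A defender's check built on the port assignments above, as an added example that is not part of the original essay: it classifies flow records by those ports and flags VoIP traffic that crosses the LAN boundary without passing through the IP PBX. The LAN prefix, the PBX address, the record format and the sample flows are constructed assumptions.

```python
import ipaddress

# Port assignments as stated in the essay (Mullins, 2005). The H.323 data
# range (TCP 1000-65535) is left out: it would match nearly all TCP traffic.
VOIP_PORTS = [
    ("SIP signaling",           {"tcp", "udp"}, range(5060, 5061)),
    ("RTP media",               {"udp"},        range(16384, 32768)),
    ("H.323 gateway discovery", {"udp"},        range(1718, 1719)),
    ("H.323 RAS",               {"udp"},        range(1719, 1720)),
    ("H.323 call signaling",    {"tcp"},        range(1720, 1721)),
]

# Assumptions for this example: the LAN prefix and the IP PBX address.
LAN = ipaddress.ip_network("10.0.0.0/24")
IP_PBX = ipaddress.ip_address("10.0.0.5")

def classify(proto, dport):
    """Return the VoIP role of a destination port, or None if not VoIP."""
    for role, protos, ports in VOIP_PORTS:
        if proto in protos and dport in ports:
            return role
    return None

def audit(flows):
    """Flag VoIP flows that cross the LAN boundary without using the IP PBX."""
    findings = []
    for line in flows:
        proto, src, dst, dport = line.split()
        role = classify(proto, int(dport))
        if role is None:
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        crosses = (src_ip in LAN) != (dst_ip in LAN)
        if crosses and IP_PBX not in (src_ip, dst_ip):
            findings.append((role, src, dst, int(dport)))
    return findings

# Constructed sample flow records: "proto src dst dport".
SAMPLE_FLOWS = [
    "udp 10.0.0.5 198.51.100.20 5060",   # PBX to provider: expected
    "udp 10.0.0.5 198.51.100.20 16402",  # PBX media: expected
    "udp 10.0.0.23 10.0.0.5 5060",       # handset to PBX inside LAN: expected
    "udp 203.0.113.9 10.0.0.23 5060",    # outside host signaling a handset
    "tcp 203.0.113.9 10.0.0.41 1720",    # H.323 call setup bypassing the PBX
    "udp 10.0.0.23 192.0.2.77 20000",    # handset sending media straight out
    "tcp 10.0.0.23 192.0.2.80 443",      # not VoIP
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
```

Port numbers alone are a coarse signal: other applications can use UDP ports inside the RTP range, so findings are candidates for review, not confirmed VoIP sessions.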
Security Concerns
As with any new technology of the Information Age which has had groundbreaking implications for the way we communicate electronically, IT managers have been wise to greet voice over IP with some skepticism. After all, VoIP is a service that utilizes the Internet to transmit data, much like web browsers, email, or any other networked application. In that case, security should definitely be a major concern for anyone who is considering the adoption of VoIP telephone service. As Korzeniowski (2005) writes, “VoIP features all of the security problems inherent with IP communications and adds a few new items to the mix.”
The Internet
The benefits that voice over IP offers must be acknowledged with these security concerns in mind. Unfortunately for simplicity's sake, VoIP is not just a replacement for traditional phone systems operating on the PSTN (Public Switched Telephone Network). Indeed, we often take for granted the security we enjoy on the PSTN, which is by nature more secluded than Internet transmissions. A dedicated circuit handles only the relevant parties involved in communicating (normally only two in a typical two-way telephone call), making breaches or intrusions very uncommon. This is much unlike a typical link on a data network which may handle many IP transmissions at once. In fact, any host that sends or receives data on the Internet is as accessible to the public as the host's security permits. This also includes the actual IP packets going to and from the host on public lines, which may be intercepted by other parties.
Given the nature of VoIP as an Internet application, we can assume a number of security risks based on those we attribute to any Internet-based application. We should be especially wary of new technology that has yet to receive much attention in the areas of security/vulnerability corrections or known attack methods. Rendon writes, “There hasn't yet been a widely publicized attack on a voice system,” but he interviews a few business technology professionals who either believe attacks have occurred or at least acknowledge that a thorough security assessment is required to protect from the many possible modes of attack (2004).
One can only imagine what sort of havoc a hacker could unleash upon a company with a vulnerable VoIP system. The VoIP server and all of its administrative capabilities could be usurped, as well as individual telephone and voicemail systems. The hacker may intercept and listen to calls occurring on the company's network or use the corporate phone system to call expensive, long-distance numbers. Compromising a company's telephony capabilities could impede important business functions, resulting in monetary damages.
Eavesdropping
One particular concern would likely pique the interests of consumer and business minds alike: the idea that your conversations and voicemails could become a downloadable mp3 on the Internet. Similarly to the way hackers have traditionally sniffed IP packets on a data network to study what is being sent, eavesdroppers could intercept VoIP packets, potentially recording and/or listening in on an entire conversation or voicemail.
Caller ID Spoofing
As VoIP services have begun emerging on the Internet, so have some competitive but highly controversial services. Caller ID spoofing can allow anyone with an Internet connection and a VoIP handset or software application to place VoIP calls appearing from fabricated or misleading (spoofed) names and numbers. Obviously, this presents a breakthrough opportunity for prank callers, but it can also be a clever ploy for telemarketers and scam artists.
Gordon describes a situation that occurred late last summer when people all over the U.S. and Canada started getting phone calls from a Twin Cities phone number. A voice recording would offer deals on wireless phone services. But when