Securing unified communications
Converging communications on an IP network promises great benefits for cost and flexibility, but it also opens up significant security challenges.
Unified communication technology promises to radically change the way large organisations communicate and collaborate internally. The core of this technological shift, driven largely by the rise of consumer applications such as Skype, is voice-over-IP (VoIP), which greatly cuts the cost of telecommunications by allowing calls to be placed over existing IP networks, as well as enabling things like digital voicemail and presence (‘don’t call me’) management.
But in their haste to take advantage of this technology, many companies have neglected to consider the security implications of opening their most critical lines of communication to the same threat environment as the Internet.
“Moving voice communication to IP networks opens up these services to the same kind of cyber attacks,” says Peter Cox, VoIP security expert and CEO of UM-Labs. “What better way to attack a country’s infrastructure, or a rival corporation, than by attacking their phone system?”
During his presentation at the Enterprise Security event, Cox demonstrated the ease with which an attacker can launch an assortment of devastating attacks on a company’s communication infrastructure.
Defending this environment is harder than defending email, he explains: email relies on just a few protocols, whereas corporate-grade VoIP services are far more complex due to a lack of standardisation.
“Straightaway we have to worry about two sets of protocols,” he explained. “There’s the signalling protocol that makes the phone ring and hang up when a conversation finishes, and the media protocol for the voice or video [content].”
Furthermore, every device, be it a desk phone or a software communication application, has to function as both a client and a server, receiving incoming media streams, with many operating on a peer-to-peer basis once the IP-PBX has set up the call session. This, explains Cox, “has a number of security implications”.
“We can split the threats into signalling threats and media threats,” he explained, offering several examples.
“A very nice attack is to flood phones with signalling invites – which would work well on a call centre. You don’t even need a phone, just a computer capable of scripting. What happens is that every phone rings, and you arrange the attack so that whenever a call is answered the call hangs up, waits a few seconds then rings again. It doesn’t take long before the phone gets thrown through the window – an extremely effective denial-of-service attack.”
Another attack is a deregistration attack: “If a phone goes through a registration process, which most do, an attacker can easily send a deregistration request so that no calls get through – another effective denial-of-service attack. Authentication is still something of a novelty in the VoIP community, and an even greater problem with devices like mobiles outside the enterprise perimeter.”
The important realisation, Cox says, is that pretty much all of these attacks are “completely valid and legal protocol attacks” that are unstoppable through many of the usual network protections, such as firewalls.
“Many firewalls claim to be [VoIP protocol] aware, but most are not aware enough to handle things like call flooding threats – it’s a call, a request that looks legitimate, so it gets let through.”
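The kind of call-aware check the quote above says most firewalls lack, as an added example that is not from Cox's presentation. It assumes the signalling protocol is SIP, where a deregistration is a REGISTER with an expiry of zero; the thresholds, function names and sample traffic are constructed for illustration.

```python
import re
from collections import defaultdict, deque

INVITE_LIMIT, WINDOW = 5, 10.0  # assumed: INVITEs allowed per source per window (seconds)

def parse(msg):
    """Split a raw SIP request into (method, {lowercased header: value})."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0].split(" ", 1)[0], headers

def is_deregistration(method, headers):
    """REGISTER that removes a binding: Expires: 0 or Contact ...;expires=0."""
    if method != "REGISTER":
        return False
    contact = headers.get("contact", headers.get("m", ""))  # "m" is the compact form
    return headers.get("expires") == "0" or bool(re.search(r";\s*expires=0\b", contact, re.I))

def detect(events):
    """events: time-ordered (timestamp, source_ip, raw_request) tuples."""
    recent, flooding, alerts = defaultdict(deque), set(), []
    for ts, src, msg in events:
        method, headers = parse(msg)
        if method == "INVITE":
            q = recent[src]
            q.append(ts)
            while ts - q[0] > WINDOW:      # drop INVITEs older than the window
                q.popleft()
            if len(q) > INVITE_LIMIT and src not in flooding:
                flooding.add(src)          # alert once per source
                alerts.append((ts, src, "invite-flood"))
        elif is_deregistration(method, headers) and "authorization" not in headers:
            alerts.append((ts, src, "unauthenticated-deregistration"))
    return alerts

def req(method, extra=""):  # builds a constructed SIP request head for the sample
    return f"{method} sip:100@pbx.example.test SIP/2.0\r\nCall-ID: sample\r\n{extra}\r\n"

# Constructed sample traffic (documentation address ranges), not captured data.
SAMPLE = sorted(
    [(i * 0.5, "198.51.100.7", req("INVITE")) for i in range(8)]
    + [(1.0, "192.0.2.10", req("INVITE")), (30.0, "192.0.2.10", req("INVITE")),
       (5.0, "198.51.100.7", req("REGISTER", "Expires: 0\r\n")),
       (6.0, "192.0.2.10", req("REGISTER", "Expires: 0\r\nAuthorization: Digest username=\"100\"\r\n")),
       (7.0, "192.0.2.11", req("REGISTER", "Expires: 3600\r\n"))]
)
print(detect(SAMPLE))
```

A registrar that enforces digest authentication answers an unauthenticated REGISTER with a 401 challenge, so the second alert matters most where the registrar accepts the request as sent.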
With several attendees already looking concerned, Cox proceeded to demonstrate a call hijacking attack: he intercepted a VoIP call from a mobile device through a corporate IP-PBX and automatically uploaded it to the public Internet, where the conversation was readily accessible in MP3 format.
This story accompanies the following feature
The maturing threat landscape
With both enterprise systems and the cybercriminal underground evolving rapidly, safeguarding information is as challenging today as it has ever been, as the Enterprise Security 09 event heard





