Perth is one of the world’s most isolated cities, perched on the west coast of Australia bordered by the Indian Ocean and vast, scrub-strewn desert to the east.
But geography was no obstacle to the hackers who compromised the voice-over-IP (VoIP) system of a small Perth business in January 2009, making 11,000 international phone calls in 46 hours and costing the company over AUD$120,000 (£57,000).
West Australian detectives investigating the incident said the company was only alerted when it received an invoice from its service provider, and described the incident as part of an “emerging trend”.
The high cost of this particular incident makes it conspicuous, but such security breaches are common: as recently as September 2nd 2009, a North Carolina business was billed $2500 for making 200 calls to the Dominican Republic after its PBX was hacked.
And end user organisations are not the sole targets either. In April 2009, four men were arrested in Texas for stealing more than 120 million minutes from major carriers AT&T and Verizon, and reselling them through front companies at a heavy discount, netting a profit of $1.2 million.
Toll fraud is nothing new and phone hacking (‘phreaking’) is one of the earliest forms, discovered in 1957 by a blind seven-year-old boy called Joe Engressia who could obtain free international calls from an AT&T telephone switch by whistling down the line at a perfect 2600 Hz.
The era of tone-dialling may be over but the convergence of voice and data (VoIP) networks has opened up corporate telecommunications systems to a new generation of threats, ranging from toll fraud to voice spam, eavesdropping and denial of service attacks.
Even more recently, the growing adoption of unified communications (UC) has meant that previously isolated voice networks are now vulnerable to the same threats facing conventional data networks, as well as opening the enterprise to attacks on new applications such as instant messaging clients.
“The problem with converged networks is that they inherit all of the problems of packet switch technology as well as the data vulnerabilities and traditional problems of the circuit switch network,” observes Jonathan Zar, spokesman for the Voice-over-IP Security Alliance (VOIPSA).
Users are not the only ones to benefit from the convenience of IP-based communication either. Attacks against phone systems are much easier to conduct over IP because traditional telecommunications services have been hardened over many decades and the skills involved remain highly specialist.
Laundering call time
Toll fraud is the most enduring problem because it is so easily monetised, explains Trevor Healy, CEO of VoIP provider Jajah which partners with Microsoft to connect users of its software-based UC solution, Office Communication Server (OCS), with the public phone network (a service known as ‘SIP trunking’).
“[Toll fraud] is a massive issue, and is highly sophisticated and highly organised,” he says. “You have a group of people who steal minutes and sell them in Internet cafés; there will be a big sign in window saying ‘make cheap international calls here’. A consumer walks in and makes a call to friend overseas, then hands over cash. If you have an Internet café somewhere like Vietnam where people have family overseas, that’s a big captive audience wanting to call places like the US.”
Crime rings will also use providers like Jajah to monetise stolen credit cards anonymously, effectively laundering money through net cafés. “Minutes are an instantly consumable commodity that everybody needs,” Healy explains, “and [criminals] will steal them using fraudulent credit cards.”
Much like a bank, Jajah uses fraud monitoring and pattern recognition systems to try and protect itself from fraud – unlike a conventional carrier, it doesn’t have the luxury of billing its customers for fraudulent minutes. Such is the threat from toll fraud, the company has located its research and development centre in Israel, due to the ready availability of two types of engineer: “highly skilled telecoms engineers and security guys from the government and military,” says Healy.
Credit card fraud through providers like Jajah or AT&T is only one way for criminals to source voice minutes to launder. Increasingly popular is direct theft from a corporation by compromising its IP-PBX.
“It’s actually a fairly simple process,” explains Peter Cox, CEO of VoIP security firm UM-Labs and the creator of proof-of-concept VoIP hacking tool SIPtap. “The attacker has to first identify the voice endpoint on the Internet, which is easy because VoIP protocols have features that allow you to query their status. They send these queries out to a range of addresses and if they get a response they know they have a VoIP endpoint.”
The next step, Cox explains, is to send a call request “which might require the domain name of the company being attacked – not difficult to find out.” The attacker’s goal, he says, is to trick the endpoint into passing the call onto the company’s internal phone system and relaying it out to the external phone network. “It either works or it doesn’t,” Cox says. “The problem is most calls get through.”
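The probe-then-call sequence Cox describes leaves a recognisable trace in SIP request logs. As an added illustration (not part of the original article), this Python sketch flags external sources that sweep several addresses with OPTIONS queries and then send an INVITE for an international number; the log layout, trusted range, threshold and every address and number in it are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed values for this sketch: the internal range and the sweep threshold.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SWEEP_THRESHOLD = 3  # distinct hosts queried with OPTIONS by one source
INTL_PREFIX = re.compile(r"^(\+|00|011)\d{6,}$")  # international dial strings
REQUEST_LINE = re.compile(
    r"^(OPTIONS|INVITE) sips?:(?:([^@\s]+)@)?([^\s;:]+)\S* SIP/2\.0$")

# Constructed sample log: (source IP, SIP request line), documentation ranges only.
SAMPLE_LOG = [
    ("198.51.100.7", "OPTIONS sip:100@203.0.113.10 SIP/2.0"),
    ("198.51.100.7", "OPTIONS sip:100@203.0.113.11 SIP/2.0"),
    ("198.51.100.7", "OPTIONS sip:100@203.0.113.12:5060 SIP/2.0"),
    ("198.51.100.7", "INVITE sip:0018095550100@example.com SIP/2.0"),
    ("10.1.2.3", "INVITE sip:0018095550101@example.com SIP/2.0"),
    ("192.0.2.44", "OPTIONS sip:203.0.113.10 SIP/2.0"),
    ("192.0.2.44", "INVITE sip:2001@example.com SIP/2.0"),
    ("192.0.2.44", "INVITE sip:+448005550100@example.com SIP/2.0"),
]

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in TRUSTED_NETS)

def analyse(log):
    """Return (source, alert) pairs in the order they are raised."""
    probed = defaultdict(set)  # source IP -> hosts it has queried with OPTIONS
    alerts = []
    for src, line in log:
        m = REQUEST_LINE.match(line)
        if not m or not is_external(src):
            continue  # internal phones and unparsed lines are out of scope
        method, user, host = m.groups()
        if method == "OPTIONS":
            probed[src].add(host)
            if len(probed[src]) == SWEEP_THRESHOLD:
                alerts.append((src, "options-sweep"))
        elif user and INTL_PREFIX.match(user):
            swept = len(probed[src]) >= SWEEP_THRESHOLD
            alerts.append((src, "relay-after-sweep" if swept else "external-intl-invite"))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

An alert raised at this point arrives while the calls are being attempted, rather than weeks later on the provider’s invoice.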
Hacking phone systems
Beyond hacking UC systems to steal call time, it is also relatively easy to disrupt a company’s VoIP service and leave it without a phone system.
Most companies would currently struggle to prevent a distributed denial-of-service (DDoS) attack on their UC architecture without specialist (and expensive) appliances such as session border controllers, for instance. Meanwhile the barriers-to-entry for these kinds of attacks are rapidly diminishing.
DDoS attacks leveraging instant messaging networks are a frequent occurrence today, says Roger Jones, a consulting engineer at Avaya. He expects that as VoIP calls increasingly become free to make between operators, “we’ll start to see people using some form of dialling technology to launch massive numbers of phone calls at an
Jones experienced many such attacks first hand when Avaya supplied converged communications to the World Cup in 2006. “We had our core PBX in Munich spread to all the stadiums in the World Cup, but as we approached the first game between Germany and Costa Rica the denial of service attacks and attempts to infiltrate the FIFA network really kicked off,” he recalls. “We had a lot of intrusion detection stuff around the network so we were able to withstand it, but I imagine a number of people would enjoy taking large corporations down.”
Many of the cost-savings from an enterprise VoIP solution arise from ‘SIP trunking’, whereby the corporate IP phone network is connected to the public switched telephone network (PSTN) through a third party service provider. However, this can expose organisations to potential attacks from public networks.
“We would absolutely insist that customers moving to SIP trunking have [a session border controller] at their end of link,” explains Jones. “A distributed ‘denial of ringing’ attack could easily overwhelm a company’s PBX and we would want something there to analyse that traffic before it reaches the PBX,” he says.
Eavesdropping, recording and call tampering do pose a threat for governments and other organisations guarding sensitive information, but it is a threat that can be largely resolved by call encryption. However, Healy argues that the information surrounding the data – which these measures often leave exposed – is just as sensitive as the call itself.
“It’s very important to protect call data records because in corporate espionage you can often tell as much from where people are calling as you can from what they are saying,” says Healy.
Encrypting and decrypting a real-time data stream impacts call quality and requires both additional bandwidth and hardware performance, and is a particular issue for software-based UC solutions. “Things can get interesting from a RAM perspective,” Jones acknowledges, adding that this is one of the reasons why Avaya performs as much of the process as possible in the phone or gateway hardware itself. “Often a customer won’t switch it on for phones inside the building but will for remote devices,” he adds.
Lines of defence
The complexity of VoIP protocols can challenge ordinary firewalls, which are designed for protecting web and email environments. Even web-based applications such as IM clients and popular VoIP service Skype test the typical firewall’s capabilities.
“Typical firewalls and proxies are not designed to handle evasive behaviour coming from inside the network to the outside,” says Kailash Ambwani, CEO of IM security firm Facetime. “Skype in particular is notorious for being able to get through almost any infrastructure.”
Ironically, mandating a particular IM client or a UC solution such as Microsoft’s OCS tends to accelerate the number of unmonitored UC applications in the enterprise, says Ambwani.
“When we ask customers why they are thinking of deploying OCS, one of the reasons is because they think it will reduce the use of public instant messaging on their networks,” he says. “The reality is exactly the opposite and our surveys show that use of public IM goes up once it has been introduced to a broad audience and implicitly sanctioned.”
Meanwhile, more sophisticated session border controllers that can handle VoIP threats can be prohibitively expensive for anything other than a large enterprise. “With something that doesn’t have an ROI, it is very difficult to invest anything other than the minimum,” explains VOIPSA’s Zar. To fill the niche, a cottage industry of so-called ‘UC-aware’ firewall appliances has sprung up in the last few years. It’s a niche that’s expanding, says UM-Labs’ Cox, because “a lot of UC vendors are competing with each other on features, and in a rush to add functionality they have tended to give security a secondary priority”.
The hosting question
Comprehensively defending an enterprise’s UC environment is a highly complex undertaking requiring collaboration between telecoms, network and security teams, putting it beyond the reach of all but the largest companies. That means there is a strong argument for outsourcing support and maintenance of UC infrastructure to a third party hosting service.
This is very “boutique work”, says Jajah’s Healy. “We have people from Israeli intelligence working on this; the guy in the back room of an enterprise is not skilled at it. We don’t see a world where this won’t move towards managed services.”
The tradition of hosted telephony in the UK is anything but proud, however, and many IT managers carry less-than-fond memories of old pre-IP hosted Centrex services, argues Avaya’s Jones. “The hosting question is asked regularly, but I’m not seeing larger organisations going for it at the moment,” he says.
Nevertheless, Zar of VOIPSA thinks that security will prove to be a sufficient driver for hosted UC adoption. “We think this will go the way of cloud computing, with organisations migrating to fully-hosted arrangements.”
For enterprise organisations, however, the low level of visibility into the plumbing – and the associated security risks – of the services that those third parties currently provide is unacceptable, he adds. “The backend is not transparent.”
That leaves early adopters of UC in an uncomfortable position. The tools required to conduct UC hacks are widely available, but the tools that are required to prevent them – and the companies that sell those tools – have yet to mature.
Voice over IP glossary
SIP: ‘Session initiation protocol’, standard signalling protocol used to enable voice, video and occasionally instant messaging communications over IP.
SIP TRUNKING: using a third party Internet telephony provider to connect a business’s VoIP network to the public phone system. With more sophisticated providers, this means all international calls can theoretically be charged at a local rate.
VOMIT: ‘Voice over misconfigured Internet telephones’, a utility that decrypts Cisco IP phone conversations into ordinary .wav files.
VOIPHOPPER: security tool that bypasses device authentication security by making a PC look like an IP phone to many VoIP platforms.
SPIT: ‘Spam over Internet telephony’, where an attacker floods a phone network with unwanted calls using a (typically free) VoIP provider.