
VoIP security: Scenarios, challenges, and counter measures--Part I

Mohit Arora and Suhas Chakravarty, Freescale Semiconductor

1/29/2007 1:21 AM EST

Voice over IP offers organizations lower telecommunications costs and greater network efficiency through convergence of voice, data and video. It can be used to stay connected during an emergency or calamity, giving employees access to their phone resources from IP phones at other locations. The rate at which VoIP is growing has given rise to network security concerns that need to be addressed as early as possible. NIST issued a report titled "Security Consideration for Voice Over IP Systems" last year, which focuses on VoIP security problems and recommendations, and highlights the current level of concern.

Security scenarios
VoIP reliability requirements are very stringent and approach 99.999% (5 minutes of downtime a year). Clearly, this level of reliability calls for automated real-time response to security threats and attacks. The types of attacks that are common in the data security realm, and that may render email or a computer network unusable for several hours, are not acceptable when it comes to IP communication.

One of the things that makes VoIP so attractive is its promise of using existing data network infrastructure for voice communications. Unfortunately, voice communications are exposed to all of the threats that exist for a traditional data network. VoIP is even more affected by these threats because of its stringent QoS (Quality of Service) requirements. The following section briefly explains the most common types of security threats that exist today for a VoIP service.

Eavesdropping
Eavesdropping is the interception of conversations by unintended recipients. Eavesdropping in VoIP requires intercepting the signaling and associated media streams of a conversation. No one disputes that an attacker can access and install a tap on a telephone pair outside your house. That action, however, is more visible, and explicit laws prohibit eavesdropping. IP eavesdropping can be accomplished from the comfort of a laptop as long as the tools and expertise exist to carry out the attack successfully.

Ethereal, Ettercap and Vomit are just some of the software tools used for media capture. Using them is as simple as capturing and decoding RTP packets, analyzing sessions and then saving the captured voice as an audio file (.au). This works because the header of every RTP packet contains information about the codec used to encode the voice samples. The codec is generally a standard one, which allows the software to decode the RTP packet, and thus the audio data. Thus, an entire conversation can be tapped.

"Spam over Internet telephony," or SPIT
SPIT is substantially more deadly than its email counterpart. Email spam will degrade service and clog up bandwidth. When emails are delayed by a few minutes, it does not make a difference. With VoIP spam, gateways are hit directly, degrading voice quality, which is very noticeable to end users.

VoIP is completely insecure at the protocol level; there is no encryption and no authentication. This means that it is easy for attackers to hack a caller ID and claim to be whomever they want. This open nature of the VoIP phone call makes it easy for spammers to send audio commercials to VoIP voice-mail inboxes in much the same way they bombard email inboxes today. Since VoIP services aren't regulated, customers are not entitled to the same rights and protections as standard phone users.

Any open, IP-based phone system could be a target of "spitters." Other services, such as Skype and Vonage, are more immune to such attacks because portions of these networks operate over a closed system that the SPITters would have to hack. However, any network architecture is vulnerable to hacker attack--Skype users were subjected to an unsolicited Voice Broadcast Message earlier in 2004. In response, the company patched the loophole within a couple of days.

There is an upside of being able to broadcast to phones. Emergency management agencies are able to reach out and warn populations more easily than ever before--an important consideration in today's post-9/11 environment, and something that would be useful not only for national alerts but for such local ones as Amber alerts for missing children.

Spoofing
Spoofing poses another level of challenge for VoIP: it is the creation of TCP/IP packets using someone else's IP address. Hackers use a variety of techniques to find the IP address of a trusted host and then modify the packet header (Source IP address field) so that the packets appear to come from that host, a technique popularly called Caller ID Spoofing in the VoIP domain. Pranks on friends and loved ones are the most common application of spoofing.


Figure 1. Caller ID Spoofing in VoIP

Websites such as Spoofcard, Nufone, and Spooftel provide caller ID spoofing services, and eliminate the need for special hardware.

Caller ID spoofing is often used by those who buy stolen credit card numbers. They will call a service such as Western Union, setting Caller ID to appear to originate from the card holder's home, and use the credit card number to order cash transfers that they then pick up. Exposing a similar vulnerability, Caller ID is used by credit-card companies to authenticate newly issued cards. The recipients are generally asked to call from their home phones to activate their cards.

In August, Secure Science Corporation warned that hackers can use Caller ID spoofing to break into voice mail boxes of T-Mobile subscribers. A U.S. wireless company with 15.4 million customers, T-Mobile permits users to check voice mail without entering a passcode, as long as they're calling from their own phone--an easy matter to fake with caller I.D. spoofing.

Caller ID Spoofing and SPIT are each a form of the more generic "Man-in-the-middle" attack. This is the name given to a situation where an attacker inserts himself between the originator and recipient of the call, without either of them knowing that their communication medium has been compromised. To either participant in the call, the attacker appears as the other, intended participant. Thus the attacker can intercept, modify and insert messages in the conversation. Obvious consequences include loss of confidential information and changes to the meaning of the information conveyed.

Call hijacking is a form of the man-in-the-middle attack in which the attacker replaces one of the participants in the call. Such attacks can be accomplished in a variety of ways. One is the manipulation of registration records maintained by the registrar/proxy server in a SIP-based VoIP network. This allows a malicious user to register as a valid user and go on to carry out toll fraud etc. Another means of launching such an attack is to manipulate the 3xx SIP response codes (see Figure 2). This allows the rogue user to redirect the voice traffic through them.


Figure 2. Man-in-the-Middle Attack
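Both hijacking paths described above work by changing where a Contact URI points, in a REGISTER binding or in a 3xx response. The following added example (not part of the original article) parses SIP messages and flags Contact hosts outside an allowlist; the function names, the allowlist and the sample messages are constructed for illustration, and a real deployment would derive the allowlist from its own proxies and endpoint subnets.

```python
import re

# Host part of a sip:/sips: URI, skipping optional userinfo; IPv6 literals stay bracketed.
URI_HOST = re.compile(r"sips?:(?:[^@>;\s]+@)?(\[[^\]]+\]|[^:;>\s]+)", re.I)

def parse_sip(raw):
    """Split a SIP message into its start line and a header dict (no line folding)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        key = "contact" if key == "m" else key  # "m" is the compact form of Contact
        headers.setdefault(key, []).append(value.strip())
    return lines[0], headers

def contact_findings(raw, trusted_hosts):
    """Flag Contact URIs outside trusted_hosts in 3xx responses and REGISTER requests."""
    start, headers = parse_sip(raw)
    parts = start.split()
    if len(parts) < 2:
        return ["malformed start line"]
    if parts[0].upper().startswith("SIP/"):      # response: SIP/2.0 <code> <reason>
        kind = f"{parts[1]} redirect" if parts[1][:1] == "3" else None
    else:                                        # request: <METHOD> <uri> SIP/2.0
        kind = "REGISTER binding" if parts[0].upper() == "REGISTER" else None
    if kind is None:
        return []
    return [f"{kind} points to untrusted host {host}"
            for value in headers.get("contact", [])
            for host in URI_HOST.findall(value)
            if host.lower() not in trusted_hosts]

# Constructed sample messages (documentation addresses, not captured traffic).
TRUSTED = {"pbx.example.com", "192.0.2.10"}
REDIRECT_BAD = ("SIP/2.0 302 Moved Temporarily\r\n"
                "Call-ID: a84b4c76e66710\r\n"
                "Contact: <sip:bob@203.0.113.66:5060>\r\n\r\n")
REDIRECT_OK = ("SIP/2.0 301 Moved Permanently\r\n"
               "m: <sip:bob@pbx.example.com>\r\n\r\n")
REGISTER_BAD = ("REGISTER sip:pbx.example.com SIP/2.0\r\n"
                "To: <sip:alice@pbx.example.com>\r\n"
                "Contact: \"Alice\" <sip:alice@198.51.100.23>;expires=3600\r\n\r\n")
```
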

There are some legal methods too. 'Footprinting' is the easiest and safest way to find information about a company that is available to the public, such as phone numbers, addresses, etc. Performing whois requests, searching through DNS tables, and scanning certain IP addresses for open ports are other forms of open source footprinting. Most of this information is fairly easy to find, and obtaining it is legal. Most companies post information on their website which can be very useful to hackers--and the companies don't even realize it.

Footprinting is the most convenient way for hackers to gather information about computer systems and the companies they belong to. Footprinting allows a hacker to learn as much as they can about a system, its remote access capabilities, ports and services, and aspects of its security. Many administrators now post false phone numbers to protect themselves from footprinting.

Another serious attack is Denial of Service (DoS). This attack is the most dangerous of all as it causes loss of service to users. A form of DoS called Flood DoS involves occupying the bandwidth of the victim network and hogging the computational resources of the system. With reference to VoIP, it is achieved by bombarding the IP phone/firewall with redundant packets, sent at a high rate through a rogue/compromised node on the network. Thus, the system's resources are occupied in processing these redundant packets and are unable to handle legitimate service requests. A Malformed Packet DoS attack can be launched by sending malformed, manipulated protocol packets. This attack exploits flaws in the implementation of various VoIP-related protocols.

DoS attacks can also target VoIP applications, which can be manipulated in several ways. A good example is SIP-based signaling protocol attacks, such as SIP-Cancel/Bye DoS, which can be used to prematurely terminate a VoIP call. At the transport protocol layer level, RTP packets can be manipulated to conduct DoS attacks. This includes SSRC Collision attacks, manipulation of the timestamp and sequence number fields of RTP packets and codec manipulation.

Codec Manipulation through RTP--RTP allows dynamic scaling of voice quality in the middle of a session, depending on network conditions such as available bandwidth. As it detects a change in the available bandwidth, it correspondingly adjusts the quality of the codec used to encode the audio data. Attackers forge RTP packets and increase the codec quality beyond practical limits. This results in high bandwidth usage, packet loss and hence degradation of voice quality. They can also choose to worsen the codec quality and render voice quality down to unacceptable levels.
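The fields named in the last two paragraphs (SSRC, timestamp, sequence number and the payload type that identifies the codec) all sit in the 12-byte fixed RTP header, which is also what lets capture tools decode a tapped stream. The following added example (not part of the original article) parses that header and flags the changes a forged packet would introduce into one media flow; the function names, thresholds and sample packets are constructed for illustration, and the set of negotiated payload types is assumed to come from the session's signaling.

```python
import struct
from collections import namedtuple

# Static audio payload types from RFC 3551 (subset); other values are dynamic or unknown.
STATIC_PT = {0: "PCMU", 3: "GSM", 4: "G723", 8: "PCMA", 9: "G722", 18: "G729"}
RtpHeader = namedtuple("RtpHeader", "pt seq timestamp ssrc")

def parse_rtp(packet):
    """Parse the 12-byte fixed RTP header defined in RFC 3550."""
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return RtpHeader(b1 & 0x7F, seq, ts, ssrc)  # low 7 bits of byte 1 = payload type

def audit_flow(packets, negotiated_pts, max_seq_jump=50):
    """Return (index, alert) pairs for the packets of one media flow, in arrival order."""
    alerts, prev = [], None
    for i, raw in enumerate(packets):
        try:
            h = parse_rtp(raw)
        except ValueError as exc:
            alerts.append((i, f"malformed: {exc}"))
            continue
        if (prev is None or h.pt != prev.pt) and h.pt not in negotiated_pts:
            name = STATIC_PT.get(h.pt, "dynamic/unknown")
            alerts.append((i, f"payload type {h.pt} ({name}) not negotiated"))
        if prev is not None and h.ssrc != prev.ssrc:
            alerts.append((i, "SSRC changed mid-flow"))
        elif prev is not None:
            delta = (h.seq - prev.seq) & 0xFFFF  # 16-bit wraparound; heuristic threshold
            if delta == 0 or delta > max_seq_jump:
                alerts.append((i, f"sequence jump of {delta}"))
            if (h.timestamp - prev.timestamp) & 0xFFFFFFFF >= 0x80000000:
                alerts.append((i, "timestamp moved backwards"))
        prev = h
    return alerts

def make_pkt(pt, seq, ts, ssrc=0x1234ABCD):
    """Build a constructed RTP packet: V=2, no padding/extension/CSRC, 160 payload bytes."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + bytes(160)

# Constructed flow: the session negotiated PCMU/PCMA only (payload types 0 and 8).
SAMPLE = [make_pkt(0, 100, 16000), make_pkt(0, 101, 16160), make_pkt(9, 102, 16320),
          make_pkt(9, 9000, 100), make_pkt(9, 9001, 260, ssrc=0xDEADBEEF), b"\x80\x00"]
ALERTS = audit_flow(SAMPLE, negotiated_pts={0, 8})
```
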

A variant of DoS is Distributed DoS (DDoS), in which more than one network node is hijacked and used to launch a coordinated DoS attack. This form of DoS is particularly dangerous since it multiplies the effectiveness of the attack.

About the Authors
Mohit Arora is a Design Lead at Freescale Semiconductor, India. Since joining Freescale in 2005, his responsibilities have included taking care of Systems and Architecture requirements and leading the development of VoIP-based SoCs and generic Microcontroller SoCs for MCD (Microcontroller Division). He has earlier worked on Imaging and Printing ASICs, USB2.0 PHY, PCI-Express, Infiniband and Serial ATA protocols. He earned a Bachelor's degree in Electronics and Communication Engineering from Netaji Subhas Institute of Technology (NSIT), formerly Delhi Institute of Technology, India in 2000. He can be reached at: mohit.arora@freescale.com

Suhas Chakravarty is a Design Engineer at Freescale Semiconductor, India. He joined Freescale in 2005 and is a part of the Systems and Architecture Team for VoIP-based SoCs for the MCD Division. He earned his Bachelor's Degree in Electronics and Communications Engineering from Netaji Subhas Institute of Technology (NSIT), India. He has worked extensively on embedded systems during his graduation. He can be reached at: suhas.chakravarty@freescale.com.

References

  1. R. Barbieri, D. Bruschi, E. Rosti, "Voice over IPsec: Analysis and Solutions." Proceedings of the 18th Annual Computer Security Applications Conference, 2002.
  2. D. Richard Kuhn, Thomas J. Walsh, Steffen Fries, "Security Considerations for Voice Over IP Systems," by National Institute of Standards and Technology.
  3. http://www.voipaction.com/voice_spam.php
  4. http://www.msnbc.msn.com/id/11624504/ "Technology facilitates Caller ID spoofing."
  5. http://www.securityfocus.com/news/9822
  6. VoIP Security: A Layered approach by xmco Partners www.xmcopartners.com/whitepapers/voip-security-layered-approach.pdf
  7. "Security Consideration for Voice Over IP Systems," by NIST
  8. .
  9. http://www.voiplowdown.com/2006/12/voip_security_c.html
  10. "Building Residential VoIP Gateways: A Tutorial," by Debbie Greenstreet and Sophia Scoggins, Texas Instruments Incorporated
  11. "Safeguard against Denial of Service Attack for IP Phones," by Texas Instruments Ltd
  12. "Ensure successful VoWLAN: Understanding security in VoIP networks," by Brent Lorenz, Texas Instruments

