Security Threats Come A-Callin'

VoIP calling systems are just as vulnerable to hacking as other Internet applications, new research indicates

Businesses that swap out old phone systems in favor of new Internet-based calling gear could be in for some major headaches.

Sure, the technology can lower bills and adds a bevy of features to communications systems. But it's also vulnerable to security threats. And while concerns over the security of Voice over Internet Protocol (VoIP) have surfaced for months, new research being made public on Aug. 2 shows just how big the threat—and potential headaches for corporate users—may become.

VoIP calling systems are just as susceptible to hacking and digital mischief as any other Internet-based application, say David Endler, a computer security researcher for TippingPoint, a unit of networking concern 3Com (COMS), and Mark Collier, CTO of SecureLogix, a San Antonio-based computer security firm backed in part by Symantec (SYMC). And hacking into such systems is shockingly simple, the researchers say. They're taking the wraps off those findings at the annual BlackHat computer security conference in Las Vegas.

"If you look at VoIP, it's no different than any other application we've seen, whether it's Wi-Fi or Web applications," Endler says. "What happens is that very early in its life cycle, everyone is deploying it and security isn't addressed because clear threats haven't emerged. We can expect that in the coming year those threats will emerge. It's the kind of story we've seen time and again in the computer security business."


  The pair's research centers on VoIP equipment from major vendors including Cisco Systems (CSCO), Avaya (AV), and Skype, owned by eBay (EBAY), as well as the open-source Asterisk platform. Endler and Collier have already informed vendors of their findings, and weaknesses aren't targeted at any one specific company or product, but rather affect several vendors. "We've been in contact with them and we're aware of what they'll be talking about, and we'll have some of our own people at the presentation," says Cisco spokeswoman Molly Ford. "This doesn't affect a specific Cisco product but concerns the entire industry, and so of course we're interested."

That interest will likely be shared by any company that's considering a VoIP upgrade (see, 11/10/06, "Internet Telephony: Coming in Clear"). Endler and Collier scoured network gear and the software that runs it for potential vulnerabilities. "We had to write our own tools to do the job and, in so doing, uncovered more weaknesses than we initially suspected," Collier says.

And the weaknesses are already starting to be used by troublemakers (see, 7/11/06, "The Phone is the Latest Phishing Rod"). In June, FBI agents arrested a man in Miami who had attacked the network of a VoIP calling service provider and then sold what were essentially stolen calling minutes to unwitting customers, leaving an unnamed Newark (N.J.)-based company holding the bag for more than a half-million minutes' worth of phone calls.


  The U.S. Justice Dept. alleges that 23-year-old Edwin Andres Pena, with the help of a professional computer hacker based in Spokane, Wash., hacked into the networks of the VoIP calling company and obtained the codes for routing calls through the company's network without being detected. He then sold access to people who knew only that they were buying calling minutes, according to the Justice Dept. complaint. Pena purchased real estate, cars, and a 40-foot motor boat with the proceeds from the scam, the FBI says. "If there's money to be made, you can expect that attacks like this will continue," Endler says.

So how easy is it to hack a VoIP calling system? Surprisingly so. The researchers developed a tool designed to overwhelm networks that use session initiation protocol, or SIP. Every such call starts with what's known as an "invite request"—meaning one computer reaches out over the Internet to establish a connection with another to set up the call. Endler and Collier developed software that overwhelms corporate VoIP systems with thousands or millions of these invite requests all at once. The result is that no one is able to place calls to or make calls from phones on that network. Endler and Collier will demo the tool at BlackHat.

Another type of attack is even more ominous. Every time a VoIP phone is turned on, it registers on the network, essentially saying "I'm here" and requesting attention so it can start working. The process is not secure and vulnerable to hacking, the pair says. Hackers can muck about with registration information in a way that lets them eavesdrop or even redirect a call to another phone altogether.


  In some cases that registration information is readily available through a carefully crafted search on engines like Google (GOOG). Endler and Collier say some VoIP phones have their own Web server software on them and that an informed attacker knowing what to search for can find the unsecured configuration screens of individual phones through a simple Web search. In some cases, this information can yield other useful information, like passwords and Internet Protocol addresses that can be used to attack other parts of the system.

"There's really no one gaping hole," Endler says. "The problem is really a combination of attacks that are very easy to perform today in most of the VoIP environments you see today."

Before it's here, it's on the Bloomberg Terminal.