Professional Documents
Culture Documents
Table of Contents
Table of contents���������������������������������������������������������������������������������� 3
Introduction��������������������������������������������������������������������������������������������� 4
VoIP Benefits�������������������������������������������������������������������������������������������� 5
VoIP History���������������������������������������������������������������������������������������������� 6
VoIP Standards���������������������������������������������������������������������������������������� 7
H.323������������������������������������������������������������������������������������������������������������ 8
VoIP Vulnerabilities����������������������������������������������������������������������������10
Skype����������������������������������������������������������������������������������������������������������17
Conclusion����������������������������������������������������������������������������������������������19
References�����������������������������������������������������������������������������������������������20
Disclaimer Information�������������������������������������������������������������������21
V oIP is defined as the ability to make telephone calls, associated with VoIP, and those specific to VoIP. Firstly,
send faxes and carry out video-conferencing over an overview of the benefits of VoIP.
IP based networks. This is achieved by utilising current
VoIP standards and protocols such as H.323, Session
Initiation Protocol (SIP), and Skype to convert analogue
signals into digital data that can be transmitted over
the Internet. VoIP offers a number of benefits including
increased flexibility and reduced overheads to any
organisation that is willing to change its voice networks
from the traditional circuit switched network to that of
the packet switched network utilised by VoIP.
http://clickz.com/showPage.html?page=3623253
http://lw.pennnet.com/Articles/Article_Display.cfm?ARTICLE_
ID=267354&p=13
• Reduced cost of phone calls: The costs of phone The second major benefit of VoIP is increased flexibility
calls via VoIP are minuscule when compared to and location independence. These additional benefits
equivalent calls made over the traditional PSTN. emphasize the advantages to be gained by any
This is because VoIP takes advantage of existing organisation implementing the technology and show
WAN connectivity to remote locations over a that VoIP is more than simply just a way to reduce
dedicated data network or the Internet, thus expenditure. They include:
avoiding any long-distance toll-call charges.
• Improved flexibility: VoIP allows for new helpful
• Reduced maintenance and capital costs: VoIP is features like ‘click-to-call’ that enable a user to
based on software rather than purely hardware, simply click a URL while browsing a web page
therefore it is easier to alter and maintain. that will initiate a call over a VoIP network to an
Furthermore deploying a VoIP network can be attendant.
less expensive when compared with the costs
• Improved productivity: A Virtual Private Network
of deploying a Private Branch Exchange (PBX).
(VPN) combined with VoIP can be used to set
• Simplified infrastructure: Because VoIP up a fully functioning office anywhere there
utilises the same infrastructure as your data is a broadband connection. Furthermore VoIP
network its possible to converge the two, thus treats voice as if it were any other kind of data, so
simplifying the operation and management of users can attach documents to voice messages
the network. This is also advantageous from a or participate in virtual meetings using shared
cost perspective as a single network can carry data and videoconferencing.
both voice and data.
• Location Independence: This allows an
The financial gain provided by VoIP obviously depends individual to have incoming phone calls
on the size of the business and how that particular automatically routed to their office or personal
business operates. One particular business case, VoIP phone number regardless of location. This
provided by Deloitte’s New Zealand, showed the initial is because when using a VoIP network, the user
VoIP setup cost for a medium sized business of 350 only needs to be able to register their location
employees would be close to $225,000. This figure with the VoIP server to be able to receive calls.
includes an incremental capital investment of $125,000
as it would approximately cost $100,000 to replace the
existing analogue system. Once installed the system
There are two major non proprietary standards used for VoIP
communications by many VoIP software applications. They are H.323
and Session Initiation Protocol (SIP).
As VoIP is an IP based technology that utilises the Internet it also inherits all
associated IP vulnerabilities. The impact of these Internet-borne attacks is
then multiplied by the VoIP architecture as it adds a number of additional
weaknesses, which require futher work to secure and maintain. Furthermore,
as with adding any new service to an inadequately secured environment,
is like piercing holes in an already-leaky boat. The following paragraphs
describe the risks and vulnerabilities of VoIP that are firstly, inherited from
IP, secondly, associated with VoIP, and lastly, specific to VoIP.
malicious users.
Re w
su
ltin Flo
gC all
Caller A all in gC Caller B
Flo lt
w su
Re
Malicious User
Zombies
http://voipsa.org/blog/2006/08/28/paris-hilton-hacker-extraordinaire/
http://www.techweb.com/wire/
security/165702369 http://voipsa.org/blog/2006/06/07/hacker-cracks-net-phone-providers-for-gain/
VoIP Spam these. The above paragraphs also emphasize the fact
VoIP SPAM or Spam over Internet Telephony (SPIT) is the that organisations that chose a simplified infrastructure
unsolicited and unwanted bulk messages broadcast for both voice and data could experience disruptions to
over VoIP to particular end users. Not only could this their data networks if an attack was launched against
be extremely annoying (especially when time zones their more vulnerable VoIP network.
are taken into consideration), it also has the potential to
VoIP is a relatively new technology and research
be rather costly where for example, calls are forwarded
regarding its security is very young, in fact it is said
to mobile phones. Another issue arises with SPIT and
to be at the tip of the iceberg. Therefore as additional
the fact that high-volume bulk calls routed over IP are
research is carried out and new vulnerabilities are
very difficult to trace and have the inherent capacity
discovered, it would be important for an organisation
for fraud, unauthorised resource use, and privacy
to consider separating the data and VoIP networks in
violations.
order to avoid a potential business and or operational
Voice mail bombing is a form of SPIT where multiple catastrophe.
(this may entail hundreds or even thousands of) voice
The following paragraphs will look at Skype, which
mail messages flood voice mail boxes. This attack could
is the most commonly used VoIP application on the
result in service disruption or a denial of service attack.
market today.
The first real wide spread phishing attack utilising
VoIP was launched in June 2006 against customers of
the Santa Barbara Bank & Trust in Southern California.
Targets of the scam were sent an official looking email
warning them that their bank account had been locked
as a security measure and asked that the recipient call
the supplied number to verify the account and user’s
identity. When customers called the number they were
greeted with an automated voice system requesting
that they enter their account number and other
personal information.
http://www.eweek.com/article2/0,1895,1985966,00.asp
S kype is a proprietary VoIP system developed by However, there are a number of other factors that
Skype Technologies and released in August 2003. affect the security of Skype. Firstly, the security of
It is the software of choice in the UK, being used by Skype depends on the security of the computer and
48% of VoIP users. Skype, which recorded a record network on which Skype is running. Secondly, because
high of 8 million users online at one time in November Skype uses a proprietary protocol, the only sources
2006, utilises a Peer-to-Peer architecture that relies on a of information regarding any security weaknesses are
central authentication sever to authenticate users and statements from the company and publicly disclosed
software distributions. In addition to this, both user vulnerabilities. Thirdly, because Skype is mostly a peer-
identities and software distributions are digitally signed to-peer system, the overall security can be affected by
by an RSA private key. The resulting RSA public key is third parties that are unknown to those in a particular
embedded into every Skype executable and thus, phone conversation. The latter is possible as problems
provides the basis for voice encryption. have been identified in Skype’s encryption format,
which firstly, allows the execution of man-in-the-middle
Skype does differ considerably from SIP and H.323 in
attacks and secondly, enables the ability for a worm to
the way that it connects clients that are sitting behind
be hidden in the encryption during transmission10.
firewalls. In order to initiate a connection, Skype creates
a rendezvous point, also known as a super-node, which These are not the only concerns that affect the security
ensures NAT’ed users can communicate with each of Skype. Another issue arises in Skype because it is ‘port-
other. A super-node is a computer operating on a public agile’ meaning that if a firewall port is blocked, Skype will
IP address that has the ability to proxy connections to seek other open ports to establish a connection. This
the Skype clients behind the more restrictive firewalls. feature would also allow an attacker, if a vulnerability
Further to this, the total amount of load placed on a was exploited, to use the application to gather further
network when a machine becomes a super-node is information about machines on a network. Therefore,
unknown and it also has the ability to interfere with Skype could provide a back door into otherwise secure
a business’s applications and services. One publicised networks for worms, Trojans, and viruses11.
example showed that while a user’s machine was In addition to the above, it was recently shown that
acting as a super node, Skype was utilising 100kbps Skype could provide botnet controls that could enable
of the company’s bandwidth for both upload and a better way for controlling zombies. What is concerning
download dataflows. about this for an organisation is that any attack (for
Super-nodes are not the only concern of the Skype example a DoS attack) resulting from this technology
protocol. Security is also a major concern, the key may be virtually impossible to identify the perpetrator.
properties being; privacy, authenticity, availability, This is because Skype uses proprietary technology and
survivability, resilience, and integrity (of conversation encrypted data traffic that cannot be easily monitored.
and system).
10 http://www.skypejournal.com/blog/archives/2005/11/five_reasons_
not_to_block_skype_1.php
http://www.eweek.com/article2/0,1895,1985966,00.asp 11 http://computerworld.co.nz/news.nsf/news/
http://www.voipwiki.com/blog/?p=30 1C31DD62E610104ACC2570B40016C985
12 http://www.voipwiki.com/blog/?p=26
While this publication is accurate to the best of our knowledge, CCIP does not accept any
responsibility for errors or omissions. CCIP will not be liable for any loss or damage howsoever
caused, arising from or in connection with the use of information contained in this publication.
Reference in this publication in any manner to any commercial product, process or service does not
constitute or imply its endorsement or recommendation by CCIP. Views and opinions expressed
herein may not be used for advertising or product endorsement purposes.
CENTRE for CRITICAL INFRASTRUCTURE PROTECTION
www.ccip.govt.nz | ph: +64 4 498-7654 | fax: +64 4 498-7655
PO Box 12-209, Wellington , New Zealand