The convergence of voice communications and data networking enabled by VoIP and unified communications has provided more powerful networking capability. But at the same time, it has created special secuirty challenges, wrote Kindervag in his report "Dial “H” for Hack".
“The fact that communications are unified and merged create a set of security challenges that often are overlooked”, Kindervag told Infosecurity. “Now you can use the regular telecommunications network to exploit the data network in many ways.”
Two ways hackers can exploit the network are “hopping” and “sniffing.” Attackers can use VLAN-hopping attacks to exploit the weaknesses in the layer 2 protocols to move between virtual local area networks (VLANs). By moving between VLANs, an attack may be able to use the VoIP system to gain access to critical data such as credit card numbers and financial data.
“Getting from a lobby telephone into your main ‘toxic’ data that you don’t want to let outside is a pretty significant risk”, he said.
Sniffing entails eavesdropping on unencrypted voice traffic. Hackers with access to VoIP can capture voice traffic with a sniffer tool, such as Wireshark, and convert the packets into a media file using a tool such as voice over misconfigured Internet telephones (VOMIT), Kindervag explained. This enables hackers to listen in on sensitive voice communication.
“VoIP has become an attack surface just like a web page…There are some researchers who think you can do cross-site scripting or other web-based type of attacks against SIP [session initiation protocol]”, he said.
Despite the risks, many organizations seem to be unaware of the security challenges. “In many ways, the people who are deploying unified communications systems are just so enamored with it that they forget to ask about security”, he said.
Kindervag offered a number of solutions to reduce the security risks of VoIP. “The solutions are multifunctional. You need to employ encryption internally on your unified communication traffic. You need to deploy [intrusion prevention systems] and firewalls internally that are VoIP aware and understand these attacks….You need to be especially careful when you are doing SIP trunking because you are extending your network to everybody, including a lot of potential hackers.”
The most important things to combat VoIP security threats are to be aware that the problems exist and to encrypt VoIP traffic, Kindervag stressed.