Hacking Exposed VoIP: Voice Over IP Security Secrets & Solutions was written to arm admins with hack-stopping tools. Written by Mark Collier, CTO at SecureLogix Co., and David Endler, chair of the VoIP Security Alliance (VoIPSA) and director of security research at 3Com's TippingPoint security division, Hacking Exposed VoIP is a one-stop primer for locking down VoIP systems from attack.
"There really, at the time, weren't a lot of resources out there that people could get their hands on about VoIP security," Collier said of the genesis of the project, adding that there were even fewer resources dealing with enterprise VoIP systems. And recent research indicates that the book hits just at the right time. The SANS institute named VoIP as one of the most potent threats to the corporate network, and InStat-MDR indicated that the number of UP phones sold will grow from 9 million in 2006 to 45.8 million in 2010.
The book, Collier said, combines detailed examples of how a VoIP system could be hacked and a host of "practical countermeasures" to keep it safe.
The book chronologically follows a potential hack through the process, first detailing the physical footprinting, scanning and enumeration of a system. From there, different types of attacks are exposed, from denial of service to eavesdropping to network and application interception.
"Denial of service is probably the most prevalent threat today to VoIP networks," Endler said. "A VoIP system has so many moving parts and has very strict network requirements. There are a lot of evil things you can do."
For example, if a company's VoIP system is under a denial-of-service attack and someone tries to send an email, that email could take several hours, Endler said, because the network is flooded with additional traffic.
The authors created tools for man-in-the-middle attacks and built an application that can be inserted between the SIP phone and SIP proxy, allowing the manipulation of audio. For example, calls can be dropped or rerouted or background noise can be added.
Collier said that he and Endler also compared attacks perpetrated against VoIP systems from specific vendors in order to determine vendor-specific best practices. They put Cisco CallManager, Avaya Communication Manager, Asterisk, and some emerging softphone technologies to the test to see how they'd weather an attack.
"One thing to keep in mind is [that] the enterprise-class offerings from the major vendors are securable, but out of the box they aren't secure," Collier said. While he wouldn't specifically say which vendor fared best under rigorous testing, he did say that all of them have their share of weaknesses that network and VoIP admins should be aware of. He added that there are many simple things that can be done to fully lock down any vendors' VoIP offerings.
"Every platform has different issues," he said. "Cisco and Avaya both take security seriously. The bottom line is if you follow their recommendations and know what you're doing, you can set up a pretty secure system. It's the know-how and desire to do it. Also, it's the budget to do it right."
Budgeting for an extra 10% to 20%, Collier said, can make the difference between a VoIP system that can be attacked and one that is locked down.
"This is a fairly new technology," he said. "Sometimes it makes sense to bring in a third party and do an assessment."
Hacking Exposed VoIP also examines VoIP session and application hacking, or attacks on the protocols that can give potential intruders full control over VoIP application traffic without any direct access and reconfiguration of the host or phones deployed. These types of attacks include fuzzing, flood-based disruption of service and manipulation of VoIP signaling and media.
One voice phishing attack that has already been identified is much like an email phishing attack, Endler said. A user gets an authentic-looking email from PayPal questioning account information. Instead of directing the user to a bogus PayPal mock-up Web site, the email prompts him to call a phone number. Once that number is called, a recording asks the caller to enter his account number. Later, a hacker comes back and reconstructs the touch tones recorded by the back-end VoIP system to recover account information.
To educate yourself and learn how to thwart VoIP-related hacks and attacks, see Endler and Collier's 20 newly released downloadable tools for many of the attacks outlined in the book, ranging from denial of service to audio eavesdropping to adding sounds to an active VoIP conversation. Collier said more tools are on the way.
"Over the next couple of years, there will be an increase in attacks," Collier said. "Hopefully, we will also see more tools."
"In a way, we're using our crystal ball," Endler added. "Threats in 2007 will continue to emerge and take hold. The trick is to stay ahead of them."