igor - Fotolia
Security teams are struggling to keep pace with the growing number of exploits of vulnerabilities in the voice over internet protocol (VoIP) available to cyber attackers, researchers warn.
“A lack of understanding of modern VoIP and UC security means that many service providers and businesses are leaving themselves at risk to threat actors repurposing this exposed infrastructure for attacks such as botnets, malware distribution, vishing, denial of service attacks and toll fraud,” according to Fatih Ozavci, a managing consultant with Context Information Security.
At the Black Hat security conference in Las Vegas, which ends on 4 August, Ozavci highlighted potential vulnerabilities in major UC product suites and messaging platforms. The vulnerabilities allow hackers to bypass security measures, inject malicious content to messaging, spoof caller identities and bypass billing, along with problems caused by insecure configurations.
“By exploiting these vulnerabilities, attackers could gain unauthorised access to client systems or communication services such as conference and collaboration, voicemail, SIP trunks and instant messaging,” said Ozavci.
His Black Hat presentation highlighted weaknesses in UC messaging, federated communications and collaboration services that could be used to gain unauthorised access to the UC environment and client systems, as well as to attack client systems through signalling protocols and messaging.
“These attacks can be used to compromise the client systems connected using protocol and software vulnerabilities,” said Ozavci, adding: “Dial plans, misconfigured SIP trunks, conference and network infrastructures are also major targets for advanced attacks.”
The Context IS researcher has also looked at media transport protocols such as the secure real-time transport protocol (SRTP) for voice calls, file, desktop and presentation sharing.
Read more about VoIP security
- VoIP security is, in some ways, a sleeper issue compared to the problems of botnets and malware.
- Among the key exposures of VoIP systems are traditional hacks such as intercepting and decoding VoIP traffic and impersonating a party in a VoIP exchange to collect data.
- There are many free and commercial tools on the market that are used by developers which can also be used to attack VoIP components.
The media transmitted may have confidential or sensitive information, which can be an object of PCI, Cobit or compliance requirements such as credit card information on calls to interactive voice response (IVR) services or customer privacy information.
“Due to insecure encryption and design issues, sensitive information in the media that’s been transmitted can be exposed and compromised,” said Ozavci.