Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Communications Security

VoIP Security Threats Defined 60

Zonorph writes "Information week is reporting that the recently formed industry group Voice over IP Security Alliance (VOIPSA) just published their first draft of a VoIP Security Threat Taxonomy for public comment. From the VOIPSA, 'This VoIP Security Threat Taxonomy is meant to define the many potential security threats to VoIP deployments, services, and end users. Part of the challenge of devising effective VoIP security protections requires first identifying these threats in the first place.'"
This discussion has been archived. No new comments can be posted.

VoIP Security Threats Defined

Comments Filter:
  • "This is fairly easy money, let's think of stuff to keep ourselves busy"
    • Whether it makes money for them is not the issue. The issue is that anything that is transmitted over a public channel is open for analysis, and hence private information need to be secure.

      Its very encouraging to see that they are taking a methodical approach to securing this. It is a hint that people are starting to take security in every public channel very seriously.

      I would very readily give money to someone who makes me more secure about my communications.
      • That may be, but every time I see or hear some stuff about a commission (sp?) like this, they usually waste a sh*tload of money for meager results.

        So please forgive me my cynicism
      • by quarkoid ( 26884 ) on Tuesday October 25, 2005 @06:25AM (#13870504) Homepage
        The issue is that anything that is transmitted over a public channel is open for analysis, and hence private information need to be secure.

        No, that's not the issue. The good old PSTN is public and insecure. The post (snail mail) is public and insecure. If people want to send their information securely, they scramble their phone calls and encrypt (code/cipher/whatever) their post. The same applies to VoIP (VPN, encryption etc.).

        The issue here is cost.

        When a VoIP system is cracked, it costs somebody money.

        The problem here is a lack of understanding on how to secure (*NOT* encrypt) VoIP connections.

        Nick.
        • No, that's not the issue. The good old PSTN is public and insecure

          Just coz it wasn't done doesn't mean it shouldn't have been done. That is why its a good thing that this is happening now. People are taking security more seriously.
        • I just can't let this go unchallenged:

          No, that's not the issue. The good old PSTN is public and insecure. The post (snail mail) is public and insecure.

          Two very bad examples because they are both more secure than standard unencrypted network data.

          * Eavesdropping on classic PSTN requires physical access to the line or switch. If you manage to find network access to a console port, it's possible to copy a data stream from one trunk port to another. You still need to get connected to it somehow.

          * Snail mail

          • * Eavesdropping on classic PSTN requires physical access to the line or switch.

            I can easily listen to my next door neighbour if I really wanted to. Often the telco junction boxes are unlocked or sometimes they are even completely missing their covers in my part of the World.

            * Snail mail conversations also require physical access.

            People work at post offices. People cannot be trusted.

            The potential "men in the middle" in your Internet traffic, are mostly ISP staff. ISP staff, telco staff, post office staff, wh
      • The government wants some security on VOIP because otherwise people will start using secure encryption of their own. Provide simple security by default and most people wont bother with strong methods like VPN which give the government problems exercising their right to monitor their citizens.
      • I would very readily give money to someone who makes me more secure about my communications

        I know it sounds crazy, but how about being secure in your communications? Don't disclose things to people in areas that are insecure. Why does society think it's always up to somebody else to protect us from ourselves?

        Beyond that, companies that study things are hired researchers. They're largely hired to legitimize a predetermined answer; not actually research an answer, for that answer may contradict the company

      • The issue is that anything that is transmitted over a public channel is open for analysis, and hence private information need to be secure.

        Make that "ANY channel which leaves your scrutiny". Even if it does not pass the public.

        Years ago, I was chatting with a friend on the phone and we started talking about our local telco, which I had previously worked for. We were having a bit of a bitch session about how poor their service is, their dodgy workmanship, the incredible profits they make and what a lazy bunc
  • by team99parody ( 880782 ) on Tuesday October 25, 2005 @05:40AM (#13870391) Homepage
    If everyone somehow thinks VOIP on the internet is some magicly secure channel, they'll use it carelessly and lots of security problems will occur.

    If they think it's a public chatroom (like an IRC channel) they'll be careful what they say, and fewer problems will result.

    Same for email - if it were only widely known that email can be forged by anyone and read by anyone, the nigerian spammers wouldn't have any luck finding a mark. But the damn "email security" industry and ISPs set peoples expectations incorrectly and a lot of people get hurt.
    • by Anonymous Coward on Tuesday October 25, 2005 @05:46AM (#13870408)
      Another good example is the comparing VOIP security with the lack of security of the analog phone line coming in your house. Gee, people with alligator clips can tap into the phone lines easily accessible outside your house and listen to your calls.

      Somehow noone get's all excited about those security holes; but somehow computers have some mystical aura that makes people expect them to be locked down to a far greater extent than their physical phone or mailbox. This seems pretty odd, since my physical mailbox gets lots of stuff in it that's far more valuable than my email.

      • But for someone to tap your phone, they have to come with alligator clips to your phone line. This means that someone can't easily "screen" a lot of different phone lines without a lot of manpower. VoIP, on the other hand, could be tapped remotely without intervening with your installation at all, and the process can be automated.
        • This means that someone can't easily "screen" a lot of different phone lines without a lot of manpower. VoIP, on the other hand, could be tapped remotely without intervening with your installation at all, and the process can be automated.

          To remotely tap your Internet connection, this would typically be done at your Internet Service Provider.

          To remotely tap your telephone connection, this would typically be done at your Telephone Service Provider.

          There are lots of points where these things can be eavesdroppe
      • Problem is you can't mass snoop on physical mailboxes, while you can do this on electronic comms.
      • true... but... the problem is physical location. Basically it boils down to connection oriented networks vs. connectionless networks. sure someone can tap a traditional pots line, but they had to be physically "on the line". with VoIP and programs like http://ettercap.sourceforge.net/ [sourceforge.net] this physical domain it extended making it possible for someone to access the path of communications from almost anywhere in the network. I'm not saying that traditional phone security was any better, but VoIP not only suffers
    • If everyone somehow thinks VOIP on the internet is some magicly secure channel, they'll use it carelessly and lots of security problems will occur.

      Actually, while it's not "magically" secure, it would be possible to make VoIP a lot more secure than about any other communication system. Just think encryption, plus the fact that you can say the key fingerprint out loud so that a "man in the middle" would actually need to imitate your voice in real-time in order to gain access. Of course, you're still vulnerab
  • ...I was a child. A bit of packet sniffing here, and they would have known all my secret plans to take over the world!
  • The biggest single threat to the security of VOIP deployments is CALEA mandated backdoors in VOIP services IMHO. This is in effect government mandated exploits waiting to be exploited by others as well. Cisco was only the latest to demonstrated just how well undisclosed backdoors hidden by obscurity really work, but in this case the problem is not one that can later simply be fixed in the code, because it was broken by the law.

    • by Anonymous Coward
      The biggest single threat to the security of VOIP deployments is CALEA mandated backdoors

      Yes indeed. VoIP transmissions can be easily secured with *strong* encryption like RSA or AES with long keys. But governments will prevent it from becoming standard. Of course the caller and callee can make additional arrangements to use strong encryption, when available (ala PGP mail). And in the current political climate, that wil be marked as illegal use too. Sigh :-(.
  • Encryption (Score:5, Insightful)

    by WindBourne ( 631190 ) on Tuesday October 25, 2005 @05:48AM (#13870415) Journal
    The encryption apporach should allow for easier quicker change of algos. We are now playing a game where we are fighting both crackers and govs.
    • Protocols that allow both ends to negotiate what algorithms they use are very hard to get right; they may allow an active attacker to force both ends to use whatever is least secure. The most secure thing is probably to choose good algorithms, and stick to them.
  • C'mon...
    Part of the challenge of devising effective VoIP security protections requires first identifying these threats in the first place.

    Allow me to rephrase:

    Part of the challenge in an undertaking requires understanding why we might consider doing it in the first place.

    Well...duh....

  • by VincenzoRomano ( 881055 ) on Tuesday October 25, 2005 @05:53AM (#13870431) Homepage Journal
    Public VoIP security issues are more or less the same as in the plain old public telephone service.
    If someone really cares about security (and "privacy") issues, she will provide for her own private VoIP service.
    Very few people knows whether the communication will travel safely through the net and related servers.
    Yes, my link to my favourite VoIP carrier is encrypted with a zillion bits encryption key. And what happens after?
    The solution is to avoid using public services for security and privacy concerned communications.
    There is very little to do if you dictate your credit card numbers by phone, whatever technology you use!
    • Yes, my link to my favourite VoIP carrier is encrypted with a zillion bits encryption key. And what happens after?

      And the link from my browser to the webserver of my favorite merchant is encrypted using SSL. Since my merchant uses 3rd party hosting and simply repackages the form information in a plain-text email to get that information from the server back to his store, I guess that solid-lock in my browser is a false sense of security, huh? See "Are Secure Internet Transactions Really Secure?" [jsweb.net], a paper
  • by SecureTheNet ( 915798 ) on Tuesday October 25, 2005 @06:00AM (#13870457) Homepage
    You think the public switched telephone network is any more secure than VOIP? Hackers have been playing around in the phone system since it's inception, via switchboard pranks, then devices like blueboxes, and finally hacking the DMS-100 switch used to route your telephone calls. Free service, free features, unbillable numbers, untracable calls, phone taps, and even controlling dial-in lines to win radio call-in prizes. This is all old hat, and VOIP is simply the new playground.
  • by quarkoid ( 26884 ) on Tuesday October 25, 2005 @06:14AM (#13870479) Homepage
    I run a business which supplies telephone systems. All our systems run VoIP and all can be remotely accessed. It doesn't matter how much I jump up and down about social/network/hardware security, the customers just don't get it.

    Luckily, we do.

    Hypothetical: One of their PCs gets compromised. It runs packet sniffing software which then copies the voice traffic off elsewhere.

    Hypothetical: One of their PCs gets compromised. It runs packet sniffing software which then registers with the switch and proxys external connections out over the customer's PSTN/VoIP trunks, at the customer's expense.

    None of these have happened yet (in fact, one compromised machine we were called in to look after could have given the cracker access to 30 PSTN lines, but was just used for IRC botting), but I'm just waiting for the day when the customer's trunks are attacked. Of course, when this happens, there is a tangible cost element (in terms of the telco charges for the calls made).

    The worrying thing is that there are a number of telecomms wannabees starting up. These are typically IT companies who are seeing their margins disappear and wanting to branch out. These people are mainly selling Asterisk or some form of virtual PBX service. Sadly, these people don't understand telecomms and (much to my surprise), don't appear to understand basic network protocols and terminology (let alone security). These are the companies who'll give VoIP a bad name and who'll cost their customers a fortune.

    Luckily, as with IT, when the sh1t hits the fan, companies like ours will be there to sort it out (and make more money from sorting it out than we would have done in the first place).

    Ho hum.

    Nick.
    • Can you describe your systems a bit more. I'm wondering why on earth the VOIP devices and servers are locally network accessible much less remotely? They should be on their own internal vlan and isolated as much as possible (eg strong network ACLs). Or are these VOIP systems integrated with the PCs somehow or the gateway/callmanagers located off-site? Personally, I'd never hire a VOIP specialist who sets up insecure systems such as you just described.
  • Security? (Score:4, Informative)

    by el_womble ( 779715 ) on Tuesday October 25, 2005 @06:21AM (#13870496) Homepage
    We're all IT pros or enthusiasts right? Are any of us really under the impression that anything is really secure? Given enough time and resources anything can be cracked - and if its not the computer system its the users that are the weakest link.

    If you need to believe that what you are saying is secure, or need to advise people that need to believe that you can secure things, surely thats what you tell them.

    VoIP is has a few killer advantages: reduced costs, CD quality sound, potential to expand to video and REDUCED COSTS.

    The security surrounding it may stop pesky neighbourhood kids splicing into your phone line and listening in, but there is NO technology that will prevent a dedicated and skilled cracker from listening into anything you broadcast or keep on your computer. But they are few and far between and I like those odds (its not as if I have any real secrets). What really bothers me about this is the idea of government mandated backdoors.

    How can a country that gives its citizens the right to bear arms and form militia not see that in the information age encryption is the next Smith and Western? In that respect its not designed to stop the police from arresting you, or to help you rob banks. Sure you can use it for such, but thats not what it was designed for, it is designed to help you protect yourself, your family and your possesions and act as a deterent. Just don't expect your six-shooter to defend you from a trained assasin.

    I live in the UK, so I don't carry a gun (not that I would in the US either), but I do lock my house and my car - and I don't give the police a master key unless they ask me and provide a warrant. Thats fair. Builders don't look the other way whilst the police come on site and install a special secret door that only they can use and the reason that doesn't happen, is because there would be two sets of people that have the key, the police and the criminals. Its the same with encryption.
    • Re:Security? (Score:3, Informative)

      by Detritus ( 11846 )
      The security surrounding it may stop pesky neighbourhood kids splicing into your phone line and listening in, but there is NO technology that will prevent a dedicated and skilled cracker from listening into anything you broadcast or keep on your computer.

      With a secure telephone, like a STU-III [wikipedia.org], your hypothetical "dedicated and skilled cracker" is hopelessly outclassed.

      • Even in the wikipedia article that you cite, they say that there is a chance, although there are no confirmations, that the STU-III has been hacked. But thats not really my point here. Even if the hardware is secure, the human element is open to attack: "Everybody breaks on the third day".

        From what I understand of cracking, you always take the path of least resistance. If cracking the encryption is hard, you think outside the box and use other technologies to get what you want, lazer listening devices, mole
  • Let's face it: you can add all the security you want, but a determined thief/hacker/criminal will always find a way in. Always. Protect yourselves as much as you can, yes. Just don't expect anything to be 100% secure forever.

    Looking at the VOIPSA Wiki [voipsa.org], there is a section entitled "Social Threats." Naively I assumed this section would cover things like social engineering, telemarketing, etc. Instead it has such gems as "Modern interactive communication systems can include more than two people in a sessio

    • "Modern interactive communication systems can include more than two people in a session and people can move fluidly from role-to-role, including: initiating contact; joining communication in progress; accepting contact; terminating communication in progress; refusing contact."

      This needs to be explained?

      As a security person, I should think so, yeah. Because if we don't explicitly model these activities, then we may end up leaning heavily on weak or even false assumptions for our security. Worse, any po

  • Australian media are simplyfying the term "VoIP" to just "voice over internet", considered to be easier to understand. Additionally, "vee~owe~eye" is, i consider, more inclined for common usage (ie outside of power user zones) than "vooipp", as the latter is a very quickly spoken word that does not illict the same visual body motions of the lower face which are much easier to lip read. oh, and of course that acronym would be so much sweeter...VoISA...mmmm
  • This will probably get bashed to high heavens, but Skype recently got their software reviewed [skype.com] by an independent security expert. Favourably.
    • This will probably get bashed to high heavens, but Skype recently got their software reviewed by an independent security expert. Favourably.

      ITYM Skype say that they recently got the encryption code that they say is part of their software reviewed by someone they say is an independant security expert.

      And the "review" document was written by Skype based on the summary of the report. It says so on their site.

      In other words, this will only make you trust their software if you already trust them.

      Maybe you can t
  • by matth ( 22742 ) on Tuesday October 25, 2005 @07:34AM (#13870725) Homepage
    It never fails to amaze me that people are ready to jump on VoIP as being "insecure" when infact it is probably more secure then your POTS line. To tap into a POTS line all you need is a butt set. Climb your local pole (and look like you should be) and no one will question you. Or walk up and place a tap on the CO NID outside a building. If it's a business, look like you should be there, and again no one will question you.

    To actually tap VoIP you need to be in the path of the packet somewhere. It isn't like you can just hack a server and sniff the traffic. You'd actually need to be on a router someplace, and have some way to get the packets off the router and into some form that you could make into an audio file.... Yeah, which would you do?
  • Today's voice telecom network is relatively easy for governments to listen in on. Fearful governments who can only maintain power by limiting access to information will not be quick to give that up. The two examples that come to mind for me are the Peoples Republic Of China and Iran. Both of these governments are afraid of simple dissent and griping. Even the USA government is afraid of what will happen if they cannot wiretap phone calls between terrorists.

    A voip system that uses assymetric encryption
    • Imagine that my brother and I exchange public keys and keep our private keys private. What can the government do to crack our phone call if doing so requires the private keys that we are smart enough not to share?

      Anything can be cracked given time and money. The issue comes down to does the government think what you communicated is worth their time and money.

  • Part of the challenge of devising effective VoIP security protections requires, to begin with, first identifying these threats in the first place, for starters, at the outset, initially.
  • You might wanna read this article [itmanagersjournal.com] as well. It offers a great introduction to the VoIP security issues.
  • With any sort of telco system there are two distinct areas of security. First is the security of the equipment. If crackers gain access to your equipment (in the case of VoIP your servers) they can cost you a lot of money. The second is security of the conversation, if crackers/government can eavesdrop on your conversations it may cost you in other ways.

    The PSTN is somewhat secure in the first area and totally insecure in the second. In my opinion the VoIP world needs to work on the security of equipme

Brain off-line, please wait.

Working...