New Security Concern: VoIPBy John Parkinson | Posted 11-05-2008
Another day, another cybersecurity challenge.
Every time I deploy some new and potentially valuable networking technology, I must first research what new vulnerabilities and threats using that technology adds to the stack that already exists. Then, I need to find new weapons in the unending fight against the bad guys.
My latest security concern is IP telephony. I'm looking to leverage the benefits of adding Voice over IP to our unified communications stack sometime in the next year. Following my generally paranoid program evaluation approach, I sent one of my network teams out to look for problems, while I tasked another team to search for the best answer to meet our business needs. I used two distinct teams because I wanted an objective assessment of both issues.
We knew that the signaling protocol VoIP uses to set up a call can be spoofed, and we also knew what we could do about that. But we were surprised to discover that the payload of a VoIP call--the digital content in an IP packet that carries a portion of the digitized voice during a call--also can be spoofed.
In effect, you can set up a call and then use the fake call path to send data out of the enterprise. Because an IP phone is just a computer with a digital-to-analog converter, a microphone and a speaker, the end point can grab the fake call packets and rebuild the original data as a file.
Not only must I ensure that a call goes to a real person, I also have to make sure the call content is a digitized voice and not something else--something I don't want leaving the premises. I can tell that the IP address belongs to someone who has a directory entry for IP telephony service, but there's no guarantee that I am connecting to a phone. So-called soft phones are in widespread use and are available in open source form, which makes them easy to extend in order to add capabilities to reassemble packets into something other than an audio stream.
In a unified communications environment, I often don't know the phone number of the person I'm calling. I just select their name from a directory list and click "call." So I must ensure that all directory entries are valid, which is not an easy task when my directory may have several million entries in it, and 10 percent of them change every month.
Beyond that issue, however, I must check the payload of every VoIP packet and figure out if it's just digitized voice or something else. Then I can decide what to do with it--either pass it on if it's okay or trigger some additional investigation if it's not. This must be done for all VoIP traffic, in and out of the enterprise, because this little gem of a spoof is a great way to deliver things that must be kept out, as well as steal things that must be kept in.
The good news is that we found a very clever piece of software that can reliably tell the difference between digitized voice and something else. The bad news is that I have to buy, deploy, maintain and manage yet another piece of technology just to make VoIP calls safe. It's another tax on operations--one that reduces the advantage I get from VoIP.
Oh well, on to the next threat.