SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. The press release identifies six major trends in attack patterns and includes this:

5. VOIP (Voice over Internet Protocol) attacks used now to make money by reselling minutes and potentially for injection of misleading messages and even for creating massive outages in the old phone network.

The press release contains an “Expert Analysis” section with a contribution from Rohit Dhamankar, senior manager of security research at TippingPoint, that states:

Last year we saw many remote code execution vulnerabilities in Asterisk, a popular VoIP server that is being used by mid to large size companies. The FBI reports many VOIP systems are being compromised so criminals can sell minutes and leave the bill with the victim. But that’s not my major concern.

The VoIP system marries the IP network with the old-style phone network (SS7). The latter has not been accessible to hackers on an easy basis prior to the VoIP deployments. By compromising a VoIP server, an attacker now has the ability to inject bad messages in the phone network. One may ask, what would that do: The most disastrous consequence can be bringing down the old phone network.

A crash that happened in 1990 brought down a phone system for 9 hours –
http://www.cs.berkeley.edu/~nikitab/courses/cs294-8/hw1.html

Although the 1990 outage was not due to a cyber attack, such an attack is feasible in the near future by controlling a VoIP server.

We can all debate whether a VoIP attack today could actually bring down the PSTN, but the potential, however large or small, is certainly there, and the larger point is one we have been making here for quite some time: there are very real security issues within VoIP that need to be addressed. Many, if not most, of those issues have solutions or mitigations, but applying them does take work, typically configuration changes, network improvements and the like.

The section on VoIP in the SANS Top 20 includes this text:

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager, Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

The section goes on to list CVEs related to Asterisk and Cisco Call Manager, and then includes a section on ways to mitigate those vulnerabilities. (Which is good input into the VoIP Security Best Practices project we are about to launch.)

It is great to see SANS putting the spotlight on VoIP, and we within VOIPSA look forward to continuing to work with people all across the industry to both point out the vulnerabilities in VoIP and also to help identify solutions to address the concerns.

(If you are just finding VOIPSA as a result of the SANS Top 20, you may want to look at the VoIP Security Threat Taxonomy that we developed last year. You may also wish to sign up on the mailing list for our VoIP Security Best Practices project that is about to launch.)

UPDATE: I should also note that the SANS Top 20 list also includes a section on “Phishing”, which does mention VoIP phishing as well.

P.S. Many thanks to the Blue Box podcast listener who sent in word that the SANS Top 20 had just been released this morning.

5 thoughts on “SANS Top 20 Internet Security Attack Target List for 2006 includes VoIP for the first time”

  1. Shawn Merdinger

    I find it very interesting that SANS is now recommending folks run security tools like PROTOS against their VoIP products. This could indicate the beginning of a new level of due diligence in IT shops.

    One of many potential issues concerns the complexity of these fuzzing tools. Aside from setup and running them correctly, there’s also the very challenging aspect of determining *exactly* what the attack causing the problem actually was — for example, running these VoIP fuzzer test cases in different ways (forward, backward, random) can place a device under test in a strange one-off state. An example of this is from the README in J. Oquendo’s recently released Asteroid SIP tool: http://www.infiltrated.net/asteroid/

    “Anyhow, I have found that by sending a certain sequence of these packets, in a certain order, servers react differently. Sometimes it will crash faster, sometimes more extensions are subscribed, etc, etc. I will not post any sequencing until vendors have patched their programs against this lame attack but, I will release the packet samples I’ve been working with.”

    For those about to embark on this brave new world of customer-done QA, a “first run” of SIP tools I’d suggest running against your SIP device is the SIPSAK tool with some of the flooding options, the PROTOS SIP suite, the Asteroid suite, and ISIC (udpsic and tcpsic) against the SIP ports.

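Shawn’s comment above points at the practical problem with fuzzing a SIP device: knowing exactly which case, sent in which order, knocked it over. As an added illustration (this is not code from the post, nor from Asteroid, PROTOS or sipsak), here is a small deterministic SIP fuzz driver in Python: every case is derived from a seed and an index, carries that index in its own SIP headers, is logged before it goes on the wire, and is followed by an OPTIONS liveness probe. The target and source addresses (192.0.2.10 and 192.0.2.20), the mutation list and the single-probe liveness rule are assumptions made for the example.

```python
import random
import socket

# Assumption: RFC 5737 documentation addresses stand in for the fuzzing host and
# the device under test; point TARGET at a lab device, never at production.
TARGET = ("192.0.2.10", 5060)
SOURCE = "192.0.2.20"
CRLF = "\r\n"

def build_request(method, uri, headers, body=""):
    """Assemble a SIP request from (name, value) pairs; Content-Length follows the body."""
    lines = ["%s %s SIP/2.0" % (method, uri)]
    lines += ["%s: %s" % (k, v) for k, v in headers]
    lines.append("Content-Length: %d" % len(body))
    return CRLF.join(lines) + CRLF + CRLF + body

def baseline_headers(method, index):
    """Well-formed headers; the case index is stamped into Via, From and Call-ID
    so a packet capture or the target's own log names the case that hit it."""
    return [
        ("Via", "SIP/2.0/UDP %s:5060;branch=z9hG4bK-%d" % (SOURCE, index)),
        ("From", "<sip:fuzz@%s>;tag=f%d" % (SOURCE, index)),
        ("To", "<sip:100@%s>" % TARGET[0]),
        ("Call-ID", "case-%d@%s" % (index, SOURCE)),
        ("CSeq", "1 %s" % method),
        ("Contact", "<sip:fuzz@%s:5060>" % SOURCE),
        ("Max-Forwards", "70"),
    ]

# Mutations take (headers, body, rng) and return the altered pair. The set is an
# assumption: a few classic parser-breakers, not the PROTOS test material.
def m_long_value(h, body, rng):
    i = rng.randrange(len(h))
    h[i] = (h[i][0], "A" * rng.choice((300, 2000, 8000)))
    return h, body

def m_format_string(h, body, rng):
    i = rng.randrange(len(h))
    h[i] = (h[i][0], h[i][1] + "%s%n%x%n")
    return h, body

def m_drop_header(h, body, rng):
    del h[rng.randrange(len(h))]
    return h, body

def m_bad_cseq(h, body, rng):
    bad = rng.choice(("-1 INVITE", "99999999999999999999 INVITE", "x INVITE"))
    return [(k, bad if k == "CSeq" else v) for k, v in h], body

def m_sdp_overflow(h, body, rng):
    h.append(("Content-Type", "application/sdp"))
    return h, "v=0" + CRLF + "o=" + "B" * rng.choice((1000, 6000)) + CRLF

MUTATIONS = (m_long_value, m_format_string, m_drop_header, m_bad_cseq, m_sdp_overflow)

def gen_case(seed, index):
    """Deterministic: (seed, index) always yields the same bytes, so a crashing
    case can be regenerated and replayed on its own."""
    rng = random.Random((seed << 32) | index)
    headers, body = baseline_headers("INVITE", index), ""
    for _ in range(rng.choice((1, 2))):           # one or two mutations per case
        headers, body = rng.choice(MUTATIONS)(headers, body, rng)
    return build_request("INVITE", "sip:100@%s" % TARGET[0], headers, body).encode("latin-1")

def case_order(count, order, seed):
    """Forward, backward or seeded-random order; as noted above, order changes what breaks."""
    idx = list(range(count))
    if order == "backward":
        idx.reverse()
    elif order == "random":
        random.Random(seed).shuffle(idx)
    elif order != "forward":
        raise ValueError("order must be forward, backward or random")
    return idx

def udp_send(payload, target=TARGET):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, target)

def udp_probe(target=TARGET, timeout=2.0):
    """Liveness check: a clean OPTIONS should draw some SIP reply; silence means 'down'."""
    req = build_request("OPTIONS", "sip:%s" % target[0], baseline_headers("OPTIONS", 0))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req.encode("latin-1"), target)
        try:
            return s.recvfrom(4096)[0].startswith(b"SIP/2.0 ")
        except socket.timeout:
            return False

def run_campaign(seed, count, order, send=udp_send, probe=udp_probe, log=None):
    """Send cases in the chosen order, probing after each one. Returns (indices sent,
    index after which the probe first failed or None); each case is logged before it goes out."""
    sent = []
    for idx in case_order(count, order, seed):
        case = gen_case(seed, idx)
        if log is not None:
            log.append((idx, case))   # a hung or rebooting target cannot erase this record
        send(case)
        sent.append(idx)
        if not probe():
            return sent, idx
    return sent, None
```

Run it as run_campaign(seed=1, count=200, order="random", log=cases) against a lab device. When the probe first fails, the returned index plus gen_case(seed, index) reproduces the exact packet, and the saved log gives the exact sequence that preceded it, which is what a vendor report needs. A single lost UDP reply would show up as a false “down”, so in practice retry the probe once or twice before declaring a crash.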
