Voice of VOIPSA

Blue Box podcast #53 is now available covering a range of topics, including a listener’s suggestion for the Skype multiple login issue, Cisco’s IP phone security advisories, network neutrality, EU privacy legislation and, yes, we covered that wacky story about smokers being a threat to VoIP because we just had to… plus the usual listener comments, VOIPSEC review and other VoIP security news. Detailed show notes, links and more over at the Blue Box site.

At O’Reilly’s 2007 Emerging Telephony conference last week in San Francisco, I had the opportunity to give a 15-minute presentation to all attendees about VoIP security. Rather than doing the traditional slideware outlining the threats, tools, best practices, etc., I tried to do something very different and simply tell a story of what could happen if a VoIP system were installed in an insecure manner – and how to go about securing that system. I tried to make it interesting and humorous (something not often tied to VoIP security) and the feedback at the show was quite positive. The audio and slides are now available over at Blue Box and I’d definitely be interested in any feedback you all have about the presentation, either in content or style.

That’s the question Dean Takahashi asks in a column in today’s San Jose Mercury News titled: Wiretapping could stifle VOIP technology. It is not entirely clear to me why Takahashi is writing this today given that there does not seem to be any real “new” news…. but with a headline like that and in the Mercury News, it is bound to get some attention over the next few days. Takahashi points out that US VoIP service providers that connect to the PSTN much comply with the FCC regulation by May 14, 2007 but that pure Internet peer-to-peer/p2p services like Skype are currently exempt. He does provide this teaser:

But it appears from its legal maneuvers that the FBI may also want to find a way to tap peer-to-peer calls, the ones that bypass the telephone system. And the FCC’s analysis of the FBI request suggests it might go along with a move to require wiretapping on any new Internet communications system.

Which leads to the obvious question of how a p2p system would actually do this… which leads to the opinion that some centralization would be required… which leads to the conclusion that this could therefore kill p2p VoIP systems in their true p2p form. The article refers people over to the Center for Democracy and Technology CALEA page where the CDT has copious amounts of info about CALEA (obviously from their point-of-view). Takahashi concludes with:

We have to balance the need to enforce laws with the need to move technology forward and at the same time protect our privacy. If we hobble technology to help law enforcement, we make ourselves vulnerable, not safer.

We faced this kind of issue in the early 1990s, when the debate was about whether to allow encryption technologies strong enough to hide data from the government. The government later decided to allow strong encryption to be used unencumbered, particularly as the technology was allowed overseas. The outcome here may be the same.

Given that VOIPSA is a global organization that encompasses a wide range of companies, people and geographic regions, its not really our place as an organization to wade into the debate of legislation in one particular country. But it is definitely a matter that does merit discussion and attention. There are very legitimate needs by law enforcement. There are also very legitimate privacy concerns – and security concerns. Where do we as nations, companies and individuals strike the balance?

Over on the Best Practices mailing list, I have now issued a last call for comments on the structure of the document. The document structure question is outlined on the Development Process page in the VOIPSA wiki. Right now all signs point to a near-consensus on using proposal #2 to structure the document around functional areas… but I asked yesterday for any final comments.  Barring any last-minute cascade of outrage and desire for another structure, I’ll make the decision tomorrow morning and we’ll get down to work.  Comments can be left here on the blog, if you want, but the best place to probably route them is the mailing list.  Thanks.

Yesterday the VoIP News web site posted a feature article: How Secure Are Your VoIP Calls? It includes quotes from both Jonathan and myself and generally makes the points we’ve made both here and on Blue Box around VoIP security. Overall a good article with only a few minor nits to pick:

• The question I would generally suggest customers ask their enterprise vendor is “What do you do to secure voice communication over the LAN?“
• I don’t know that I would have said enterprise phone systems were “enterprise stuff” but hey, you get the idea.
• In the second bullet at the end, the point is to ensure that call control is encrypted or otherwise protected. Many people first think of encrypting voice because eavesdropping is something easy to understand – and they don’t think about call control. Yet you could argue that call control is perhaps more important because far more devious things can be done if you can corrupt call control.
• Unless he’s holding out on us, Mark Collier does not write the VoIP Lowdown blog that had this list of VoIP security challenges. In fact, if you note, Mark commented on the article (and perhaps because he was the last commenter someone assumed he wrote the blog). Mark actually writes over at www.voipsecurityblog.com (where I note he has a nice new header image and picture) as well as here on this blog once in a while. He actually has a post on his blog pointing over to this list on VoIP Lowdown.
• It’s actually not entirely clear from the post who did write that list at VoIP Lowdown, but on this page it states that the writer was Pushpa Sathish, who is also the person now having a byline on all the new posts since that time (which is good because it will save them this attribution issue in the future).

Again, relatively minor details in the grand scheme of things (although Pushpa Sathish may not appreciate the attribution going to Mark) and a good contribution to the overall conversation on VoIP security.

Thanks, VoIP News, for running the feature story!

Another podcast to note… Canadian analyst Jon Arnold interviewed me for his Canadian thought leaders podcast series all about… gee… VoIP security! (Yes, okay, so I no longer live in Canada, but I did live there for most of 5 years and I still work for a Canadian company.) We had a great chat about VoIPSA, Blue Box, VoIP security in general and my views on some of the current vulnerabilities to VoIP. It runs about 19 minutes or so and you can get it from the link on Jon’s blog.

Blue Box Podcast #47 is now available for download. In this show, Jonathan and I talk about some of the recent articles and reports hyping VoIP security, recent comments from SANS about the need for better VoIP security training, moves by the Indian government to block Skype and other VoIP services and much, much more. Tons of listener comments in this show… probably the most we’ve ever had. See the show notes for all the links and info.

I am pleased to announce that the VOIPSA Best Practices project will be kicking off this week. As noted in the project description, the goal is to gather into one document the core set of “best common practices” that can be used to address the threats to VoIP that were outlined in the VoIP Security Threat Taxonomy project. I’m still making some changes to the wiki in advance of the formal project kickoff, but right now you can subscribe to the best practices email list if you would like to assist in the project. All are welcome, regardless of experience level. If you don’t want to join a mailing list, updates will be posted here on this blog from time to time.

The October edition of Internet Telephony Magazine (free download can be found on the TMC website) names the 100 Top Voices of IP Communications.  A nice list of industry thought leaders, including VOIPSA Chairman, David Endler.

The same issue also has an article about CALEA, if that floats your boat. 

 

Today SANS announced the 2006 version of their annual “Top-20 Internet Security Attack Targets” and for the first time, VoIP is included as one of the threats. The press release identifies six major trends in attack patterns and includes this:

5. VOIP (Voice over Internet Protocol) attacks used now to make money by reselling minutes and potentially for injection of misleading messages and even for creating massive outages in the old phone network.

The press release contains an “Expert Analysis” section with a contribution from Rohit Dhamankar, senior manager of security research at TippingPoint, that states:

Last year we saw many remote code execution vulnerabilities in Asterisk, a popular VoIP server that is being used by mid to large size companies. The FBI reports many VOIP systems are being compromised so criminals can sell minutes and leave the bill with the victim. But that’s not my major concern.

The VoIP system marries the IP network with the old-style phone network (SS7). The latter has not been accessible to hackers on an easy basis prior to the VoIP deployments. By compromising a VoIP server, an attacker now has the ability to inject bad messages in the phone network. One may ask, what would that do: The most disastrous consequence can be bringing down the old phone network.

A crash that happened in 1990 brought down a phone system for 9 hours -
http://www.cs.berkeley.edu/~nikitab/courses/cs294-8/hw1.html

Although the 1990 outage was not due to a cyber attack, such an attack is feasible in the near future by controlling a VoIP server.

While we all can debate whether a VoIP attack today could actually bring down the PSTN, the potential (however large or minute) is certainly out there and the larger point is that, as we have been saying here for quite some time, there are very real issues within VoIP security that do need to be addressed. Many, if not most, of those issues have solutions or ways to be mitigated, but doing so does involve some work and typically configuration changes, network improvements, etc.

The section on VoIP in the SANS Top 20 includes this text:

VoIP technology has seen rapid adoption during the past year. At the same time, there has been an increase in security scrutiny of typical components of a VoIP network such as the call proxy and media servers and the VoIP phones themselves. Various products such as Cisco Unified Call Manager , Asterisk and a number of VoIP phones from various vendors have been found to contain vulnerabilities that can either lead to a crash or a complete control over the vulnerable server/device. By gaining a control over the VoIP server and phones, an attacker could carry out VoIP phishing scams, eavesdropping, toll fraud or denial-of-service attacks.

Since many VoIP servers especially the ones at VoIP service providers are an interface between SS7 (traditional phone signaling) and IP networks, an attacker capable of compromising a vulnerable VoIP server could even potentially manipulate the SS7 signaling interconnection to disrupt services on the Public Switched Telephone Network (PSTN).

The section goes on to list CVEs related to Asterisk and Cisco Call Manager, and then includes a section on ways to mitigate those vulnerabilities. (Which is good input into the VoIP Security Best Practices project we are about to launch.)

It is great to see SANS putting the spotlight on VoIP, and we within VOIPSA look forward to continuing to work with people all across the industry to both point out the vulnerabilities in VoIP and also to help identify solutions to address the concerns.

(If you are just finding VOIPSA as a result of the SANS Top 20, you may want to look at the VoIP Security Threat Taxonomy that we developed last year. You may also wish to sign up on the mailing list for our VoIP Security Best Practices project that is about to launch.)

UPDATE: I should also note that the SANS Top 20 list also includes a section on “Phishing“, which does mention VoIP phishing as well.

P.S. Many thanks to the Blue Box podcast listener who sent in word that the SANS Top 20 had just been released this morning.