{"id":1237,"date":"2009-03-13T18:49:37","date_gmt":"2009-03-14T02:49:37","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=1237"},"modified":"2009-03-13T18:50:08","modified_gmt":"2009-03-14T02:50:08","slug":"security-review-voip-communication","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/03\/13\/security-review-voip-communication\/","title":{"rendered":"Security Review: VoIP Communication"},"content":{"rendered":"<p>Over the past five years or so, voice over IP has rapidly gained in popularity and use.\u00a0 It touts cheaper calls for residential users and corporations can save big because additional extensions on a VoIP infrastructure are less costlythan their traditional phone system counterparts.\u00a0 VoIP uses the same data lines as IP traffic to transmit voice.\u00a0 As such, it faces many of the same security issues as digital data.<\/p>\n<p>Assets:<\/p>\n<ul>\n<li>Reliable, time-sensitive communication: No matter how much of our global communication is moving to text-based solutions, telephone calls are still the best way to communicate quickly<\/li>\n<li>Privacy: Users disussing sensitive information want the content of their conversation to be accessible only to the intended parties.<\/li>\n<\/ul>\n<p>Adversaries:<\/p>\n<ul>\n<li>Digital phreakers:\u00a0 Phreakers in the days of analog phones exploited phones to be able to make free calls.\u00a0 Similar feats have been accomplished with VoIP systems.<\/li>\n<li>Company rivals: They might seek to bring down a company&#8217;s communications to\u00a0 reduce their ability to handle business.<\/li>\n<li>Profiteers: Can hold a company&#8217;s communications ransom<\/li>\n<\/ul>\n<p><!--more--><br \/>\nWeaknesses:<\/p>\n<ul>\n<li>It&#8217;s digital, and travels over the same wires as other data.\u00a0 One no longer\u00a0 needs to tap a phone at either end of the conversation to eavesdrop<\/li>\n<li>Data must be delivered real-time.\u00a0 Reliability measures that reattempt data delivery at a significantly later time impair the immediate delivery required for a voice conversation.<\/li>\n<\/ul>\n<p>Potential defenses:<\/p>\n<ul>\n<li>Not much can be done against DDoS attacks.\u00a0 Companies can only ensure that they aren&#8217;t part of the problem by keeping their machines clean of malware that participates in DDoS attacks by employing firewalls and keeping software up to date.\u00a0 Having some sort of Quality of Service system in place for VoIP may also help alleviate the problems of a DDoS attack.<\/li>\n<li>Encryption: Encrypting the communication can make the original voice data\u00a0 hard to recover, securing its content.<\/li>\n<\/ul>\n<p>It&#8217;s real-time nature makes VoIP extremely sensitive to DDoS attacks.\u00a0 For residential users, an interruption in service could be as annoying as an inability to make calls, or in the worst case, prevent the user from making calls to emergency services.\u00a0 For businesses, service interruption can incur profit loss.\u00a0 Hackers have already exploited VoIP systems to make free calls by brute-forcing the IP packet prefix that VoIP providers use to identify calls admitted on their networks.\u00a0 The hackers were able to then turn a profit by selling minutes on the hacked services.\u00a0 Tapping a VoIP conversation doesn&#8217;t require a physical tap on the line at one end of the conversation.\u00a0 A hacker can sniff packets off the network bound to or originating from the desired victim and reassemble them into audio.<\/p>\n<p>Source: <a href=\"http:\/\/www.silicon.com\/research\/specialreports\/voipsecurity\/0,3800013656,39166244,00.htm\" target=\"_blank\">VoIP Security<\/a> at silicon.com<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Over the past five years or so, voice over IP has rapidly gained in popularity and use.\u00a0 It touts cheaper calls for residential users and corporations can save big because additional extensions on a VoIP infrastructure are less costlythan their &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/03\/13\/security-review-voip-communication\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":124,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-1237","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1237","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/124"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=1237"}],"version-history":[{"count":9,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1237\/revisions"}],"predecessor-version":[{"id":1246,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/1237\/revisions\/1246"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=1237"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=1237"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=1237"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}