Beware of UC Security Threats

Unified communications opens up your VoIP network to new avenues of collaboration, including instant messaging, video, business applications and e-mail. And that opens up your network to new avenues of attack.

While the biggest actual threats to VoIP networks remain attacks on the underlying IP network infrastructure, UC opens up new angles of attack by creating connections between VoIP networks and corporate data networks.

Typically, most corporate deployments these days try to segregate VoIP as much as possible, creating islands that protect the voice network by broadly restricting access for devices unnecessary to supporting calls, says Ted Ritter, an analyst with Nemertes Research.

Unified communications changes all that. "With UC, by definition you are opening up your infrastructure and focusing on collaboration, reaching outside the enterprise to trading partners and customers," Ritter says.

Eavesdropping, altering conversations, stealing phone access to commit toll fraud and flooding targeted extensions with calls -- all of which were possible before -- become easier, he says.

Don't Ignore Basic IP-Network Attacks

In reality, however, few of these theoretical VoIP-specific attacks have occurred in the wild, says David Endler, chairman of the Voice Over IP Security Alliance and senior director of security research at Tipping Point. Endler has co-authored a book about such attacks called "Hacking VoIP Exposed", but acknowledges that the basic step of protecting the IP network that underpins VoIP is still the best protection.

"People may tend to look at some of the sexier types of attacks out there to prevent them -- things such as eavesdropping or impersonation or caller ID spoofing -- the truth is the most prevalent threat right now is the very basic network-level type of attacks," Endler says.

Still, businesses deploying VoIP should be aware of security cracks that UC can open up, says Stuart McLeod, the course director for IT training firm Global Knowledge who teaches its VoIP security courses. "Security is always about having as many layers of obstacles as possible between the hacker and his goals. We lose a couple once you move to unified communications," he says.

For example, UC may introduce the use of softphone clients on PCs, which can cause trouble, says Jason Ostrom, the director of Viper Labs, the security research arm of Sipera, a vendor that specializes in VoIP security. With an eye toward testing business VoIP networks, Ostrom develops VoIP-specific attacks in his lab, automates existing attacks and makes them more sophisticated.

He says the Microsoft Office Communications Server client and Cisco Communicator softphone client for call-center applications can be potential sites for attack, particularly from insiders. They could break into the data virtual LAN via the clients, which have listening voice services to tap into the VoIP VLAN, he says.

Also, UC applications that are tied into LDAP and Active Directory servers live on the voice VLAN, creating another exposure for the data network. "User passwords and corporate data can be stolen through the voice VLAN," Ostrom says.

Risk assessment is essential to making decisions about defending VoIP tied to UC, says Paul Kocher, president and chief scientist at Cryptography Research, a data security consultancy. UC represents a series of sophisticated integration points with applications that can create other risks, but not all of them are urgent, he says.

For example, within UC software, programs can be configured to trigger phone calls, but that's not a major problem. "There are potential eavesdropping scenarios or the application could be corrupted to call the wrong phone number," Kocher says. "But those aren't the types of things you lie awake at night and worry about."

It's possible to defend these networks, Ritter says, but the increased complexity means that more corporate business units need to be involved at a higher level than was required for standalone VoIP.

Don't Ignore the Compliance Factor

Compliance is a big issue in industries such as finance, health care and the payment-card industry, which have regulations that can impact VoIP. UC must be defended against data leaks whether it be voice mail that gets e-mailed, an IM sent outside the company or an archived videoconference that's sitting on a disk and contains patient information.

UC also creates new legal complexities that can affect policies about storing call data, Ritter says. Voice mail attachments to e-mails, for instance, are classified as electronic data that must be made available during the discovery phase of lawsuits, he says. If such voice mail is stored on a thumb drive that sits in a desk drawer for three years, it's discoverable as electronically stored data, he says. "The voice mail is still around even though the voice mail system itself purged it years ago," Ritter says.

Businesses that are most successful with UC deployments bring their security teams in early on in the planning process, Ritter says, but that is not the usual case. "Unfortunately we still find security is typically one of the last teams to be involved in planning," he says.

Ritter recommends getting the security and compliance teams together early in the planning for UC and VoIP. That offloads much of the responsibility for security from the implementers who are more likely telephony experts or general infrastructure experts. Even corporate litigation teams should be brought in.

The exposure of VoIP will continue to increase with new technologies, he says. Nemertes found that 46% of IT executives surveyed who are planning service-oriented architectures say they also plan to integrate UC with their SOA applications such as CRM or ERP.

"That adds another layer of complexity because it extends UC and VoIP into the application domain," Ritter says. Despite this exposure, Nemertes found that security teams had the least amount of input into SOA deployments.

Part of the problem may be that business executives see security as just saying no to anything that exposes networks and data to more risk even if it means blocking useful ways of doing business.

"We don't know if they see security as business prevention and that's why they don't bring them in, or organizationally they're still in silos," Ritter says. "We don't think the security teams are being brought in early enough in the planning to deal with the complexities and the vulnerabilities that are putting the organization at risk."

Perhaps the biggest threat to VoIP security is that many if not most users don't consider security thoroughly, the experts say.

"Most VoIP deployments I have seen do not have recommended best practices in place like strong encryption, authentication and access control protecting the VoIP network from the rest of the network," Ostrom says.

Beyond that, some businesses don't recognize that they use protocols that may be readily tampered with. "The most common mistake I see is the use of insecure protocols for things like VLAN assignment," says Andy Zmolek, senior manager for Security Planning and Strategy for Avaya.

"They should use link layer discovery protocol and 802.1X authentication to make sure VLAN assignments and access control are secure," Zmolek says. "Without secure authentication, a PC could masquerade as a phone, get access to the VoIP VLAN and then wreak havoc."

Another problem has nothing to do with technology but rather the communication within the teams that are supposed to deploy it, he says. For instance many customers send out RFPs that include features that never get turned on after they make the purchase. "They have the ability of encrypting signaling and media, and they rarely turn that on. You could argue the security organization should handle that, but the security teams are just beginning to understand how to make sure the desired security is enforced," he says.

Businesses should beware of automatically trusting their own employees, Ostrom says. He says he finds faulty thinking among corporations relying on VoIP: because VoIP users are on the internal network and those users are trusted, there is no VoIP security problem. That is a dangerous assumption because if they are wrong, an attacker with network access can do vast damage, he says.

A user with network access can piggyback on the successful 802.1X authentication of an IP phone by inserting a rogue laptop on a hub shared by the phone, he says.

The phone authenticates to the switch port, but there is no per-packet authentication after that. If an attacker shares the authentication through a hub that the phone uses to connect to the network, the attacker gains access to the VoIP network and can create man-in-the-middle attacks for eavesdropping or changing the content of phone calls, he says.

"We've developed a proof-of-concept tool to demonstrate this attack," he says. "With it they can target other phones or VLAN hop to attack the data network."
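A defender's check for the shared-hub piggyback described above, and for the unauthenticated device on the voice VLAN that Zmolek warns about, as an added example (not from the article or any vendor tool): it compares the MAC addresses a switch has learned on each port with the 802.1X sessions that actually authenticated. The input format, port names, VLAN 200 as the voice VLAN and all addresses are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: addresses the switch has learned, as "port vlan mac".
MAC_TABLE = """\
Gi1/0/1 200 02:00:5e:00:10:01
Gi1/0/2 200 0200.5e00.1002
Gi1/0/2 200 02-AA-BB-12-34-56
Gi1/0/3 200 02:00:5e:00:10:03
Gi1/0/3 10  02:cc:dd:77:88:99
Gi1/0/4 200 02:ee:ff:00:00:04
"""

# Constructed sample: 802.1X sessions that authenticated, as "port mac".
AUTH_SESSIONS = """\
Gi1/0/1 0200.5e00.1001
Gi1/0/2 02:00:5E:00:10:02
Gi1/0/3 02:00:5e:00:10:03
Gi1/0/3 02:cc:dd:77:88:99
"""

def norm_mac(raw):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits

def find_unauthenticated(mac_table, auth_sessions):
    """Return (port, vlan, mac, reason) for learned MACs with no 802.1X session."""
    authed = defaultdict(set)
    for line in auth_sessions.splitlines():
        if line.strip():
            port, mac = line.split()
            authed[port].add(norm_mac(mac))
    findings = []
    for line in mac_table.splitlines():
        if not line.strip():
            continue
        port, vlan, mac = line.split()
        mac = norm_mac(mac)
        if mac in authed[port]:
            continue
        # An extra MAC beside an authenticated one is the shared-hub pattern;
        # a MAC on a port with no session at all never authenticated.
        reason = "piggyback" if authed[port] else "unauthenticated"
        findings.append((port, int(vlan), mac, reason))
    return findings

if __name__ == "__main__":
    for finding in find_unauthenticated(MAC_TABLE, AUTH_SESSIONS):
        print(*finding)
```

Port Gi1/0/3 is not flagged because both the phone and the PC behind it hold their own sessions; Gi1/0/2 is flagged because the second address rides on the phone's authentication.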

Most of the concern businesses have about VoIP still centers around protecting the underlying data network from assaults like denial-of-service attacks, says Irwin Lazar, an analyst with Nemertes.

"Overall though I'd say that security doesn't rank all that high among IT executive concerns around VoIP right now," Lazar says, "though as enterprise VoIP networks are extended beyond the network boundary via peering and SIP trunking, concerns will increase."

It may take serious consequences, though, to prompt better VoIP security practices like encryption, McLeod says. "I think the average Fortune 500 company is going to have to have some security event occur to have a wake-up call before they spend the money," he says. "Then there will be more pressure placed on the vendor to make security like it is in Wi-Fi -- automatic, easy and every piece of gear includes it."
