Researchers call time on poor VoIP server security

News by Tom Reeve

Voice over IP attacks are on the rise because of the proliferation of online tools and software which can target these services.

VoIP attacks can be highly profitable, as successful attackers gain access to telephone lines from which they can make calls to foreign countries and premium rate phone services. Long-distance services can be sold on to phone shops while attackers can make up to £1 a minute by calling premium rate numbers which they control.

Voice over Internet Protocol (VoIP) has been increasingly implemented by companies wishing to exploit low-cost Internet connectivity to supplant more expensive long-distance telephone service, but routing voice and multimedia content over the Internet exposes the organisation's telecoms system to the same risks faced by Internet servers and web-connected corporate networks.

Security consultancy Nettitude has released a report based on its experience monitoring servers for its clients. During the first quarter of 2015, it witnessed  a large number of attacks against VoIP servers. Surprisingly, it said, the attacks on VoIP services – carried out by targeting Session Initiation Protocol (SIP) servers – represented 67 percent of all attacks it recorded against UK-based servers.

By comparison, SQL servers – which represented the second-most attacked category – accounted for only four percent of attacks.

In one VoIP attack, Nettitude observed an attacker using a tool called 'SIPVicious', so in the interests of research, they downloaded the tool – which is used legitimately to audit SIP systems.

According to Nettitude, SIPVicious's capabilities include scanning for SIP devices, identifying active extensions on a PBX telephone exchange, cracking SIP PBX passwords, managing sessions and exporting reports. It also has a module called svcrash which attempts to stop unauthorised scans.

Monitoring attackers, it witnessed multiple attacks including numerous failed password attempts which has a detrimental effect on service performance.

If an attacker gains access to the application layer, he can make calls to long-distance numbers and premium-rate services. Calls to a BT premium number would, for instance, cost £1.50 a minute, of which the attacker would get £1. This could prove very expensive to the victim who could be charged £9000 for a 10-hour phone call.

Jules Pagna Disso, senior R&D analyst at Nettitude, told that this is what motivates hackers to attack VOIP systems.

The most surprising aspect of the research was that 80 percent of attacks took place out of office hours. He speculated that attackers know from experience that the VOIP server was most likely not to be monitored at these times.

“The attack will generally start by a reconnaissance phase. This reconnaissance can be done either by using search engines like Shodhan or by directly scanning public IP addresses,” he said. “Once the target is identified, the attacker will start by brute forcing his access through the server.”

This is made simpler by administrators who use weak passwords or in some cases fail to change the default password.

“On successful login, the attacker will query the server to understand what features are enabled on the server. At this stage, the attacker is ready to abuse the available feature of the target server,” he said.

In addition to racking up huge phone bills, which can cripple a company's finances, attackers can also interrogate the company phone directory, stealing customers' phone numbers, and even intercept and record calls.

Protecting a server involves the same basic computer hygiene principals that apply to other types of servers: put the server behind a firewall, make sure the operating system is patched and updated on a regular basis and use strong passwords and authentication.

Paul Marsh, director at SecQuest Information Security, wasn't surprised by the results of Nettitude's research.

He said that VOIP fraud is commonplace and most successful VOIP server attacks “are due to poor configurations within client authentication or the dial plan on the server, allowing external attackers to connect and place calls”.

In addition to ensuring the server employs robust authentication, he said you should also examine the SIP authentication logs, “assessing the authentication rate per user to look for brute force attacks, the output of which can be applied to a firewall drop rule”.

He said the dial plan should be configured to prevent calls to countries where the organisation doesn't do business. “For example a UK based small company may never have need to call the Middle East, Pakistan, Afghanistan etc, so technical measures should be put in place to prevent calls being made to these destinations.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews