June 12, 2014 by Phil England
The features, functionality and benefits of Voice over IP are well understood by many, but in contrast we find most people have a relatively poor understanding of the potential attack scenarios their VoIP systems could face. Voice services are a business-critical application, and attacks against service availability could be troublesome for many businesses that may not realise their dependence on the service. As well as being a target in its own right, a VoIP system attack is often used by hackers as a stepping stone and enabler for further attacks on other business-critical systems. It can be used as part of the reconnaissance phase, to aid in social engineering efforts and in testing denial of service.
Here’s a run-down of the main kinds of attacks that are commonly targeted at VoIP systems:
Spoofing: This is the act of impersonating another caller. It's pretty simple; there is even an nmap script to perform the task. Run --script=sip-call-spoof with the appropriate script arguments to test for the function. Clearly this won't actually make a call but is useful for a proof of concept.
Spoofing Attack Scenario: Establish a foothold into a network, use VoIP spoofing to impersonate an IT Support employee via their Caller ID and request sensitive information from another employee.
Man-in-the-Middle (MiTM) Attacks: Two attacks that can be performed quite easily are recording phone calls and mixing extra audio into the streams. Recording is performed by simply taking a packet capture and opening it with Wireshark, which has built-in analysis tools for VoIP. Adding extra audio requires the use of tools like RTP MixSound from http://www.hackingvoip.com/sec_tools.html.
MiTM Attack Scenario: Record audio to find out about upcoming deals; this is great for conference rooms that often have open access to their VoIP/Video Conferencing systems (true story). Mix in audio to confuse or annoy callers: for example, play background sounds over the phone to make it sound like one party is in a different location, or add static to make conversation difficult.
Denial Of Service (DoS) Attacks: Simple - make all the phones ring, send BYE messages as soon as calls are connected, use up resources on Proxies and Gateways so that outbound calls fail. SIPSAK and Scapy can be used to perform these attacks fairly easily, although depending on individual setup sometimes you need to impersonate other infrastructure to create effective results.
DoS Attack Scenario: Causing havoc within a company by reducing call capacity, blocking other callers from entering competitions or applying for tickets, restricting outbound calls.
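A defender's view of the first two DoS patterns above, as an added example that is not part of the original post: it flags a BYE sent by an address that never took part in the call, a BYE arriving moments after the call is answered, and one source sending INVITEs to many extensions in a short window. The event tuples, thresholds and the detect() function are constructed for illustration, and the check assumes signalling is logged at a point where each endpoint's own IP address is visible.

```python
from collections import defaultdict

# Constructed sample events (not from the original post):
# (seconds, source IP, SIP method or status code, Call-ID, called extension)
EVENTS = [
    (0.0, "10.0.0.11", "INVITE", "a1", "201"),
    (1.2, "10.0.0.21", "200", "a1", "201"),
    (95.0, "10.0.0.11", "BYE", "a1", "201"),    # normal hang-up by the caller
    (100.0, "10.0.0.12", "INVITE", "b2", "202"),
    (101.0, "10.0.0.22", "200", "b2", "202"),
    (101.3, "10.0.0.66", "BYE", "b2", "202"),   # third party, right after answer
    (200.0, "10.0.0.66", "INVITE", "c3", "203"),
    (200.1, "10.0.0.66", "INVITE", "c4", "204"),
    (200.2, "10.0.0.66", "INVITE", "c5", "205"),
    (200.3, "10.0.0.66", "INVITE", "c6", "206"),
]

def detect(events, early_bye_secs=2.0, fanout_limit=3, window_secs=5.0):
    """Return alerts as (kind, source IP, detail) tuples."""
    alerts = []
    parties = defaultdict(set)    # Call-ID -> IPs seen sending INVITE or 200
    answered = {}                 # Call-ID -> time the 200 OK was seen
    invites = defaultdict(list)   # source IP -> [(time, called extension)]
    for ts, src, msg, call_id, to_user in sorted(events):
        if msg == "INVITE":
            parties[call_id].add(src)
            # Keep only this source's INVITEs inside the sliding window.
            recent = [(t, u) for t, u in invites[src] if ts - t <= window_secs]
            recent.append((ts, to_user))
            invites[src] = recent
            targets = {u for _, u in recent}
            if len(targets) > fanout_limit:
                alerts.append(("invite-fanout", src, len(targets)))
        elif msg == "200":
            parties[call_id].add(src)
            answered[call_id] = ts
        elif msg == "BYE":
            if src not in parties[call_id]:
                # Teardown from an address that is not part of the dialog.
                alerts.append(("bye-from-non-party", src, call_id))
            elif call_id in answered and ts - answered[call_id] <= early_bye_secs:
                alerts.append(("early-bye", src, call_id))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Where calls pass through a proxy, the same logic applies if the source field is replaced with the authenticated identity the proxy records for each request.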
So consider the above and remember to secure those VoIP services! If you want a hand testing your defences against these and other attacks – get in touch.