What type of attacks are VOIP Systems prone to?

Since VOIP systems run on the LAN and are IP devices, they are prone to attacks from outside or inside, whether by hackers who want to disrupt your communications or by employees. What types of attacks can be carried out on a VOIP system? This article attempts to answer that.

Generally, a VOIP call is established with two components: the signalling messages, which set up the call initially (via a proxy server) between the caller and the called parties, and the actual media traffic (RTP), which flows directly between the caller and called parties. Two separate logical connections are formed in this process, and both are vulnerable to attacks.

The signalling path uses UDP/TCP port 5060. If this port is open (in a firewall), it becomes a hole through which intruders can launch their attacks. The media stream, which is formed when the endpoints start exchanging RTP packets directly between them, flows through a port selected arbitrarily by the endpoints. The ports opened by the endpoints need to be monitored continuously and closed dynamically; otherwise there would be a hole to be exploited.

NAT (Network Address Translation) is another issue with VOIP systems. NAT is required for protecting private IP addresses from being exposed to the outside world by associating them with a common public IP address, which is what is sent to the internet. Typically, NAT looks for IP addresses at layer 3, but VOIP protocols assign IP addresses at layer 5. So, if this is not taken care of, the private IP addresses may be exposed to the callers.

Certain calls can be hijacked. That means calls intended for one receiver can be redirected to another: when a SIP agent sends an INVITE message to set up a call, the attacker sends a 3xy redirection message and provides his own redirection address.

Fake BYE and OK messages can be exchanged over a SIP signalling path without affecting the media stream. In that case, the call would be going on, but the billing server (which relies on the signalling information) would think that the call has been terminated and stop recording the session for billing. This could be used to rob the company of its telephone expenditure.
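One way a billing or monitoring system can catch this is to cross-check signalling against the media path: a call whose RTP keeps flowing well after its BYE is suspect. The following is an added example, not part of the original article; the record formats, Call-IDs, addresses and the grace period are all constructed assumptions.

```python
GRACE_SECONDS = 5.0  # assumed tolerance for RTP still in flight after a genuine BYE

# Constructed signalling log: (time, Call-ID, event, media endpoint taken from the SDP)
SIP_EVENTS = [
    (100.0, "a1@pbx.example", "INVITE", "10.0.0.21:16384"),
    (100.4, "a1@pbx.example", "200-INVITE", "10.0.0.35:17000"),
    (160.0, "a1@pbx.example", "BYE", None),
    (200.0, "b2@pbx.example", "INVITE", "10.0.0.22:16390"),
    (200.3, "b2@pbx.example", "200-INVITE", "10.0.0.40:17010"),
    (230.0, "b2@pbx.example", "BYE", None),
]

# Constructed RTP flow records: (source, destination, first packet, last packet)
RTP_FLOWS = [
    ("10.0.0.21:16384", "10.0.0.35:17000", 100.6, 160.2),  # ends with the BYE
    ("10.0.0.22:16390", "10.0.0.40:17010", 200.5, 840.0),  # keeps going after the BYE
    ("10.0.0.40:17010", "10.0.0.22:16390", 200.5, 839.5),  # reverse direction, same call
]


def calls_with_media_after_bye(sip_events, rtp_flows, grace=GRACE_SECONDS):
    """Return [(Call-ID, seconds of RTP seen after BYE)] for suspicious calls."""
    media = {}   # Call-ID -> media endpoints negotiated in its SDP
    bye_at = {}  # Call-ID -> time of the first BYE seen for that call
    for ts, call_id, event, endpoint in sip_events:
        if endpoint:
            media.setdefault(call_id, set()).add(endpoint)
        if event == "BYE":
            bye_at.setdefault(call_id, ts)

    findings = {}
    for src, dst, first, last in rtp_flows:
        for call_id, t_bye in bye_at.items():
            # A flow belongs to a call when both of its ends were negotiated
            # for that call and it was already running when the BYE arrived.
            if {src, dst} <= media.get(call_id, set()) and first <= t_bye:
                if last > t_bye + grace:
                    unbilled = last - t_bye
                    findings[call_id] = max(findings.get(call_id, 0.0), unbilled)
    return sorted(findings.items())


if __name__ == "__main__":
    for call_id, seconds in calls_with_media_after_bye(SIP_EVENTS, RTP_FLOWS):
        print(f"{call_id}: RTP continued {seconds:.1f}s after BYE")
```
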

The attacker can mimic caller identities and cancel pending SIP INVITE requests, thereby stopping the SIP server from functioning. This stops communication for everyone in the organization.

So, VOIP systems are also network terminals / end points which need to be secured.

excITingIP.com