Security News > 2002 > August > Security In Converged Networks
http://www.tmcnet.com/it/0802/0802gr.htm BY ANDREAS M. ANTONOPOULOS & JOSEPH D. KNAPE August 2002 With all new technologies there is a security 'honeymoon' during which the technology is below the hacker's radar because of lack of widespread use. As a technology becomes more prevalent, and critical to organizations, its security will be probed and cracks will be found very soon. Internet telephony has now reached the critical mass of adoption and maturity that makes it not only a viable target but also a valuable one, as it becomes part of business critical applications. Whether the intent is to disrupt or profit, it will not be long before the first victims appear. Beyond the monetary risks, there is also a very serious privacy threat as we have become accustomed to government regulation that at least protects our privacy from everyone outside government. Legacy telephony has long enjoyed a level of protection through law, boundaries of physical security, and plain old obscurity that delegates it to a separate category of hacking. Apart from a few exceptions, telephony hackers or 'Phreakers' as they are dubbed, were a breed of their own with very specialized tools and techniques. Very few hackers were adept both in the world of computers and in the world of telephony. The telephony landscape and its relation to society is rapidly changing. When the phenomenon of 'convergence' between telephony and Internet started, it also brought closer the world of the phreaker and the hacker. VoIP brings all this to the next level. Unfortunately, the security inherent in VoIP solutions is equivalent to that of the early Internet: Non-existent. CONVERGING NETWORKS, CONVERGING THREATS With the convergence between voice and data, the critical barrier to would-be attackers quickly crumbles. The physical separation of the two networks and the relative security of voice networks were primarily enforced by federal laws and proprietary infrastructures, which are less effective as the networks converge. From a legislative perspective the transformation of the telephony landscape is of great concern: The current laws do not protect security or privacy; nor do they allow law enforcement access for wiretaps. Where the Internet spreads, it brings with it disrupting influences of new models and paradigms. In telephony the disruption is just starting, but the changes are going to be more staggering than we can imagine. Since IP is the underlying protocol used for the transmission of voice data, a VoIP network will be susceptible to the same security problems inherent in any IP-based network. Additionally, there is an added level of complexity in VoIP networks because of the challenges that must be met by VoIP technology in order to achieve useful levels of service for transmitting speech in an efficient and effective way. The most important threats in a converged world of ubiquitous VoIP are: * Eavesdropping from anywhere in the world (Privacy). * Social engineering (Authenticity/Integrity). * Disruption of voice communications/Denial of service (Availability). * Resource Theft (free calls for all). VIRTUAL WIRETAPS Eavesdropping on a telephony network requires either physical access to the wiring, or access to the digital backbones of the telephone companies. In a converged network, all the eavesdropper need do is compromise the security of the data network (or the endpoints) and he or she can access the voice streams. Such a 'virtual wiretap' is much more insidious than a physical wiretap, because it is almost impossible to detect. The copying of bits does not impact the original stream in any way. Therefore, unless one can control the access to the data network, the voice data is vulnerable. In many ways, we have grown used to an 'expectation of privacy' on telephone networks. This will no longer hold true unless we take steps to ensure our privacy with sophisticated security measures. Furthermore, the 'virtual wiretap' can be effected from, and the sound transmitted to, anywhere in the world. In fact I could hire someone to tap into your network and send me the audio, from anywhere in the world: Outsourcing meets wiretaps. For me to be able to listen in to your conversation, I would have to be able to decode the audio stream. With most current protocols, this is trivial. Encryption, however, would put an insurmountable obstacle in my path. Encryption is a well-developed technology, which has been applied to many different communications solutions. In the cellular phone market the term 'digital' has become synonymous with 'private' as the encryption has been sold as a product feature. There are two barriers to the application of encryption in VoIP. The first, as ever, has to do with standardization of the protocols. In order for encryption to be effective it must be very simple to use; in effect it must be transparent to the user. This requires standardization of the VoIP protocols (still in the early stages) and the encryption mechanisms. Because of the necessity to allow for upgrading of the encryption standards as they become obsolete or easy to 'crack,' it is important to have an open architecture that allows for 'negotiation' of suitable encryption algorithms between the end-points at runtime. This can be implemented in a similar way to the current support for multiple voice codecs with runtime negotiation. Encryption has become hugely popular as a means to leverage the Internet for corporate communications. Virtual Private Networks (VPNs) allow companies to transfer data between offices securely. An alternative to 'native' support of encryption within the VoIP protocols is the use of VPN tunnels in order to 'wrap' the voice stream. Unfortunately, this is quite difficult in practice. VPN devices and software are not currently designed to accommodate real-time traffic. As a result, they tend to add unacceptable levels of jitter and latency to the VoIP communications. Although just about bearable in small installations (1-2 voice streams), they become unwieldy in larger applications (VoIP between branches of a company, over VPNs for example). SOCIAL ENGINEERING Another important threat for VoIP networks is the ability to 'enhance' social engineering attacks. Social Engineering is the practice of using social skills and deception to exploit human vulnerabilities rather than system vulnerabilities. A common example is persuading someone in a company to give you their password by pretending to be an administrator in their IT department. Imagine how much easier it would be to persuade someone that you work for the company, if you can make their VoIP phone display the origination of the call as 'IT Helpdesk.' Or imagine how simple it would be if you could disguise your voice electronically to be identical to that of their boss. Software that allows digital impersonation has already been demonstrated; albeit crude, it is only a matter of time before it is sophisticated enough to be indistinguishable from the real person. The saving grace is that with current technology, it is unlikely this can be done at real-time without significant expenditure. Nevertheless, pre-recorded messages that sound like someone else are within the capabilities of desktop systems. And don't forget, your grace period diminishes by half every 18 months according to Moore's law. In order to protect against this kind of digital impersonation, there can be a number of solutions. The most secure approach would be widespread application of digital signatures and PKI for the authentication of end-users. This approach is not only very difficult to apply globally, it also has some disturbing privacy implications (anonymity after all is a feature most of us are used to when making calls, Caller-ID notwithstanding). An alternative is to apply generic controls at an organization's perimeter such as firewalls and Intrusion Detection Systems, which would protect against an outsider gaining access in this manner. Technology notwithstanding, the most effective solution is the same as with social engineering in other circumstances: Don't believe what the phone displays, don't assume you know who you're talking to and be smart about what kind of information you give to people on the telephone. These are all basic security awareness issues and should be handled as such with appropriate training and drills. Security is not just about technology; it is about people applying technology with a bit of common sense. BUSY TONE Although most consumers will berate their telecommunications providers and complain bitterly about the service, in truth we have been accustomed to a high level of reliability when using the phone. How many times in your life have you picked up the phone and not heard a dial tone? Achieving the kind of reliability that makes phones 'just work' 99.999 percent of the time would be enviable in the world of IT. So as we converge and shift voice onto a dynamic ad-hoc network such as the Internet we are bound to (at least at first) lose some reliability.