Despite VoIP’s worldwide explosion, most of the network security issues surrounding VoIP technology have not been adequately resolved.
Why do you need VoIP security today? Well “Security and complexity are often inversely proportional,” goes one of the old security axioms from Fred Avolio. In other words, the more complicated a process is, the more it leaves room for mistakes, flaws, and insecurity. That does not bode well for VoIP mainly because basic operations of VoIP require:
- Converting an analog voice to digital signals
- Compressing those digital signals into packets the Internet can carry
- Reassembling the packets at the receiving end as audible voice
- Translating telephone numbers into IP addresses (and vice versa)
- Letting the telephone system know where to find phone users
In short, implementing VoIP introduces your network to numerous codecs protocols, and transport methods. If complexity does not promote network security, VoIP exposes substantial attack surface for malicious hackers.
VoIP and network security have always had that “inversely proportional” relationship. When administrators first tried to implement Session-Initiation Protocol (SIP) and H.323, firewalls typically broke VoIP connections. That was because these protocols initiate a connection on a known, standard port, but then they want to open other ports dynamically, as needed. It took security vendors a while to create special services that could handle the dynamic ports temporarily and close them cleanly after a session terminated. The result is that many firewall security vendors now claim “VoIP Support!” – not because they secure VoIP in any sophisticated way, but simply because they no longer break VoIP. That is clearly not the same as VoIP network security.
In 2007, Cisco made headlines when it published a Security Response admitting that a bug in their Unified IP Phone’s implementation of Real-Time Transport Protocol (RTP) could allow a remote attacker to eavesdrop on VoIP phone calls. Six months later, the security vendor VoIPShield announced that it could document more than 100 security holes in Cisco, Avaya, and Nortel VoIP products. Scary stuff!
Since 2006, attackers have increasingly exploited network security flaws in codecs. By injecting malicious code into files that your computer must decompress to use, attackers found they could execute malware on victim computers using file formats previously considered benign (such as QuickTime .MOV and Windows Media Player .WMP and .WAV files).
Given that attackers like to exploit codec flaws, VoIP provides the kind of technical wilderness that attackers love. VoIP incorporates audio, video, fax, and text, and provides numerous codec options in each of those technologies. Take audio alone: some users demand stereo sound and great audio quality, and thus prefer codecs that result in larger packets. Other, more bandwidth-sensitive, users prefer codecs that create smaller packets using a lower average bitrate, but requiring intensive processing. For reasons such as these, VoIP audio has at least eight codecs in common use.
Thus, to enjoy VoIP functionality, you must accept unregulated IP traffic from strangers, in a format that your computers must execute in order to use, mingled with traditional data packets on your LAN. Clearly, VoIP technology magnifies the risk to any network, many with a firewall security solution in place.
From our perspective, as bad as it is that an attacker might be able to eavesdrop on a call or teleconference, there are even worse problems with VoIP. Because VoIP runs mingled with your IP network, its most serious threat is that any hole in VoIP provides a stepping-stone to all your network data. So all that said you need to choose your firewall security solution carefully!