VOIP TARGETS, THREATS, AND COMPONENTS - CASING THE ESTABLISHMENT - Praise for Hacking Exposed: Unified communications & VoIP Security Secrets & Solutions, Second Edition (2014)



Case Study: Is There Really Any SIP in the Internet?

Voice over IP (VoIP) and unified communications (UC) have many security issues—some unique and others shared with other network applications. Some security issues can be exploited from public networks, whereas others can only be exploited if the attacker has internal access. When we wrote the first version of this book, the majority of issues required internal access. UC is now more commonly used across the public network, and this network has become much more hostile. Part I of this book introduces the most significant UC threats and attacks, and then covers the processes of footprinting, scanning, and enumeration, which are used to gather information necessary for later attacks.

Scanning the Entire Internet for SIP Servers

In 2011, an individual or group scanned the entire IPv4 address range for Session Initiation Protocol (SIP) servers. This represents over 4,000,000,000 IP addresses. At the time of this book’s writing, no one was sure who did this or what their motives were. The scan was detected and analyzed extensively. The attacker used the Sality botnet for the attack. This in itself was significant because it is neither a free nor simple undertaking. The scan ran for some 12 days. The payload used through the botnet was captured, so there’s no doubt that the Sality botnet was used and what the scan was for.

One researcher used a dark net, which logged some information for the scan. A dark net is a collection of IP addresses to which no hosts are assigned. When a packet is sent to an IP address in the dark net, no response is given, but the packet is logged. Access to the dark net gives the researcher a great way to monitor the scan. The scan did not spoof source IPs, because it was looking for replies from SIP servers. The scan, although massive in scope, was relatively “stealthy.” The details of the scan are beyond the scope of this book, but you can review them here:



The packet sent during the scan was a SIP REGISTER request. The message tried to register a nonexistent user, which if indeed was received by a SIP server would result in a “no such user” response. As we will describe later in Part I, scans can also be performed with INVITE and OPTION requests, with various pros and cons. Here’s a sample packet captured by the researcher:


No one knows how many SIP servers were found. Of course, with each passing day more SIP servers and clients would have been found. Some of the likely classes of SIP servers include:

Consumer VoIP/SIP offerings such as Vonage and MagicJack: These are not terribly interesting, although finding them may provide a way to break into deployments using a PC.

Enterprises with an Internet-based SIP presence: Most enterprises do not expose SIP to the Internet, but some applications, such as video and the growing UC offerings from vendors such as Microsoft Lync, may be seen.

Service providers: Definitely the most interesting. Although this book is focused on enterprise UC security, identifying SIP servers provided by service providers is particularly valuable, as we will discuss soon.

The resulting list of SIP servers found by the scan is itself valuable and can be sold on its own. Also, the SIP servers can be enumerated to find out if they have no authentication or have simple authentication that can be exploited. The SIP responses provide clues as to what system is being used. If a SIP server, especially one set up by a service provider, can be compromised, it can be used for a variety of call-generation attacks, including the following:

Toll fraud: Gaining access for free calling or generating traffic to premium 1-900 type numbers

Telephony denial of service (TDoS): A flood of unwanted calls that disrupts operation of the target

Call pumping: A relatively large number of unwanted calls that terminate on 1-800 numbers as a way to share revenue

Voice SPAM: Unwanted calls designed to sell some product or service

Voice phishing: Unwanted calls designed to trick a consumer into calling a number that connects them to a human, fake IVR (interactive voice response), or real IVR (which monitors the traffic) in order to gather personal information

In the future, you will see more scans and attackers exploiting the systems for these and other attacks.
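The dark net described above logs every probe without answering it, so a scan of the kind discussed in this case study shows up as one source sending the same SIP request (REGISTER for a user that does not exist) to many unused addresses in a short time. The following is an added example, not code from the book or from the researcher it cites: a small SIP request parser plus the detection rule a dark-net or SIP honeypot operator would run over the captured events. The event format (epoch seconds, source IP, destination IP, raw SIP request), the REGISTER builder and every address are constructed for the demo; 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges.

```python
"""Detect SIP scanning in darknet/honeypot traffic.

Added example for this chapter, not code from the book or the researcher
cited in it. The event format (epoch seconds, source IP, destination IP,
raw SIP request) and every address below are constructed for the demo.
"""
import re
from collections import defaultdict

# Methods a scanner can use to elicit a reply from a SIP server: REGISTER
# (what the 2011 scan used), plus OPTIONS and INVITE as the chapter notes.
PROBE_METHODS = {"REGISTER", "OPTIONS", "INVITE"}
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) SIP/2\.0$")


def parse_sip_request(raw):
    """Return method, Request-URI and a lower-cased header dict for one SIP
    request. Raises ValueError if the first line is not a SIP request line."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": m.group("method"), "uri": m.group("uri"), "headers": headers}


def user_part(addr):
    """User part of a SIP address: '<sip:100@192.0.2.5>' -> '100' ('' if none)."""
    m = re.search(r"<([^>]+)>", addr)
    uri = (m.group(1) if m else addr).strip().split(";")[0]
    body = uri.split(":", 1)[1] if ":" in uri else uri
    return body.split("@", 1)[0] if "@" in body else ""


def probed_user(req):
    """REGISTER names the user in the To header; OPTIONS/INVITE in the URI."""
    if req["method"] == "REGISTER" and "to" in req["headers"]:
        return user_part(req["headers"]["to"])
    return user_part(req["uri"])


def detect_sip_scanners(events, min_targets=5, window_s=300):
    """events: iterable of (epoch_s, src_ip, dst_ip, raw_sip_request).
    A source whose probe requests reach at least min_targets distinct
    destinations within any window_s-second span is reported together with
    the methods and user names it probed. Non-SIP payloads are skipped."""
    per_src = defaultdict(list)
    for ts, src, dst, raw in events:
        try:
            req = parse_sip_request(raw)
        except ValueError:
            continue
        if req["method"] in PROBE_METHODS:
            per_src[src].append((ts, dst, req))

    report = {}
    for src, hits in per_src.items():
        hits.sort(key=lambda h: h[0])
        best, start = set(), 0
        for end in range(len(hits)):           # sliding time window
            while hits[end][0] - hits[start][0] > window_s:
                start += 1
            targets = {h[1] for h in hits[start:end + 1]}
            if len(targets) > len(best):
                best = targets
        if len(best) >= min_targets:
            report[src] = {
                "distinct_targets": len(best),
                "methods": sorted({h[2]["method"] for h in hits}),
                "probed_users": sorted({probed_user(h[2]) for h in hits}),
            }
    return report


def register_probe(dst_ip, user, call_id):
    """Build a minimal, constructed REGISTER request for the sample log."""
    return ("REGISTER sip:%s SIP/2.0\r\n"
            "From: <sip:%s@%s>;tag=%s\r\n"
            "To: <sip:%s@%s>\r\n"
            "Call-ID: %s\r\n"
            "CSeq: 1 REGISTER\r\n\r\n"
            % (dst_ip, user, dst_ip, call_id, user, dst_ip, call_id))


# Constructed darknet log: one source sweeps eight unused addresses with the
# same nonexistent user, one host sends a single REGISTER, one sends junk.
SAMPLE_EVENTS = [
    (1000 + i, "203.0.113.7", "192.0.2.%d" % (10 + i),
     register_probe("192.0.2.%d" % (10 + i), "100", "scan%d" % i))
    for i in range(8)
] + [
    (1003, "198.51.100.4", "192.0.2.50", register_probe("192.0.2.50", "alice", "c1")),
    (1004, "198.51.100.9", "192.0.2.51", "GET / HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for src, info in detect_sip_scanners(SAMPLE_EVENTS).items():
        print(src, info)
```

The distinct-destination count is what separates a sweep from a chatty but legitimate client: a real phone re-registers with one server many times, a scanner touches many servers once. The window keeps a slow scanner (the 2011 one ran for 12 days) from hiding behind a low per-minute rate; lower `min_targets` or widen `window_s` on a large dark net where even a few hits per source over hours are suspicious.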

Using the Shodan Search Engine to Locate Internet SIP Servers

In addition to scanning, you can use the Shodan search engine (www.shodanhq.com) to locate SIP servers. Shodan probes IP addresses and ports and then records the “banner” information. This information can be used to probe for vulnerable SIP servers. If you type in “SIP server”, you will see around 3.5 million hits:


In addition to “SIP server”, you can scan for any string, including specific VoIP/UC phones, such as the popular Cisco 7940. As you can see, this returns some 435 matches:


The Shodan search engine also provides an application programming interface (API) that can be used to download and otherwise manipulate the data.


What worries me most is some kid in his basement, running some call generator/robodialer, taking down my contact center, just to prove a point.

—Quote from a contact center manager of a top-5 U.S. bank

Let’s start by saying that a number of terms are used to describe voice and other forms of communication. Voice itself has largely migrated from legacy time-division multiplexing (TDM) systems to Voice over IP (VoIP), Internet telephony, IP telephony, or whichever term you like to use. This book uses VoIP. Most new enterprise handsets and call control/private branch exchanges (PBXs) use VoIP. The installed base within enterprises, at least in the United States, now has more VoIP than TDM. Much of the transmission of voice in service provider networks uses VoIP. Many of us use “over the top” VoIP services such as Skype to leverage the Internet for free long-distance/international calling. A recent estimate has one-fourth of long-distance/international traffic carried by Skype. These are just a few examples. Nevertheless, there is still a lot of TDM traffic in enterprises, especially for infrastructure such as public trunking, fax machines, and so on. We won’t devote a lot of material in this book to TDM per se, but it is present in the majority of complex UC systems.

The industry is also using terms such as unified communications (UC) and collaboration, where voice and VoIP are joined by video, presence, instant messaging, social networking/media, and so on. This book focuses on voice, and to a lesser extent video. We will cover other types of UC in the emerging technologies chapter. It is hard enough to cover all the issues with voice and video as it is, so there is no need to make the book even longer and thus more watered down. Voice and video are where the most interesting and relevant threats are. We expect in the coming years that unified communications (UC) will be the predominant term used to describe legacy voice, VoIP, video, presence, instant messaging, social networking, and so on, so we will use that as a generic term.

Enterprises, service providers, and consumers all heavily use UC. Regardless of where UC is implemented and the technologies used, the inherent vulnerabilities are quite similar. The UC technologies use many of the same systems, devices, protocols, and applications and, as such, the threats and motives to exploit them are similar as well. However, this book is focused on the issues that enterprises and businesses are likely to face. We will mention when an issue is particularly acute for a service provider or consumer, but, again, that is not the focus of the book.

When a hacker targets a UC system, they typically have a motive. It may be to disrupt operations (denial of service). Maybe they are upset with the economy and out of a job, and want to target a major bank. Maybe they want to take down a contact center within the financial or insurance industry with a flood of calls (telephony DoS, or TDoS). Maybe they want to threaten a business with a flood of calls to extort money from the company. Maybe they want to annoy or harass certain individuals. Maybe they want to steal minutes/access, so they can resell it and make money (toll fraud). Maybe they want to generate traffic to a premium number they set up—again, to make money. Maybe they want to social engineer systems or agents in a contact center so they can steal money (fraud). Maybe they want to make calls and trick users into calling back and giving up personal information (voice phishing, or “vishing”). Maybe they want to sell merchandise or services (voice SPAM/SPAM over Internet Telephony [SPIT]). Maybe they want to listen to and record key conversations and video sessions (eavesdropping). Finally, they may want to modify/manipulate conversations to embarrass, annoy, or trick users. There are other motivations as well, but these are some of the main ones. One of the best resources on these attacks is the annual SecureLogix Voice and Unified Communications State of Security Report,1 which you can find a link to in the “References.” This year (2013) is the third year this report has been published. We reference and use material from this report in the first two parts of the book. (In the interest of full disclosure, we are co-authors of this report.)

Before attacking, hackers will go through the process of reconnaissance, information gathering, and target selection. In some cases, this process is extremely easy. For example, if the hacker wants to flood a politician or contact center with many calls, all they need is the phone number as well as a way to generate calls or organize callers. Other attacks may require a lot more homework and even insider access to a UC system. The hacker may also need to know details about the system, vendor, software version, supporting services, and protocols. Unfortunately, some of the worst threats require the least amount of information.

When we wrote the first edition of Hacking Exposed VoIP, we focused a lot on the UC systems themselves, the network, and the protocols. This is because at the time, back in 2006, virtually all UC systems were internal and the primary way to attack them was from within the network. This is still true, and we will still cover a lot of that in this edition. A slightly dated, but still good reference for these types of attacks can be found at the Voice Over IP Security Alliance (VOIPSA) website2 and the VoIPSA threat taxonomy.3 In its day, VOIPSA was the go-to resource for VoIP security. There isn’t much activity on the site now, but it still has a lot of good material. Another dated, but good reference is the Blue Box Podcast.4 You can find links to all of these in the “References” section at the end of the chapter.

Even now, in 2013, most UC remains internal, even though more and more enterprises are replacing legacy TDM trunking with SIP. Enterprises are also using the Internet for more UC, especially for video and other services. This migration will change the threat picture. However, also keep in mind that hackers aren’t so much attacking UC itself; rather, UC architectures, protocols, and services make it much easier for hackers to perform the same sorts of voice attacks that have been common for years. If a hacker wants to flood a contact center with malicious calls, they use VoIP to set up a robodialing operation, use VoIP/SIP to get calls into the network, and don’t care whether the target is 100-percent UC, 100-percent TDM, or some mixture of both.

Voice network security has been an issue in enterprises for years, with voice application threats such as toll fraud, social engineering, and harassing calls posing the largest risks. However, with the proliferation of UC in both the service provider and enterprise networks, the threat to voice networks has dramatically increased. This is not because UC itself is being attacked through packet vulnerabilities, but rather that UC creates many new vectors of attack and makes the overall network more vulnerable and hostile. Hackers may not target UC per se, but leverage UC to perform the same voice application attacks they have been perpetrating for years. Even the Public Switched Telephone Network (PSTN), which was mostly a closed network, has become much more hostile due to the proliferation of VoIP call origination and is increasingly resembling the Internet from a security standpoint. More and more UC is also traveling over the Internet. The UC systems themselves are becoming more common, more complex, and have vulnerabilities that hackers with the right access can exploit. Finally, even social networking sites such as Facebook and Twitter can be used to organize mass-calling campaigns, creating a new method of generating harassing calls or TDoS attacks.

An organizational trend happening with UC deployments is that the voice and networking groups are being combined within the enterprise. Although this approach makes sense financially by decreasing personnel and overhead, integrating voice management with network management often places additional strain on a typically overburdened department by increasing the workload and technologies to manage. UC can be a complex technology and may not be completely understood by the person administering it if it is suddenly part of their duties when it hadn’t been before. This gap in understanding can lead to errors, which can cost the enterprise a lot of money.

UC is dependent on the enterprise’s network infrastructure for its security posture, making it vulnerable to any deficiencies that exist within the network. These can include misconfigured systems such as gateways and firewalls, poor password strength, unsecured or rogue wireless access points, and no operating system patching frequency. As Figure 1-1 depicts, UC security intersects with the traditional data security layers found in an enterprise and is also dependent on them to provide a sound foundation for overall security, as each layer is dependent on the others.


Figure 1-1 The UC security pyramid

Many of the UC application attacks shown in Figure 1-1 are explained and demonstrated in the following chapters. We want to point out many of the other attacks listed in the diagram, such as SQL injection and SYN floods, which are hardly new by any stretch of the imagination. These are the very same attacks that traditional data networks are plagued by and have found new life when applied to UC deployments. In some cases, these attacks can provide expanded severity against a UC deployment. For instance, a SYN flood denial of service attack against your organization’s router might mean that web browsing is a little slow for everyone surfing behind it. The very same SYN flood properly applied against a VoIP network or VoIP device might mean that voice conversations are unintelligible due to jitter or calls cannot be placed because of network latency.

Time and time again, throughout this book we will emphasize the importance of your supporting infrastructure security. Because of the dependencies that VoIP places on your traditional data network, it’s not uncommon for attackers to compromise a trusted workstation or server in order to gain access to the VoIP network.

A final active reference for VoIP and UC security is the primary author’s blog, Mark Collier’s VoIP/UC Security Blog.5 We actively maintain this blog and it serves as an anchor point for online material for this book.

Campus/Internal UC

UC systems are complex and introduce a number of vulnerabilities. Figure 1-2 illustrates this issue.


Figure 1-2 Campus/internal UC

This figure uses a simplified enterprise UC network to illustrate several concepts. In this UC network, the IP PBX is shown as a collection of servers providing various functions. This is typical of a modern IP PBX, which uses many different devices to provide different services. A large enterprise often duplicates this configuration for each site, likely using equipment from multiple vendors. The figure also shows different user devices, such as IP phones, softphones on the data VLAN, fax machines, and legacy phones.


For centralized SIP and hosted IP deployments, some sites will not have the IP PBX. These deployments are addressed in a subsequent section.

This book uses the term public voice network to describe the service provider voice and UC network and to indicate that it is a mixture of TDM and VoIP. You may also see the term IP PSTN in other material.

Internal/campus UC systems are complex and involve many servers and components. A typical IP PBX has many devices and protocols that are exchanged over the internal network. Large enterprises have many separate systems, configurations, and equipment from multiple vendors. These systems offer many operating systems, network stacks, applications, protocols, and configurations to attack. The primary threats to these systems are different forms of denial of service (DoS) and eavesdropping.

The major UC vendors are progressively doing a better job of securing their systems, including improving default configurations and offering security features such as encryption. However, security is often not the primary consideration during deployment of new UC network systems, and quite a few vulnerabilities exist. This is especially true for critical devices, such as call control, media gateway, and support servers. It is also particularly true for highly critical voice deployments such as contact centers.

Internal UC vulnerabilities are similar to those in other critical internal enterprise applications. Different forms of DoS and eavesdropping represent the greatest vulnerabilities. A hacker with internal network access and the right motivation and tools can attack the aforementioned devices. And, of course, if a hacker has internal access to a corporate network, security issues far broader than UC security are present.

The connection to the service provider is still TDM in the majority of enterprises. The IP PBX uses an integrated or separate device that provides the media gateway function. Hackers may not be attacking UC systems themselves; they attack the voice application and network, often using VoIP to enable, simplify, and/or reduce the cost of the attack. Many of the threats to UC networks are the types of attacks that are always present at the UC application layer, whether the underlying network is legacy TDM, UC, or a combination. Again, hackers exploit voice networks for a reason, such as stealing usage, engaging in social engineering, harassing users, instigating disruption, and making money. They do not care what the transport technology is, unless, of course, UC makes it easier to execute the attacks.

As shown in Figure 1-2, traditionally the major external threats to enterprise UC networks have been toll fraud and social engineering. These threats have been high for years, and VoIP availability is either making them worse or keeping them constant. Threats such as TDoS, harassing calls, voice SPAM, and voice phishing/vishing have not been as big an issue in the past, but as described next, they have now become the greatest threats. See the Communications Fraud Control Association (CFCA) website6 for information on various traditional fraud attacks, as well as evolving threats such as TDoS.

Session Initiation Protocol and SIP Trunk Threats

SIP is a standards-based protocol for controlling UC calls and sessions. SIP has become the standard for a variety of UC applications and is heavily used by all of the major UC vendors. Although proprietary handset protocols, H.323, and TDM are still used, SIP is taking over as the preferred protocol for the majority of UC. We will devote a lot of time to SIP in this book.

SIP is being used more and more for enterprise trunks, which provide a means to connect enterprise voice networks to the public voice network. Figure 1-3 shows the threat change when SIP trunks, as opposed to TDM trunks, are used to connect to the public voice network.


Figure 1-3 SIP trunks

Many enterprises are transitioning to SIP trunks. This transition has been slow, but is accelerating rapidly. Enterprises use SIP trunks for one-to-one replacement of TDM trunks and also to consolidate the traffic from smaller branch or retail sites to a centralized trunk model. Centralized SIP trunk deployments offer a number of advantages but also increase the threat of certain types of attacks, because all or most of an enterprise’s public access involves one or a few sites.

The majority of enterprise SIP trunk deployments are provisioned by large service providers, who supply a private SIP connection between their networks and the enterprise. This is a separate, managed, private connection, where security and quality of service (QoS) can be ensured, as opposed to the Internet, where neither security nor quality can be ensured. It is possible for SIP-specific packet attacks to be seen on these private SIP trunks, although such attacks are uncommon. Also, SIP trunks primarily use SIP and the Real-time Transport Protocol (RTP, for audio), as opposed to the multitude of protocols used on an internal/campus VoIP network.

Service providers also deploy SIP security on their side of the network, using Session Border Controllers (SBCs). The SBC provides an additional layer of security that analyzes SIP or RTP before it is delivered to the enterprise. For information on an SBC, see Cisco’s website for the Cisco Unified Border Element (CUBE).7 It is technically possible to see scans, fuzzed/malformed packets, and packet floods on dedicated service-provider SIP trunks, but this is a low threat on these types of SIP trunks. Nevertheless, it is a good security practice to deploy SIP-specific packet security on an enterprise SIP trunk, preferably using a different technology than that used by the service provider.

As an enterprise uses SIP over the Internet, the threat rises considerably. Although uncommon now, this may occur more often as enterprises want to extend the rich communications experience they enjoy inside their networks with video, instant messaging (IM), presence, and other UC applications. Several Internet SIP-based video systems have been exploited, but the motivations for these attacks have been toll fraud rather than the video application itself.

UC application-level attacks/threats such as toll fraud, social engineering, unsecured and unauthorized modems, harassing calls, and TDoS are still present; none of these threats decrease with the transition to SIP trunks. Service providers and their SIP-specific security devices do nothing to block these call-level attacks.

As introduced earlier, a related change in enterprise voice networks is the move to centralized SIP trunking, where smaller-site localized trunking is replaced with centralized SIP trunks. Centralized SIP trunking creates a chokepoint where failure can be very critical. For example, an attack intended for a lower-priority administrative site might consume extra bandwidth and “bleed over” to more critical sites sharing the combined centralized SIP trunk. Figure 1-4 illustrates this issue.


Figure 1-4 Centralized SIP attack
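The bleed-over problem has a standard mitigation: per-site call admission control on the shared trunk, so that a flood aimed at one site can consume only that site's share of channels. The following is an added example, not code from the book or from any vendor product; the `CentralTrunk` class, its `admit`/`release` calls, the site names and the channel counts are assumptions made for the demo. It runs the same flood twice, once against an uncapped trunk and once with the administrative site capped, and reports how many calls the contact center can still place.

```python
"""Per-site admission control on a centralized SIP trunk.

Added example for this chapter, not code from the book or any vendor.
Site names, channel counts and the admit/release API are assumptions
made for the demo; real SBCs and IP PBXs expose the same idea under
names such as call admission control or per-trunk call limits.
"""
from collections import defaultdict


class CentralTrunk:
    """A pool of `capacity` concurrent call channels shared by several sites.
    site_limits caps how many channels one site may hold at once; with no
    limits, the first site to flood can take every channel."""

    def __init__(self, capacity, site_limits=None):
        self.capacity = capacity
        self.site_limits = dict(site_limits or {})
        self.in_use = defaultdict(int)

    def total_in_use(self):
        return sum(self.in_use.values())

    def admit(self, site):
        """Try to seize one channel for a call from `site`; True if admitted."""
        if self.total_in_use() >= self.capacity:
            return False
        limit = self.site_limits.get(site)
        if limit is not None and self.in_use[site] >= limit:
            return False
        self.in_use[site] += 1
        return True

    def release(self, site):
        """Return one of `site`'s channels to the pool when its call ends."""
        if self.in_use[site] > 0:
            self.in_use[site] -= 1


def simulate_bleed_over(capacity, flood_attempts, site_limits=None,
                        flood_site="admin", critical_site="contact_center",
                        critical_attempts=10):
    """Flood a low-priority site, then try critical_attempts calls from the
    critical site. Returns (flood_admitted, critical_admitted)."""
    trunk = CentralTrunk(capacity, site_limits)
    flood_ok = sum(trunk.admit(flood_site) for _ in range(flood_attempts))
    critical_ok = sum(trunk.admit(critical_site) for _ in range(critical_attempts))
    return flood_ok, critical_ok


if __name__ == "__main__":
    # Constructed scenario: 100-channel trunk, 150-call flood at the admin site.
    print("no per-site cap   :", simulate_bleed_over(100, 150))
    print("admin capped at 20:", simulate_bleed_over(100, 150, {"admin": 20}))
```

The caps only help if the shares of the non-critical sites add up to less than the trunk capacity minus what the critical site needs at peak; an equivalent formulation reserves a fixed number of channels for the contact center and lets the remainder float between the other sites. Either way, the setting belongs on the device that actually terminates the centralized trunk, since a flood that reaches the IP PBX has already consumed the bandwidth the figure shows bleeding over.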

Increased Threats from the Public Voice Network

A primary way in which UC is changing the threat to enterprise voice networks is the increasingly simple and inexpensive ability for hackers to originate VoIP/SIP calls in the PSTN. Figure 1-5 illustrates the threat from this network.


Figure 1-5 Increased threats from the public voice network

As the public voice network has migrated to UC, it has become easy and inexpensive to originate large numbers of concurrent calls and target enterprises. Although the trunking entry point into enterprises remains primarily TDM, the call origination point is increasingly VoIP/SIP. On the origination side, the public voice network is starting to look more like the Internet every day from a call-generation point of view. This change is accelerating and is out of the control of the enterprise. Service providers, who are in the business of delivering calls, are neither incentivized nor equipped to address these types of threats. This call-origination transition is occurring independently of how the enterprise chooses to adopt UC. This transition represents the most significant threat to enterprise networks.

SIP trunks, consumer/cable SIP offerings, Internet-based SIP services, softphones, and smartphones all combine to make it easy and common to originate calls with SIP. Call origination through SIP makes it very simple to spoof caller ID. Also, it is very easy to use free software such as the Asterisk/Trixbox IP PBX, a call generator such as SIPp, and other tools to automatically generate calls. These call generators are commonly referred to as robodialers. Call-generation capability can be set up in a matter of hours or days to enable harassing call campaigns, which include annoyance, TDoS, call pumping, voice SPAM, and voice phishing. It is already possible to generate thousands of concurrent calls; with each passing day, the threat gets worse. Even now, it is possible for a UC-aware botnet to fire up and generate tens of thousands of simultaneous calls.

One reason why these threats are so dangerous is that the hacker doesn’t need to know a lot about the system the enterprise is using. For many of the attacks, all a hacker needs is a list of phone numbers—or it could even be a single number for some attacks, such as a 1-800 number—which is easily and safely gathered from a website. Some of the possible attacks include the following:

Contact center: For harassing calls or TDoS. The target can be a financial contact center or other critical voice service, such as 911 or 311. These are very easy targets to identify, because one or several numbers are made widely available to make sure consumers or users can easily access the service. Basically no scanning/enumeration is necessary. The motivation here is likely disruption, but the attack could possibly be for financial reasons, extortion, or for cover.

Specific user and contact center: A hacker may target a specific user—perhaps a high wealth individual—to attempt to social engineer an interactive voice response (IVR) or agent into allowing an illicit financial transaction. UC makes this easier, because it makes it so simple to spoof caller ID. The hacker can mask their identity and/or spoof it to look like the target user.

High-profile user: For harassing calls. The target may be a politician, enterprise executive, or other high-profile user.

General users: For attacks such as voice SPAM and voice phishing/vishing. The target is enterprise users/consumers, so the hacker needs information such as specific or even random numbers. Some large enterprises have entire exchanges that can be easily determined.

Toll fraud: The target is outbound access trunks, which can be used to make long-distance and international calls. The hacker looks for a poorly configured DISA, media gateway, video system, and so on.

Hosted UC

Hosted UC is a deployment where the service provider hosts the IP PBX and other UC application servers in their public cloud. The enterprise simply deploys IP phones or softphones. This deployment offers the classic advantages and disadvantages over an enterprise-deployed IP PBX. However, unlike classic Centrex, hosted UC can be delivered and expanded/reduced much more quickly and cost effectively. Figure 1-6 illustrates a hosted UC deployment.


Figure 1-6 Hosted UC

From a security point of view, hosted UC offers some advantages because the enterprise does not need to worry about securing the complex IP PBX and its devices, services, and supporting applications. The enterprise should still be concerned about threats such as eavesdropping and possibly malware delivered to softphones from the service provider. The enterprise will now have many connections open to the service provider that it will want to secure, especially if the Internet is used to deliver the hosted IP service.

More importantly, the enterprise is now depending on the service provider to address the voice application threats described in the previous sections. The enterprise still has some exposure to toll fraud and is still very vulnerable to inbound voice application attacks such as social engineering, harassing calls, and TDoS. These threats all still exist, but the enterprise has shifted the responsibility of addressing them to the service provider.


UC systems face many threats, a majority of which have gotten worse because of the increasing threat and hostility level of the public voice network (PVN). Attacks such as TDoS, call pumping, harassing calls, voice SPAM, voice phishing/vishing, social engineering, and toll fraud have become the biggest issues for enterprises, especially those with financial contact centers. Most UC systems are internal and can primarily be attacked from a packet point of view from within the network. An attacker with the right incentive, access, and tools can easily exploit a UC system. These same UC systems are slowly being exposed to public networks through SIP and traffic over the Internet, which will only increase the threat.

See the “References” for more information.8–11


1. Voice and Unified Communications—State of Security Report 2013, www.securelogix.com/sos/.

2. Voice over IP Security Alliance, www.voipsa.org.

3. VoIPSA Threat Taxonomy, www.voipsa.org/Activities/taxonomy.php.

4. Blue Box Podcast, www.blueboxpodcast.com.

5. Mark Collier’s VoIP/UC Security Blog, www.voipsecurityblog.com/.

6. Communications Fraud Control Association (CFCA), www.cfca.org.

7. Cisco Unified Border Element (CUBE), www.cisco.com.

8. NIST Security Considerations for Voice Over IP Systems, http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf.

9. SANS VoIP Security Training, www.sans.org/course/voip-security.

10. SANS Institute InfoSec Reading Room, www.sans.org/reading_room/whitepapers/voip/voip-security-vulnerabilities_2036.

11. VoIP Security, VoIP-Info.org, www.voip-info.org/wiki/view/VOIP+Security.