How vulnerable is Voice over IP?

While VoIP attacks are still rare today, these are expected to increase by 50 per cent in 2008, according to McAfee research. The prediction is based on extrapolation of recent trends: more than twice the number of VoIP-related vulnerabilities were reported in 2007 versus the previous year.

“The knowledge to hack into VoIP systems follows the level of VoIP penetration,” says Bogdan Materna, CTO at Ottawa-based security provider VoIPshield Systems Inc. “Hackers lack the experience now, so it’s not that popular. We know cases are happening but affected parties are not going public, and this is one of the issues in the industry. There are no entities like CERT (Computer Emergency Response Team) or surveys to track VoIP incidents like there are for data security breaches.”

From a staffing perspective, security management for integrated platforms introduces new headaches, he says. “Telecom staff understand voice but not IP networks, with IT people it’s the reverse, and security guys know something about IP but voice is foreign to them. These groups have to merge and work together, so just from a process point of view, this can cause security issues.”

Physical security
VoIP networks are vulnerable to all manner of familiar data network exploits such as denial of service attacks, worms, and viruses. While there are best practices for securing converged networks with technology, there are areas of concern outside the network.

Physical security around VoIP is an area that requires rethinking, as many functions become logical ones, says Materna. “The old PBX boxes used to be physically separate systems with a separate telecom group looking after them. But VoIP is just servers and computers running software, so all kinds of new issues — weak passwords, who can access servers to do what — are introduced.”

But traditional physical security measures are still needed. A U.S. National Institute of Standards and Technology (NIST) report warns that even if companies deploying VoIP systems follow all security best practices by installing VoIP-enabled firewalls, intrusion detection systems and voice traffic encryption, they will still need locks and security guards to make sure attackers don’t get access to the servers.

There are also access and role-based issues to consider in a call centre environment, which has sensitive functions that can be more easily abused. The call recording function to monitor quality, for example, can now amass large quantities of calls containing customer information in digital, easily downloaded formats, says Materna.

Other managerial functions are also vulnerable. “Supervisor functions that allow managers to listen in on calls to review how agents interact with customers are software functions in a VoIP system,” says Gary Audin, president of Delphi Inc., an Arlington, VA-based telecom consultancy. “With PBX boxes, this was a wired separately with a physical connection, and no one else could use it unless they had access to the physical station. Now that it’s a logical function, anyone who can take on a supervisor role can eavesdrop.” Audin adds that Cisco’s own VoIP system was abused by an employee who used this tactic to eavesdrop on his boss’ discussions about performance evaluations and salaries.

To tackle these shifts in logical and physical security, Nortel best practices recommend general controlled and monitored access to data centres, secure rooms with privileged access and role-based access to VoIP and call centre infrastructure, in addition to audit trails, threat assessment/intrusion detection systems, and securing external access to infrastructure via VPN or other methods for networks.

Human VoIP factors
 “VoIP networks are capable of being secured with a layered security architecture ”“ but hackers can bypass all that with social engineering, which defeats all the technology,” says Tracy Fleming, IP telephony practice leader at Avaya Canada. As with data networks, security training will need to be extended to call centre agents to help them resist being tricked into revealing passwords or other access information to hackers masquerading as IT staff once voice and data networks merge.

At the customer end, one profitable new form of social engineering that combines new technology with human trickery is “vishing,” or phishing using VoIP networks, says Materna. In this new scam, hackers set up a 1-800 number and a fake call centre for a legitimate financial institution, then send e-mails to induce unwitting customers to call and divulge their account numbers, personal identification numbers (PINs) and other information. “All the voice prompts sound the same as their bank, but they’re actually talking to hackers,” he says. “These incidents haven’t been revealed in the public domain, but we’re heard this has already happened at some banks.”

---

Materna points out that social engineering tactics are actually easier with voice systems. “Many people don’t trust the Web or e-mail when it comes to providing sensitive information, but they still trust their phones. Now that VoIP is becoming part of the Internet infrastructure, a lot of data security issues are migrating to VoIP.” Customer authentication mechanisms such as PINs aren’t robust enough in this new terrain and will need to be fortified with other mechanisms as VoIP systems proliferate, he adds.

Another important human issue is agent screening. The opportunity to steal customer data and commit fraud increases dramatically with VoIP. Conversations with customers used to disappear into the ether, but voice files containing customers’ financial information can be more easily stolen via downloaded files. In a widely-publicized 2006 incident, a call centre agent at an outsourced Indian facility for London-based HSBC bank diverted $424,689 of customer funds into his own account. The press reported with glee that the bank had not conducted a background check on the agent to save $215.

 The rise of virtual contact centres that connect teleworkers via VoIP systems is another major trend that requires security attention. “These are getting popular, as it’s one of the main advantages of VoIP,” says Materna. By allowing agents to telework from their homes, companies can save on real estate costs and employ staff anywhere.

But along with the benefits come the headaches of securing remote home environments where enterprises have little control. To pre-empt any potential issues, many companies equip remote agents with terminals or web-based stations that don’t run corporate applications locally, says Fleming. “Nothing is left on the computer when transactions are done. Many also have no-printer policies, and we’re even seeing screens where you can only see the information straight-on but not at an angle.”

Voxcom gets VoIP
The ability to tap into labour markets anywhere was one of the main drivers in implementing VoIP at Voxcom’s call centre, says Patti McDougall, manager of quality assurance and telecom services. The Edmonton-based security company monitors 125,000 residences and small commercial businesses across Canada for intruders, fire, floods and other risks.

Unemployment rates are low in boomtown Edmonton, and the company is looking at ways to attract new employees and retain key talent, she explains. “We started an at-home agent program so we could leverage our technology to accommodate teleworkers and not be bound to any one region for staff.”

Security was a key consideration in developing the program, as a high degree of reliability is required of Voxcom’s agents and systems. “It’s an emergency response call centre, so our operators are responsible for dealing with alarms going off on customers’ panels, be it contacting the customer, police, or medical personnel,” says McDougall.

The company did its due diligence before embarking on the program. “We spoke to many companies doing VoIP at home to identify any issues ahead of time,” she says. Voxcom considered but rejected the idea of allowing staff to use their own home PCs. “We wanted to be able to control the level of access and security,” she says. “The only thing available on a home desktop is the agent software via a VPN connection.”

Voxcom equipped its home agents with PCs that are actually glorified terminals. All processing is done through a terminal server application that links to corporate customer relationship management (CRM) applications where customer information is stored, she says. “Nothing is stored locally so we don’t need to deal with viruses and firewalls. And you can’t see from peripheral vision what’s on the screen.”

In addition, home agents are required to sign an agreement stating the PC will only be used for Voxcom business. ”The agreement also outlines expectations, roles and guidelines for working at home, including suggestions for personal safety, for example, if they get injured at home while working. We also do random audits of at-home agents, and we have 100 per cent call recording and 30 per cent screen recordings to check for compliance.”

About 15 of Voxcom’s 100 call centre agents are teleworkers, and the company plans to expand the program into other departments and regions in the future, she says. To qualify for the home program, staff must meet certain criteria. “We conduct background checks on all our employees regardless but there’s a second level for home agents. They have to have been with us a minimum of six to 12 months, must meet certain criteria based on quality scores, and can’t have had any disciplinary actions in the past year,” she says.