IBM warns of rising VoIP cyber-attacks

IBM says the Session Initiation Protocol (SIP) and Cisco's Skinny Client Control Protocol (SCCP) are the most common targets.

Cyber-attacks using the VoIP protocol Session Initiation Protocol (SIP) have been growing this year, accounting for over 51% of the security event activity analyzed in the last 12 months, according to a report from IBM’s Security Intelligence group this week.

“SIP is one of the most commonly used application layer protocols in VoIP technology… we found that there has been an upward trend in attacks targeting the SIP protocol, with the most notable uptick occurring in the second half of 2016,” IBM wrote. “In actual attacks on VoIP communications, we note various types of disruption. Spikes in July and September were mostly the result of specially crafted SIP messages that were terminated incorrectly. Persistent, invalid messages are known to cause vulnerable servers and equipment to fail. The spike in October 2016 was largely influenced by SIP messages with invalid characters in the SIP “To” field. These could be reflective of suspicious activity, necessitating further investigation.”
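A defender-side sanity check for the two anomalies IBM describes above (SIP messages that are terminated incorrectly and To headers containing invalid characters), written as an added example that is not from the article or from IBM. The sample messages are constructed, and the allowed-character set for the To header is a deliberately conservative assumption rather than the full RFC 3261 grammar.

```python
import re
from collections import Counter

# RFC 3261 ends each header line with CRLF and closes the header block with an
# empty line, so a well-formed request always contains CRLF CRLF.
CRLF = "\r\n"
REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ SIP/2\.0$")
# Assumption: a conservative allow-list for To header values (display name,
# angle brackets, sip: URI characters and ;tag= parameters). Anything else,
# including control bytes, is flagged for a closer look.
TO_VALUE = re.compile(r"""^[A-Za-z0-9 "'<>:@.;=+\-_~!*()/?&]*$""")


def inspect_sip_request(raw: str) -> list:
    """Return anomaly labels for one SIP request; an empty list means it looks sane."""
    findings = []
    if CRLF + CRLF not in raw:
        findings.append("missing CRLFCRLF terminator")
        head = raw
    else:
        head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    if not REQUEST_LINE.match(lines[0]):
        findings.append("malformed request line")
    # "t:" is the compact form of the To header allowed by RFC 3261.
    to_values = [l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith(("to:", "t:"))]
    if not to_values:
        findings.append("missing To header")
    for value in to_values:
        if not TO_VALUE.match(value):
            findings.append("invalid characters in To header")
    return findings


def count_anomalies(messages) -> Counter:
    """Tally anomaly labels across a batch, the kind of count behind a monthly spike."""
    return Counter(label for m in messages for label in inspect_sip_request(m))


# Constructed sample traffic: one clean INVITE, one with a control byte in the
# To field, and one whose header block is never terminated.
GOOD = ("INVITE sip:bob@example.com SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
        "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
        "To: Bob <sip:bob@example.com>\r\n"
        "Call-ID: a84b4c76e66710\r\nCSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n")
BAD_TO = GOOD.replace("To: Bob <sip:bob@example.com>", "To: Bob <sip:bob@exam\x00ple.com>")
UNTERMINATED = GOOD[:-2]

if __name__ == "__main__":
    print(count_anomalies([GOOD, BAD_TO, UNTERMINATED]))
```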

IBM said that Cisco’s proprietary Skinny Client Control Protocol (SCCP) accounted for just over 48% of detected security events during the same time period. SCCP is used for communication between Cisco Unified Communications Manager and Cisco VoIP phones. Unlike attacks targeting SIP, those targeting the SCCP protocol have been declining slightly over the past 12 months, IBM noted.

“A large majority of the security events targeting the SCCP protocol — nearly 74% — are actually pre-attack probes that enable the perpetrators to examine device capabilities and gather information on potential targets. Finally, the H225 protocol, which is part of the H.323 protocol suite, accounted for less than 1% of the activity — barely a blip on the first chart,” IBM stated.

As IBM states, because VoIP routes calls through the same paths used by network and internet traffic, it is also subject to some of the same vulnerabilities and threats cybercriminals use to exploit these networks. VoIP traffic can thus be intercepted, captured or modified and is subject to attacks aimed at degrading or eliminating service.


VoIP technology lets fraudsters conduct caller ID spoofing with minimal cost and effort, IBM stated. This lets attackers acquire information or facilitate additional scams against their targets.

Earlier this year there were reports of certain VoIP phones that had insecure default configurations, which allowed attackers to make, receive and transfer calls, play recordings, upload new firmware and even use victims’ devices for covert surveillance. VoIP services are also subject to abuses such as toll fraud, which involves taking control of network access to avoid paying for telephone calls, IBM wrote. An attacker can also carry out a distributed denial-of-service (DDoS) attack by flooding a company’s telephone service with thousands of junk calls per minute from automated IP dialers, IBM stated.

The Internal Revenue Service has for years been battling a huge telephone scam greatly enabled by fraudsters using VoIP spoofing phones and pretending to be IRS agents. Other agencies too have had this problem. And of course the robocall scourge is largely dependent on making use of VoIP.

So, what can be done? Cisco’s Talos security group suggested the following techniques to reduce VoIP security issues:

  • Apply encryption by segment, device, or user; encrypting indiscriminately can result in excessive network latency or introduce operational overhead and complexity.
  • Encrypt the signaling at your Internet gateway with Session Initiation Protocol (SIP) over Transport Layer Security (TLS); your service provider's switch fabric may do this.
  • Use VPNs for network connections by remote phones. This is especially important when HTTPS or SRTP is unavailable.
  • Apply strong passwords to access the voicemail inbox. Immediately change the default password to a strong password, then change it as often as your company's policy dictates for changing login and email passwords.
  • Delete sensitive voicemail messages as soon as users have listened to them. Not storing voicemails is the easiest and most effective way to protect them.
  • Immediately report anomalies. You may not know a phone has been hacked until an employee reports an odd occurrence, such as a saved voicemail message that has been deleted or forwarded to an unusual number.
