The Internet and its role in VoIP Hacking
If nothing else, Edward Snowden taught us to lock our doors, that no internet systems by default are secure, and importantly there are as many bad actors as good, and that everything. In this knowledge base we discuss can VoIP can be hacked?
The story of how this junior Microsoft networking recruit with minimal security experience rocketed through the CIA and the NSA is a cautionary tale for anyone connected to systems on the public internet. Ed Snowden wasn’t that dark sunglasses spy in a long overcoat. His last days at the NSA were in an underground bunker in Hawaii, developing the routines to exploit known holes in his target networks, prying for anything of interest. While Snowden probably never considered the question of VoIP security, his disclosures are that VoIP (or SIP) communications are only as secure as deliberate fraud strategies. And this was before the search engines, credit cards, and social media companies began legally tracking every page visit and interaction for sale to the highest bidder.
Registration – Passwords and TLS
Registration is the process of connecting a handset or softphone directly to a public SIP proxy. While Registered handsets appear to be permanently connected, they, in fact, Register on time scales between 10-3,600 seconds (we recommend 180 seconds). It’s this constant process of re-registration that exposes the opportunity for fraud.
The example configuration below holds all the information required by the phone and, of course, the VoIP hackers to make and receive calls via Registration:
- Phone number: 13106771246
- Password: abc.123
- Proxy: sip.sipcity.com
- Port: 5060
- Transport: UDP
- RegRenewal: 180
In this example, the combination of a weak password using the default UDP “5060” is the source of the vulnerability. While stable and convenient, UDP is an old technology that sends clear text between the phone and our network. Without encryption, communication over UDP is easily intercepted during the re-Registration cycles. Using tools like “SIP Vicious”, VoIP hackers will scour millions of Registrations across port 5060, revealing tens if not hundreds of thousands of vulnerable accounts. It’s this stage where weak passwords pose their vulnerability. Once the target has been identified, the process of password cracking is straightforward for the hacker, with the help of password databases like “RockYou” and “Pwned”, which hold more than a billion example passwords that the hackers are caching on their systems.
For Registration, the simple defence is strong passwords complimented by substituting UDP on port 5060 to TLS encryption on port 5061. That’s it in a nutshell. The combination of TLS and strong passwords combined with our security measures are robust and highly effective strategies to secure customers’ on-premise equipment.
As a footnote to TLS, all SIPcity’s mobile applications are configured by default to use TLS on port 5061. Equally, SIPcity insists on strong passwords through our login and authentical process.
SIP Peering
SIP Peering (‘Peering’) is the process where customers connect their customer on-premise equipment or CPE to a SIP proxy. The difference between Registration and Peering is that the latter utilises a network peer permanently between the customer’s WAN IP and a public proxy. With SIP Peering, there is no concept of Registration or even credentials. When the customer converts their account to Peering, SIPcity routes all traffic to the nominated WAN IP. The customer on their side with NATTS that traffic to its on-premise IP-PBX.
So how does a fraudster attack the account? An all too common error for IT Support Engineers is assuming the communication between the customer CPE and the proxy is private. Similar to Registration, a ‘SIP Vicious’ 5060 port scan port will quickly identify the IP-PBX CPE. From experience, Hackers are continuously probing for makes and models of IP-PBX systems deployed using Default passwords. Typical examples are NEC, Avaya and most open-source Asterisk systems. The fault isn’t with these devices or systems themselves but, from experience, with generalist IT Consultants and Engineers with minimal understanding of VoIP systems and the associated fraud risks. All too often, when triaging the compromise, the fault lies squarely with these generalist IT Engineers.
For SIP Peering customers, we recommend the following:
- Firewalls: SIP Peering accounts should always be protected by firewalls to block and filter all communication down to the VoIP Service Provider’s public IP (27.111.12.66 /24).
- Passwords: Without the protection of a firewall, only the CPE password stands between the VoIP hacker and a compromised account. Insist on using 11-16 character passwords, including numbers and special characters.
The Market for VoIP Hacking and Toll Fraud
This is a side note, yet essential to the background of the motivation and business of VoIP fraud. Historically the market for VoIP services was for International Calling Cards, sold cheaply on the streets in countries where international toll calls were prohibitively expensive. But as that market evaporated, the hackers shifted to selling international routes direct to carriers in countries with dubious service offerings. While some countries have seen fallen international calling costs, the fraud market almost exclusively provides routes into war-torn regions like Somalia, Congo, Ethiopia, and Sudan. In many of these locations, a mobile call cost can go as high as $10 per minute. We now add Afghanistan, Yemen, and Libya to the list for the same reasons.
In Europe, the issue is expensive routes; Luxemburg, Netherlands, Russia, and Switzerland are a few examples of destinations that, for their own reasons, have more costly routes than mobile calls into France or Germany.
VoIP Hacks and the toll fraud resale market
The initial fraud’s perpetrators are rarely the compromised accounts’ final resellers.
The research suggests that hackers are motivated by the challenge and notoriety of breaking into a system more than any financial reward. Like many of the best software developers, hackers begin their craft in adolescence or as young teenagers. By early adulthood, when most graduate developers are mere novices, this group is writing elegant and sophisticated programs in C++ with the ability to cache billion-word password libraries like RockYou and Pwned in seconds.
By this stage, the VoIP hackers understand and have normalised the risks of what they do. In reality, the people monetising the frauds are maybe three or four times removed from the initial hack. We have seen examples of the final consumers being otherwise legitimate companies, if not willfully blind in the final schemes. We have also seen compromises implemented many months are the first compromise.
Summary
The question remains – is VoIP secure? Yes, it is. With the implementation of strong passwords at all application device and software levels and by following some simple strategies, it can be very secure. Without a sound security strategy, VoIP is no different to any other internet service offering with money attached.
Need more information?
SIPcity takes VoIP security very seriously. Read more information on TCP, TLS and Secure RTP Options.
Find out more about How Secure is SIPcity’s VoIP system and contact our team about our Calling Plans and Cloud PBX features.
- Call 1800 150 686
- Email us info@sipcity.com.au
