Hello, You’ve Been Compromised: Upward Attack Trend Targeting VoIP Protocol SIP

VoIP Attacks by the Numbers

There are numerous protocols used in voice-over-IP (VoIP) communications. According to IBM Managed Security Services (MSS) data, the most targeted VoIP protocol is Session Initiation Protocol (SIP), which accounted for over 51 percent of the security event activity analyzed in the last 12 months.

VoIP graphs

SIP is one of the most commonly used application layer protocols in VoIP technology, so it’s not surprising that it’s the most targeted. In fact, we found that there has been an upward trend in attacks targeting the SIP protocol, with the most notable uptick occurring in the second half of 2016.

VoIP graphs

In actual attacks on VoIP communications, we note various types of disruption. Spikes in July and September were mostly the result of specially crafted SIP messages that were terminated incorrectly. Persistent, invalid messages are known to cause vulnerable servers and equipment to fail. The spike in October 2016 was largely influenced by SIP messages with invalid characters in the SIP “To” field. These could be reflective of suspicious activity, necessitating further investigation.

The second most targeted protocol, Cisco’s proprietary Skinny Client Control Protocol (SCCP), accounted for just over 48 percent of detected security events during the same time period. SCCP is a lightweight, IP-based protocol used for communication between Cisco Unified Communications Manager and Cisco VoIP phones. Unlike attacks targeting SIP, those targeting the SCCP protocol have been declining slightly over the past 12 months.

VoIP graphs

A large majority of the security events targeting the SCCP protocol — nearly 74 percent — are actually pre-attack probes that enable the perpetrators to examine device capabilities and gather information on potential targets. Finally, the H225 protocol, which is part of the H.323 protocol suite, accounted for less than 1 percent of the activity — barely a blip on the first chart.

According to WhaTech, the global VoIP services market will expand at a 9.7 percent compound annual growth rate (CAGR) between 2014 and 2020. As businesses and consumers adopt VoIP to reduce costs, are they also introducing unforeseen risks?

Nothing to SPIT At

When it comes to unsolicited information, we’ve gotten pretty good at dealing with or reducing email spam in our inbox. But what about spam over internet telephony (SPIT), also known as VoIP spam? These unsolicited, automated phone calls made from internet-provided numbers are just as annoying as junk mail.

Since it is connected to the same pipes as spam, so to speak, VoIP technology has aided the proliferation of robocalls, allowing scammers to make illegal calls from anywhere in the world. It floods consumers and businesses with marketing calls, surveys and even identity theft scams, also known as vishing.

Unfortunately, stopping these calls is not as easy as flagging unsolicited email. Despite a Federal Communications Commission (FCC) ruling in June 2015 that gave U.S. telecommunication companies permission to provide robocall-blocking technology to consumers, the problem does not seem to be subsiding. In fact, the Federal Trade Commission (FTC) hosted a contest at DEF CON that challenged contestants to create a solution to automatically block and forward robocalls to a research honeypot.

In May 2016, the National Consumer Law Center (NCLC) reported that it expected the FTC to receive more than 3.3 million complaints concerning robocalls in 2016. The FCC provided a list of resources to help consumers stop these annoying or even fraudulent robocalls.

Vish and Chips

Beyond the irritation factor, attackers have found additional ways to capitalize on VoIP technology that pose a higher risk to both consumers and businesses. Because VoIP routes calls through the same paths used by network and internet traffic, it is also subject to some of the same vulnerabilities and threats cybercriminals use to exploit these networks. VoIP traffic can thus be intercepted, captured or modified and is subject to attacks aimed at degrading or eliminating service.

VoIP technology allows malicious individuals to conduct caller ID spoofing with minimal cost and effort. This enables attackers to obtain information or facilitate additional scams against their targets. A February report, for example, highlighted issues with certain VoIP phones that had insecure default configurations, which allowed attackers to make, receive and transfer calls, play recordings, upload new firmware and even use victims’ devices for covert surveillance.

VoIP services are also subject to abuses such as toll fraud, which involves taking control of network access to avoid paying for telephone calls. VoIP phone consumers should avoid blindly relying on the manufacturer’s default security settings and use strong passwords.

An attacker can carry out a distributed denial-of-service (DDoS) attack by flooding a company’s telephone service with thousands of junk calls per minute from automated IP dialers. A phone DDoS attack could cripple an organization that relies heavily on its phone systems. The method has even been used to prevent fraud victims from calling their banks after large sums of money were stolen from their bank accounts.

Secure Your VoIP Phones

VoIP risks extend beyond spam and eavesdropping. These phones connect a large variety of devices, and cybercriminals can weaponize any internet-connected corporate or consumer device. It’s imperative that organizations and consumers take the following steps to secure their VoIP phones:

  • Use strong passwords. Leaving the default admin password or using a weak password leaves your VoIP phone vulnerable to compromise. Default VoIP passwords are publicly available, and weak passwords are easy to guess or brute force. Don’t forget to harden your voicemail password, too.
  • Enable encryption. VoIP calls are transmitted over the internet unencrypted, allowing malicious actors to easily intercept data packets and record calls. Encryption can be enabled and configured between different points, depending on your setup and equipment, to make sure calls won’t be bugged. Talk to your VoIP vendor to get more details on how to enable the encryption option.
  • Consider using a VPN. A VPN can enhance VoIP security by encrypting voice traffic, mitigating the threat of an attacker using a network analyzer to capture the data.

Exploiting VoIP vulnerabilities and weaknesses may be an old-school cybercriminal trick, but given the rise in attacks targeting the SIP protocol, it’s clear that this tried-and-true threat is still at large.

Beware of older cyber attacks — Read the complete X-Force report

Share this Article:
Michelle Alvarez

Threat Researcher and Editor, IBM Managed Security Services

Michelle Alvarez is a Threat Researcher and Editor for IBM's Managed Security Services; she brings more than 10 years of industry experience to her role. In this role she focuses communications efforts around threat research and mitigation. Michelle joined IBM through the Internet Security Services (ISS) acquisition, where she served as an Analyst on the X-Force Vulnerability Database Team.