VoIP Attacks by the Numbers

There are numerous protocols used in voice-over-IP (VoIP) communications. According to IBM Managed Security Services (MSS) data, the most targeted VoIP protocol is Session Initiation Protocol (SIP), which accounted for over 51 percent of the security event activity analyzed in the last 12 months.

SIP is one of the most commonly used application layer protocols in VoIP technology, so it’s not surprising that it’s the most targeted. In fact, we found that there has been an upward trend in attacks targeting SIP, with the most notable uptick occurring in the second half of 2016.

In actual attacks on VoIP communications, we note various types of disruption. Spikes in July and September were mostly the result of specially crafted SIP messages that were terminated incorrectly. Persistent, invalid messages are known to cause vulnerable servers and equipment to fail. The spike in October 2016 was largely influenced by SIP messages with invalid characters in the SIP “To” field. These could be reflective of suspicious activity, necessitating further investigation.
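Both malformations described above, incorrect message termination and invalid characters in the To field, can be checked on the raw bytes of a SIP message before it reaches a parser. The following Python check is an added example, not IBM's detection logic; the finding names, the `build` helper and the sample messages are constructed for illustration. Restricting To to printable ASCII is a deliberately conservative assumption.

```python
import re

HEADER_END = b"\r\n\r\n"                      # RFC 3261: a blank CRLF line ends the headers
TO_PRINTABLE = re.compile(rb"[\x20-\x7e]+")   # assumption: printable ASCII only in To
TO_URI = re.compile(rb'(sips?|tel):[^\s<>"]+')

def check_sip_message(raw: bytes) -> list:
    """Return findings for one SIP message as received off the wire."""
    findings = []
    head, sep, body = raw.partition(HEADER_END)
    if not sep:
        findings.append("unterminated-headers")
    # After removing valid CRLF pairs, any CR or LF left over is a bare line ending.
    leftover = head.replace(b"\r\n", b"")
    if b"\r" in leftover or b"\n" in leftover:
        findings.append("bare-cr-or-lf")
    # Unfold continuation lines, then index headers by lower-cased name.
    headers = {}
    for line in re.sub(rb"\r\n[ \t]+", b" ", head).split(b"\r\n")[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    to_values = headers.get(b"to", []) + headers.get(b"t", [])  # "t" is the compact form
    if len(to_values) != 1:
        findings.append("to-header-count")
    for value in to_values:
        if not TO_PRINTABLE.fullmatch(value):
            findings.append("to-invalid-chars")
        elif not TO_URI.search(value):
            findings.append("to-missing-uri")
    for value in headers.get(b"content-length", []) + headers.get(b"l", []):
        if not value.isdigit():
            findings.append("bad-content-length")
        elif int(value) > len(body):
            findings.append("truncated-body")
    return findings

def build(to: bytes, end: bytes = HEADER_END) -> bytes:
    """Constructed sample message (not captured traffic)."""
    lines = [b"INVITE sip:bob@example.net SIP/2.0",
             b"Via: SIP/2.0/UDP pc.example.org;branch=z9hG4bK776",
             b"From: <sip:alice@example.org>;tag=1928",
             b"To: " + to, b"Call-ID: a84b4c76e66710",
             b"CSeq: 1 INVITE", b"Content-Length: 0"]
    return b"\r\n".join(lines) + end

if __name__ == "__main__":
    for label, msg in [("valid", build(b"Bob <sip:bob@example.net>")),
                       ("no blank line", build(b"Bob <sip:bob@example.net>", end=b"\r\n")),
                       ("NUL in To", build(b"Bob <sip:bob\x00@example.net>"))]:
        print(label, check_sip_message(msg))
```

Repeated findings from one source are the signal worth escalating, since a single malformed message can also come from a buggy client.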

The second most targeted protocol, Cisco’s proprietary Skinny Client Control Protocol (SCCP), accounted for just over 48 percent of detected security events during the same time period. SCCP is a lightweight, IP-based protocol used for communication between Cisco Unified Communications Manager and Cisco VoIP phones. Unlike attacks targeting SIP, those targeting SCCP have been declining slightly over the past 12 months.

A large majority of the security events targeting the SCCP protocol — nearly 74 percent — are actually pre-attack probes that enable the perpetrators to examine device capabilities and gather information on potential targets. Finally, the H225 protocol, which is part of the H.323 protocol suite, accounted for less than 1 percent of the activity — barely a blip on the first chart.

According to WhaTech, the global VoIP services market will expand at a 9.7 percent compound annual growth rate (CAGR) between 2014 and 2020. As businesses and consumers adopt VoIP to reduce costs, are they also introducing unforeseen risks?

Nothing to SPIT At

When it comes to unsolicited information, we’ve gotten pretty good at dealing with or reducing email spam in our inbox. But what about spam over internet telephony (SPIT), also known as VoIP spam? These unsolicited, automated phone calls made from internet-provided numbers are just as annoying as junk mail.

Since it is connected to the same pipes as spam, so to speak, VoIP technology has aided the proliferation of robocalls, allowing scammers to make illegal calls from anywhere in the world. These calls flood consumers and businesses with marketing calls, surveys and even identity theft scams, also known as vishing.

Unfortunately, stopping these calls is not as easy as flagging unsolicited email. Despite a Federal Communications Commission (FCC) ruling in June 2015 that gave U.S. telecommunication companies permission to provide robocall-blocking technology to consumers, the problem does not seem to be subsiding. In fact, the Federal Trade Commission (FTC) hosted a contest at DEF CON that challenged contestants to create a solution to automatically block and forward robocalls to a research honeypot.

In May 2016, the National Consumer Law Center (NCLC) reported that it expected the FTC to receive more than 3.3 million complaints concerning robocalls in 2016. The FCC provided a list of resources to help consumers stop these annoying or even fraudulent robocalls.

Vish and Chips

Beyond the irritation factor, attackers have found additional ways to capitalize on VoIP technology that pose a higher risk to both consumers and businesses. Because VoIP routes calls through the same paths used by network and internet traffic, it is also subject to some of the same vulnerabilities and threats cybercriminals use to exploit these networks. VoIP traffic can thus be intercepted, captured or modified and is subject to attacks aimed at degrading or eliminating service.

VoIP technology allows malicious individuals to conduct caller ID spoofing with minimal cost and effort. This enables attackers to obtain information or facilitate additional scams against their targets. A February report, for example, highlighted issues with certain VoIP phones that had insecure default configurations, which allowed attackers to make, receive and transfer calls, play recordings, upload new firmware and even use victims’ devices for covert surveillance.

VoIP services are also subject to abuses such as toll fraud, which involves taking control of network access to avoid paying for telephone calls. VoIP phone consumers should avoid blindly relying on the manufacturer’s default security settings and use strong passwords.

An attacker can carry out a distributed denial-of-service (DDoS) attack by flooding a company’s telephone service with thousands of junk calls per minute from automated IP dialers. A phone DDoS attack could cripple an organization that relies heavily on its phone systems. The method has even been used to prevent fraud victims from calling their banks after large sums of money were stolen from their bank accounts.

Secure Your VoIP Phones

VoIP risks extend beyond spam and eavesdropping. These phones connect a large variety of devices, and cybercriminals can weaponize any internet-connected corporate or consumer device. It’s imperative that organizations and consumers take the following steps to secure their VoIP phones:

  • Use strong passwords. Leaving the default admin password or using a weak password leaves your VoIP phone vulnerable to compromise. Default VoIP passwords are publicly available, and weak passwords are easy to guess or brute force. Don’t forget to harden your voicemail password, too.
  • Enable encryption. VoIP calls are transmitted over the internet unencrypted, allowing malicious actors to easily intercept data packets and record calls. Encryption can be enabled and configured between different points, depending on your setup and equipment, to make sure calls won’t be bugged. Talk to your VoIP vendor to get more details on how to enable the encryption option.
  • Consider using a VPN. A VPN can enhance VoIP security by encrypting voice traffic, mitigating the threat of an attacker using a network analyzer to capture the data.

Exploiting VoIP vulnerabilities and weaknesses may be an old-school cybercriminal trick, but given the rise in attacks targeting SIP, it’s clear that this tried-and-true threat is still at large.
