VoIP Attacks by the Numbers

There are numerous protocols used in voice-over-IP (VoIP) communications. According to IBM Managed Security Services (MSS) data, the most targeted VoIP protocol is Session Initiation Protocol (SIP), which accounted for over 51 percent of the security event activity analyzed in the last 12 months.

SIP is one of the most commonly used application layer protocols in VoIP technology, so it’s not surprising that it’s the most targeted. In fact, we found that there has been an upward trend in attacks targeting the SIP protocol, with the most notable uptick occurring in the second half of 2016.

In actual attacks on VoIP communications, we note various types of disruption. Spikes in July and September were mostly the result of specially crafted SIP messages that were terminated incorrectly. Persistent, invalid messages are known to cause vulnerable servers and equipment to fail. The spike in October 2016 was largely influenced by SIP messages with invalid characters in the SIP “To” field. These could be reflective of suspicious activity, necessitating further investigation.

The second most targeted protocol, Cisco’s proprietary Skinny Client Control Protocol (SCCP), accounted for just over 48 percent of detected security events during the same time period. SCCP is a lightweight, IP-based protocol used for communication between Cisco Unified Communications Manager and Cisco VoIP phones. Unlike attacks targeting SIP, those targeting the SCCP protocol have been declining slightly over the past 12 months.

A large majority of the security events targeting the SCCP protocol — nearly 74 percent — are actually pre-attack probes that enable the perpetrators to examine device capabilities and gather information on potential targets. Finally, the H225 protocol, which is part of the H.323 protocol suite, accounted for less than 1 percent of the activity — barely a blip on the first chart.

According to WhaTech, the global VoIP services market will expand at a 9.7 percent compound annual growth rate (CAGR) between 2014 and 2020. As businesses and consumers adopt VoIP to reduce costs, are they also introducing unforeseen risks?

Nothing to SPIT At

When it comes to unsolicited information, we’ve gotten pretty good at dealing with or reducing email spam in our inbox. But what about spam over internet telephony (SPIT), also known as VoIP spam? These unsolicited, automated phone calls made from internet-provided numbers are just as annoying as junk mail.

Since it is connected to the same pipes as spam, so to speak, VoIP technology has aided the proliferation of robocalls, allowing scammers to make illegal calls from anywhere in the world. It floods consumers and businesses with marketing calls, surveys and even identity theft scams, also known as vishing.

Unfortunately, stopping these calls is not as easy as flagging unsolicited email. Despite a Federal Communications Commission (FCC) ruling in June 2015 that gave U.S. telecommunication companies permission to provide robocall-blocking technology to consumers, the problem does not seem to be subsiding. In fact, the Federal Trade Commission (FTC) hosted a contest at DEF CON that challenged contestants to create a solution to automatically block and forward robocalls to a research honeypot.

In May 2016, the National Consumer Law Center (NCLC) reported that it expected the FTC to receive more than 3.3 million complaints concerning robocalls in 2016. The FCC provided a list of resources to help consumers stop these annoying or even fraudulent robocalls.

Vish and Chips

Beyond the irritation factor, attackers have found additional ways to capitalize on VoIP technology that pose a higher risk to both consumers and businesses. Because VoIP routes calls through the same paths used by network and internet traffic, it is also subject to some of the same vulnerabilities and threats cybercriminals use to exploit these networks. VoIP traffic can thus be intercepted, captured or modified and is subject to attacks aimed at degrading or eliminating service.

VoIP technology allows malicious individuals to conduct caller ID spoofing with minimal cost and effort. This enables attackers to obtain information or facilitate additional scams against their targets. A February report, for example, highlighted issues with certain VoIP phones that had insecure default configurations, which allowed attackers to make, receive and transfer calls, play recordings, upload new firmware and even use victims’ devices for covert surveillance.

VoIP services are also subject to abuses such as toll fraud, which involves taking control of network access to avoid paying for telephone calls. VoIP phone consumers should avoid blindly relying on the manufacturer’s default security settings and use strong passwords.

An attacker can carry out a distributed denial-of-service (DDoS) attack by flooding a company’s telephone service with thousands of junk calls per minute from automated IP dialers. A phone DDoS attack could cripple an organization that relies heavily on its phone systems. The method has even been used to prevent fraud victims from calling their banks after large sums of money were stolen from their bank accounts.

Secure Your VoIP Phones

VoIP risks extend beyond spam and eavesdropping. These phones connect a large variety of devices, and cybercriminals can weaponize any internet-connected corporate or consumer device. It’s imperative that organizations and consumers take the following steps to secure their VoIP phones:

  • Use strong passwords. Leaving the default admin password or using a weak password leaves your VoIP phone vulnerable to compromise. Default VoIP passwords are publicly available, and weak passwords are easy to guess or brute force. Don’t forget to harden your voicemail password, too.
  • Enable encryption. VoIP calls are transmitted over the internet unencrypted, allowing malicious actors to easily intercept data packets and record calls. Encryption can be enabled and configured between different points, depending on your setup and equipment, to make sure calls won’t be bugged. Talk to your VoIP vendor to get more details on how to enable the encryption option.
  • Consider using a VPN. A VPN can enhance VoIP security by encrypting voice traffic, mitigating the threat of an attacker using a network analyzer to capture the data.

Exploiting VoIP vulnerabilities and weaknesses may be an old-school cybercriminal trick, but given the rise in attacks targeting the SIP protocol, it’s clear that this tried-and-true threat is still at large.

Beware of older cyber attacks — Read the complete X-Force report

More from X-Force

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today