VoIP Attacks by the Numbers

There are numerous protocols used in voice-over-IP (VoIP) communications. According to IBM Managed Security Services (MSS) data, the most targeted VoIP protocol is Session Initiation Protocol (SIP), which accounted for over 51 percent of the security event activity analyzed in the last 12 months.

SIP is one of the most commonly used application layer protocols in VoIP technology, so it’s not surprising that it’s the most targeted. In fact, we found that there has been an upward trend in attacks targeting the SIP protocol, with the most notable uptick occurring in the second half of 2016.

In actual attacks on VoIP communications, we note various types of disruption. Spikes in July and September were mostly the result of specially crafted SIP messages that were terminated incorrectly. Persistent, invalid messages are known to cause vulnerable servers and equipment to fail. The spike in October 2016 was largely influenced by SIP messages with invalid characters in the SIP “To” field. These could be reflective of suspicious activity, necessitating further investigation.

The second most targeted protocol, Cisco’s proprietary Skinny Client Control Protocol (SCCP), accounted for just over 48 percent of detected security events during the same time period. SCCP is a lightweight, IP-based protocol used for communication between Cisco Unified Communications Manager and Cisco VoIP phones. Unlike attacks targeting SIP, those targeting the SCCP protocol have been declining slightly over the past 12 months.

A large majority of the security events targeting the SCCP protocol — nearly 74 percent — are actually pre-attack probes that enable the perpetrators to examine device capabilities and gather information on potential targets. Finally, the H225 protocol, which is part of the H.323 protocol suite, accounted for less than 1 percent of the activity — barely a blip on the first chart.

According to WhaTech, the global VoIP services market will expand at a 9.7 percent compound annual growth rate (CAGR) between 2014 and 2020. As businesses and consumers adopt VoIP to reduce costs, are they also introducing unforeseen risks?

Nothing to SPIT At

When it comes to unsolicited information, we’ve gotten pretty good at dealing with or reducing email spam in our inbox. But what about spam over internet telephony (SPIT), also known as VoIP spam? These unsolicited, automated phone calls made from internet-provided numbers are just as annoying as junk mail.

Since it is connected to the same pipes as spam, so to speak, VoIP technology has aided the proliferation of robocalls, allowing scammers to make illegal calls from anywhere in the world. It floods consumers and businesses with marketing calls, surveys and even identity theft scams, also known as vishing.

Unfortunately, stopping these calls is not as easy as flagging unsolicited email. Despite a Federal Communications Commission (FCC) ruling in June 2015 that gave U.S. telecommunication companies permission to provide robocall-blocking technology to consumers, the problem does not seem to be subsiding. In fact, the Federal Trade Commission (FTC) hosted a contest at DEF CON that challenged contestants to create a solution to automatically block and forward robocalls to a research honeypot.

In May 2016, the National Consumer Law Center (NCLC) reported that it expected the FTC to receive more than 3.3 million complaints concerning robocalls in 2016. The FCC provided a list of resources to help consumers stop these annoying or even fraudulent robocalls.

Vish and Chips

Beyond the irritation factor, attackers have found additional ways to capitalize on VoIP technology that pose a higher risk to both consumers and businesses. Because VoIP routes calls through the same paths used by network and internet traffic, it is also subject to some of the same vulnerabilities and threats cybercriminals use to exploit these networks. VoIP traffic can thus be intercepted, captured or modified and is subject to attacks aimed at degrading or eliminating service.

VoIP technology allows malicious individuals to conduct caller ID spoofing with minimal cost and effort. This enables attackers to obtain information or facilitate additional scams against their targets. A February report, for example, highlighted issues with certain VoIP phones that had insecure default configurations, which allowed attackers to make, receive and transfer calls, play recordings, upload new firmware and even use victims’ devices for covert surveillance.

VoIP services are also subject to abuses such as toll fraud, which involves taking control of network access to avoid paying for telephone calls. VoIP phone consumers should avoid blindly relying on the manufacturer’s default security settings and use strong passwords.

An attacker can carry out a distributed denial-of-service (DDoS) attack by flooding a company’s telephone service with thousands of junk calls per minute from automated IP dialers. A phone DDoS attack could cripple an organization that relies heavily on its phone systems. The method has even been used to prevent fraud victims from calling their banks after large sums of money were stolen from their bank accounts.

Secure Your VoIP Phones

VoIP risks extend beyond spam and eavesdropping. These phones connect a large variety of devices, and cybercriminals can weaponize any internet-connected corporate or consumer device. It’s imperative that organizations and consumers take the following steps to secure their VoIP phones:

  • Use strong passwords. Leaving the default admin password or using a weak password leaves your VoIP phone vulnerable to compromise. Default VoIP passwords are publicly available, and weak passwords are easy to guess or brute force. Don’t forget to harden your voicemail password, too.
  • Enable encryption. VoIP calls are transmitted over the internet unencrypted, allowing malicious actors to easily intercept data packets and record calls. Encryption can be enabled and configured between different points, depending on your setup and equipment, to make sure calls won’t be bugged. Talk to your VoIP vendor to get more details on how to enable the encryption option.
  • Consider using a VPN. A VPN can enhance VoIP security by encrypting voice traffic, mitigating the threat of an attacker using a network analyzer to capture the data.

Exploiting VoIP vulnerabilities and weaknesses may be an old-school cybercriminal trick, but given the rise in attacks targeting the SIP protocol, it’s clear that this tried-and-true threat is still at large.

Beware of older cyber attacks — Read the complete X-Force report

More from Security Services

5 Golden Rules of Threat Hunting

When a breach is uncovered, the operational cadence includes threat detection, quarantine and termination. While all stages can occur within the first hour of discovery, in some cases, that's already too late.Security operations center (SOC) teams monitor and hunt new threats continuously. To ward off the most advanced threats, security teams proactively hunt for ones that evade the dashboards of their security solutions.However, advanced threat actors have learned to blend in with their target's environment, remaining unnoticed for prolonged periods. Based…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

An IBM Hacker Breaks Down High-Profile Attacks

On September 19, 2022, an 18-year-old cyberattacker known as "teapotuberhacker" (aka TeaPot) allegedly breached the Slack messages of game developer Rockstar Games. Using this access, they pilfered over 90 videos of the upcoming Grand Theft Auto VI game. They then posted those videos on the fan website GTAForums.com. Gamers got an unsanctioned sneak peek of game footage, characters, plot points and other critical details. It was a game developer's worst nightmare. In addition, the malicious actor claimed responsibility for a…

Log4j Forever Changed What (Some) Cyber Pros Think About OSS

In late 2021, the Apache Software Foundation disclosed a vulnerability that set off a panic across the global tech industry. The bug, known as Log4Shell, was found in the ubiquitous open-source logging library Log4j, and it exposed a huge swath of applications and services. Nearly anything from popular consumer and enterprise platforms to critical infrastructure and IoT devices was exposed. Over 35,000 Java packages were impacted by Log4j vulnerabilities. That’s over 8% of the Maven Central repository, the world’s largest…