New and Current Approaches for Secure VoIP Service

H. Hakan Kılınç, Uğur Cağal
Netas, Cyber Security Department, Istanbul
hakank@netas.com.tr, ucagal@netas.com.tr

Abstract: The current telecom technology uses 4G and preparations are being made for 5G. The change of technological generation and the expansion of IPv6 have increased the use of VoIP. In parallel with this increase, many frauds and weaknesses have emerged. There is a growing need for security products with in-depth packet analysis capabilities at the application layer in order to find the vulnerabilities of VoIP systems, to detect attacks against these systems and to protect them. However, unlike services such as e-mail and web, VoIP services are time-sensitive. Complex and time-consuming security mechanisms are not suitable for VoIP. In our study, we discuss existing and new security approaches for VoIP security issues.

Keywords: VoIP, SIP, Security Threats, Security Products, DoS/DDoS, VoIP IDS (Intrusion Detection System), VoIP IPS (Intrusion Prevention System), VoIP Firewall, VoIP Security Scanner.

1. Introduction

IP (Internet Protocol) based VoIP (Voice over IP Telephony), which offers many benefits such as low-cost communications and rich telephony services, is becoming more widespread every day as the technological infrastructure of IP grows stronger. VoIP has many advantages over PSTN (Public Switched Telephony Network) and over the years, VoIP services have become a serious contender to the PSTN systems. Figure-1 shows the constantly increasing amount of data (petabytes/month) that is transferred over VoIP networks. The VoLTE (Voice over LTE, the VoIP leg of 4G LTE) and VoWIFI technologies will further increase the VoIP traffic in the near future.

Figure 1 - Annual Increase in the Amount of VoIP Services Data [1]

The fact that IP communication contains security vulnerabilities, and furthermore inherits all of the security problems associated with the internet, points out the importance of security in next generation telecommunications technologies. Examples of VoIP security vulnerabilities include VoIP traffic theft, unauthorized usage of communication infrastructure, calls to toll-free systems with malicious intent, reduction of voice quality, denial of service (DoS) attacks, fake registrations, service theft, eavesdropping, spam, malware, information theft and VoIP traffic redirection. The 2013 Global Fraud Loss Survey by the Communications Fraud Control Association reports that the total revenue lost to VoIP network attacks is 3,62 billion dollars [2]. Since this report only covers the attacks that were detected, the total loss is much more than this amount.

These losses are the result of attacks on VoIP and UC (Unified Communications) systems. 25% of hacker attacks are towards VoIP and UC systems, and there are over 20.000 exploits and threats discovered in these systems [3]. Toll Fraud, which is highly profitable for fraudsters and quite easy to accomplish, is one of the most widespread crimes in the telecommunications industry.

Most of the attacks on VoIP infrastructure occur on signaling technologies. SIP (Session Initiation Protocol) is the most widespread hypertext based protocol used in establishing, modifying and tearing down sessions between VoIP components [4]. It was selected as the signaling protocol of IMS (IP Multimedia Subsystem) and VoLTE because of its flexible usage and measurability. Although SIP presents great advantages, it is also vulnerable to many security threats [6] [7] [8] [9].

This paper is organized as follows: Chapter 2 summarizes the new telecommunications infrastructure. Chapter 3 discusses VoIP security issues and the current and new methods that are used to deal with these issues. Chapter 4 concludes our work by providing recommendations.

2. New Telecommunications Infrastructure and VoIP

Traditional telecommunications uses an infrastructure called PSTN, which is based on the circuit switching method, to provide stationary voice communications service. VoIP, which is the new telecommunications infrastructure, uses the internet as the voice communications medium. Voice is transferred with the packet switching method, which is the basis of data transfer over the internet. As shown in Figure-2, the new telecommunications infrastructure is abandoning PSTN in favor of VoIP networks and components. This change takes the form of a hybrid structure at first and transforms into pure VoIP over time. The hybrid structure takes the form of a VoIP telecommunications system for intercompany telephones and is converted to PSTN for outside communications.

The current infrastructure in Turkey uses the hybrid system. Telekom infrastructure is moving to pure IP, abandoning the PSTN system altogether. The next-generation mobile technology 4G LTE is purely IP based and will continue to evolve as IPv6 becomes more widespread.

VoIP can use a single broadband circuit for packet switched services such as data, voice and video. Many institutions use VoIP as part of their already existing data network. Although this method is cost-effective, it also increases the performance and security requirements of the system. An integrated system increases the importance of the Quality of Service (QoS) and security processes in order to preserve call quality [10].

Figure 2 - The New Telecommunications Infrastructure

3. VoIP Security Problems and Solution Approaches

Figure 3 - Security Products and Packet Analysis Levels

Telephony networks have been a target of computer hackers ever since phreaking (telephone hacking) became widespread in the 70s/80s. The general aim of these attacks is to commit billing fraud and to make toll-free long-distance calls. The security problems of PSTN, such as call forwarding and illegal interception, were abused to commit these crimes. VoIP faces these problems along with the new security issues it inherits from the internet infrastructure [10].

We can classify some of the problems encountered in a VoIP network under the following five topics. We will use Figure 3 in these descriptions. Figure 3 clearly displays some of these problems and their solutions. As mentioned above, most of the attacks against VoIP networks occur over signaling technologies. The payload these packets contain should be inspected in order to detect these attacks.

Problem 1: VoIP Traffic Theft and Toll Fraud

This is the foremost problem VoIP service providers and customers have faced since the beginning. Many VoIP call servers contain solutions to this problem that use either Classes of Restriction or Authentication Codes. Class of Restriction groups certain telephone numbers based on criteria, such as local or long-distance, and places restrictions on calling these numbers. The other approach requires the user to enter a code before making a call. Both of these approaches are hard to manage and maintain. Also, authentication codes can easily be acquired by others.

The new approach suggests monitoring the system at every step by checking certain parameters, such as call count, individual call duration or total call duration. The system administrator sets thresholds for these parameters by defining policy rules, which are used to prevent calls that exceed these threshold values.
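
The threshold policy described above (call count, individual call duration, total call duration), as an added example that is not part of the original paper. The class names, the threshold values and the call attempts are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """Administrator-defined thresholds (the values used below are assumptions)."""
    max_calls: int          # calls allowed per user per accounting period
    max_call_seconds: int   # longest single call
    max_total_seconds: int  # total talk time per user per period


class TollFraudMonitor:
    """Applies the three thresholds at call setup, one decision per attempt."""

    def __init__(self, policy):
        self.policy = policy
        self.calls = defaultdict(int)          # user -> calls admitted so far
        self.total_seconds = defaultdict(int)  # user -> seconds consumed so far

    def check(self, user, wanted_seconds):
        """Return (action, granted_seconds, rule_that_fired_or_None)."""
        p = self.policy
        if self.calls[user] >= p.max_calls:
            return ("reject", 0, "call_count")
        budget = p.max_total_seconds - self.total_seconds[user]
        if budget <= 0:
            return ("reject", 0, "total_duration")
        # A call may run until the per-call cap or the remaining budget,
        # whichever comes first; the enforcing element tears it down then.
        limit = min(p.max_call_seconds, budget)
        granted = min(wanted_seconds, limit)
        self.calls[user] += 1
        self.total_seconds[user] += granted
        if granted == wanted_seconds:
            return ("allow", granted, None)
        rule = "call_duration" if p.max_call_seconds <= budget else "total_duration"
        return ("cut", granted, rule)


# Constructed call attempts: (user, seconds the call would last if unrestricted).
# Extension "2001" behaves like a hijacked account placing long calls.
ATTEMPTS = [
    ("alice", 120), ("2001", 900), ("2001", 600), ("2001", 500), ("2001", 60),
    ("alice", 30), ("alice", 30), ("alice", 30), ("alice", 30),
]


def replay(attempts, policy):
    """Run the attempts through a fresh monitor and collect every decision."""
    monitor = TollFraudMonitor(policy)
    return [(user,) + monitor.check(user, wanted) for user, wanted in attempts]


if __name__ == "__main__":
    for decision in replay(ATTEMPTS, Policy(4, 600, 1500)):
        print(decision)
```
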

Another new approach consists of VoIP Intrusion Detection and Intrusion Prevention Systems (IDS / IPS). These systems detect calls that don't match the usual call patterns and prevent them.

Problem 2: VoIP Traffic and Network Security

The second problem occurs because VoIP traffic is carried over Internet traffic. If the basic network security of an organization is lacking, then the VoIP security of the same organization will also suffer.

Internet traffic is similar to traditional circuit switching traffic. Packet sniffers can easily capture unencrypted traffic. VPN (Virtual Private Network) is the usual method for overcoming this vulnerability. Although this method works fine, call session establishment (while receiving or making calls) might take some time. Packet encryption and decryption also cause delays in VoIP packet transfers. The fact that VPN solutions are usually hardware based is another limitation.

A vulnerability in an already existing network is also a vulnerability for the VoIP system that can be abused by attackers. It is recommended to run independent security assessments and to deploy firewalls in order to overcome these vulnerabilities. It is also advisable to adopt a patching policy for the system and to periodically examine system logs.

Although it is still advised to use VPN, it is not enough by itself. The discovery of new VPN vulnerabilities and the lack of security at the endpoints where VPN is used make it essential to use a dedicated VoIP Firewall. The importance of a VoIP Firewall is evident, as IP Firewalls, as shown in Figure-3, do not inspect the payloads of packets.

Although it is not always required, security assessments should also include VoIP-specific analyses. It is difficult to apply and manage patching procedures. Tools that track available patches for different VoIP phones should also be used. VoIP Security Scanners, which are vulnerability assessment tools that can also be used to track patch information, should be used to assess the security of a VoIP system.

Log inspection is a good approach; however, it is usually used after an attack in order to prevent future incidents. The new approach highlights products that can engage in instantaneous data analysis. These include VoIP Firewalls, VoIP IDS and VoIP IPS products.

Problem 3: Malicious Calls, DoS and DDoS

The third problem, DoS and DDoS (Distributed Denial of Service), prevents telephone calls.
Also, automated call generators can make VoIP systems unresponsive. Many out-of-the-box VoIP solutions contain unmonitored TCP/UDP ports that have no reason to be left open at all times. This creates a suitable environment for DoS/DDoS attacks. For example, VoIP systems use ports 5060 and 5061 for signaling but numerous different ports for voice packets. It is imperative to close unneeded ports and services, and to develop new patches for newly discovered vulnerabilities in order to prevent these attacks.

Pre-recorded calls that contain unwanted messages are called SPIT (Spam over IP Telephony). SPIT calls consume resources (like bandwidth) and can act as DoS attacks. Preventing SPIT is like preventing SPAM and it is impossible to do so with traditional security tools.

The key to preventing VoIP signaling attacks is to create a strong identity verification protocol. This approach can be applied in a company but it is hard to apply to the public in general.

Products that observe the normal traffic patterns and define signaling and media thresholds based on these should be used. This way, sources of abnormal traffic can be blocked. However, this blocking should be implemented in a different way for VoIP systems. Blocking an IP can block a whole organization. Because of this, blocking should be done on the basis of three parameters: User, IP Address and Port. Besides this, a smart DDoS detection technique, which also detects repetitive attacks that are below the established thresholds, should be used. This detection technique requires the use of products that employ statistical behavior analysis. VoIP Firewalls, VoIP IDS and VoIP IPS products designed with these problems in mind should be used to secure VoIP networks.

Problem 4: Eavesdropping

Some problems with VoIP or SIP are hard, even impossible, to solve. These vulnerabilities will continue to increase as the technology advances and protocols become more widespread. One of the hard-to-solve problems is eavesdropping. There are many applications that capture traffic on a network and convert it to .wav format. VoMIT, SIPtap, Wireshark, Voipong and Cain&Abel can be used in this manner [11]. Such applications obtain not only the voice packets but also the signaling information (call-id, call source, call destination, call duration and call initiation time) associated with the call.

The only way to prevent eavesdropping is to form a secure channel and to encrypt voice data. Protocols for authentication and mutual key exchange between two endpoints should be developed. The mutual key can be used to encrypt and decrypt the voice packets. Of course, the encryption methods have to be checked to make sure they do not degrade performance severely [9].

An abnormal status check can be applied on traffic data to detect eavesdroppers. A higher than normal packet flow would indicate eavesdropping. For example, a VoIP system currently hosting 10 calls would indicate 160 KB/s of traffic, assuming the highest quality voice codecs are used. 300 KB/s of traffic on the system would indicate an abnormal situation. It is important to detect such a situation. This can be done with VoIP IDS products that support such detection mechanisms.
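
Returning to the blocking scheme described under Problem 3 (block on User, IP Address and Port rather than on the IP alone, and also catch repeated bursts that stay below the threshold), the following is an added example that is not part of the original paper. The window length, the limits and the traffic are assumptions constructed for illustration; the addresses are documentation ranges.

```python
from collections import defaultdict


class SipFloodDetector:
    """Blocks on (user, source IP, source port), never on the IP alone."""

    def __init__(self, window=10, burst_limit=10, near_count=7,
                 repeat_limit=3, history=6):
        self.window = window              # seconds per counting window
        self.burst_limit = burst_limit    # max requests per key per window
        self.near_count = near_count      # "close to the limit" request count
        self.repeat_limit = repeat_limit  # near-limit windows tolerated
        self.history = history            # recent windows taken into account
        self.counts = defaultdict(lambda: defaultdict(int))  # key -> window -> n
        self.blocked = {}                 # key -> reason

    def observe(self, ts, user, ip, port):
        """Feed one SIP request; return the block reason, or None if allowed."""
        key = (user, ip, port)
        if key in self.blocked:
            return self.blocked[key]
        w = int(ts // self.window)
        per_window = self.counts[key]
        per_window[w] += 1
        if per_window[w] > self.burst_limit:
            # Classic threshold: too many requests inside one window.
            self.blocked[key] = "burst"
        else:
            # Behavior over time: the same source keeps coming close to the
            # limit in several recent windows without ever crossing it.
            recent = range(w - self.history + 1, w + 1)
            near = sum(1 for i in recent
                       if per_window.get(i, 0) >= self.near_count)
            if near >= self.repeat_limit:
                self.blocked[key] = "repeated_sub_threshold"
        return self.blocked.get(key)


def constructed_events():
    """Constructed sample traffic: (timestamp, user, source IP, source port)."""
    events = []
    for w in range(6):   # bob: one request per window, behind a shared NAT IP
        events.append((w * 10 + 1.0, "bob", "203.0.113.5", 5060))
    for i in range(30):  # same NAT IP, other user and port: 30 requests at once
        events.append((0.1 * i, "1000", "203.0.113.5", 40112))
    for w in range(4):   # 8 requests per window: always under burst_limit
        for i in range(8):
            events.append((w * 10 + i, "2001", "198.51.100.7", 5060))
    return sorted(events)


def run(events):
    """Replay the events and return the final block table."""
    detector = SipFloodDetector()
    for ts, user, ip, port in events:
        detector.observe(ts, user, ip, port)
    return detector.blocked


if __name__ == "__main__":
    for key, reason in run(constructed_events()).items():
        print(key, reason)
```

In the constructed traffic, bob shares a public IP address with the flooding source and stays reachable, which is the reason the paper gives for not blocking on the IP address alone.
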

Problem 5: Company Specific Policies and Operational Management

In some situations certain calls might be prioritized over others, some users might not be allowed to call certain numbers, and some of the phones in an office location might only be allowed to work at that location. Such situations, as well as telephone device updates, might need management. Such requirements are hard or impossible to meet with traditional security or operational management applications. Some IP PBX systems are capable of these operations by themselves. Telephone software updates are usually handled directly by the telephone's software with traditional file transfer protocols like TFTP. This approach opens a window for hackers to place other files or software onto these devices.

Company-specific policies and rules should be applicable to VoIP calls. This might be accomplished by using a policy-rule-based VoIP Firewall that analyzes signaling to detect, and if necessary prevent, calls that defy the policy rules set by the system administrator. VoIP Security Scanners can be used for monitoring device software updates, whereas VoIP Firewalls can be used to ensure that the correct files are transferred for these updates.

4. Recommendations and Conclusion

Creating a secure VoIP infrastructure begins with the detection of security vulnerabilities and reporting the results with their possible solutions. It is hard to discover the vulnerabilities and to prepare solutions for their removal. Specialized VoIP vulnerability assessment tools can be used for this, and logical problems can be solved with aid from VoIP security specialists.

The second step is to deploy a VoIP Firewall that detects and prevents attacks with instantaneous deep packet inspection, generates dynamic rules and uses filtering to prevent previously unknown and smart attack types from damaging the system. This firewall should also cause minimal delay in packet transfer. VoIP Firewalls can detect known attack types with application layer analysis, and can also analyze the state of a call by inspecting the message flow and react to abnormal situations caused by unknown attacks. Instant alarms and the termination of malicious calls and service usage prevent the operator from suffering serious losses.

At the third step, VoIP IDS and VoIP IPS products that are able to prevent traffic and toll fraud as well as social engineering cases should be deployed in the network. These products are also able to aid the operational management of VoIP systems.

Lastly, the security measures in traditional data networks cannot be applied to the VoIP world. Time-critical applications that don't cause performance issues should be used to overcome VoIP security problems.

References

[1] Data volume of global VoIP service traffic from 2011 to 2016 (in petabytes per month), http://www.statista.com/statistics/267183/forecast-for-the-worldwide-voip-traffic/ (Retrieved: 17.10.2015)
[2] Global Fraud Loss Survey, http://cfca.org/pdf/survey/global%20fraud_loss_survey2013.pdf (Retrieved: 17.10.2015)
[3] Securing UC: There are Ways, but Where's the Will? http://www.nojitter.com/blog/230600035/securinguc-there-are-ways-but-wheres-the-will (Retrieved: 17.10.2015)
[4] Rosenberg J., Schulzrinne H., Camarillo G., Johnston A., Peterson J., Sparks R., Handley M., Schooler E., SIP: Session Initiation Protocol, Internet Engineering Task Force, RFC 3261, 2002.
[5] Camarillo G., García-Martín M.-A., The 3G IP Multimedia Subsystem (IMS): Merging the Internet and the Cellular Worlds, Second Edition. WILEY, 2006.
[6] Geneiatakis D., Dagiouklas A., Kambourakis G., Lambrinoudakis C., Gritzalis S., Ehlert S., Sisalem D., Survey of Security Vulnerabilities in Session Initiation Protocol, IEEE Commun. Surveys Tutorials, vol. 8, no. 3, pp. 68-81, 2006.
[7] Geneiatakis D., Lambrinoudakis C., Kambourakis G., An Ontology Based-Policy for Deploying Secure SIP-based VoIP Services, Elsevier Computer and Security, vol. 27, no. 7-8, pp. 285-297, 2008.
[8] S. Salsano, L. Veltri, and D. Papalilo, SIP Security Issues: The SIP Authentication Procedure and its Processing Load, IEEE Network, vol. 16, no. 6, pp. 38-44, 2002.
[9] Kilinc, H.H., Yanik, T., "A Survey of SIP Authentication and Key Agreement Schemes," in Communications Surveys & Tutorials, IEEE, vol. 16, no. 2, pp. 1005-1023, 2014.
[10] Ruck, M., Top Ten Security Issues with Voice over IP (VoIP), http://www.designdata.com/wpcontent/uploads/sites/321/whitepaper/top_ten_voip_security_issue.pdf (Retrieved: 29.10.2015)
[11] VoIP Security Tool List, http://www.voipsa.org/resources/tools.php#voip%20sniffing%20tools (Retrieved: 31.10.2015)