Hacking UC: The Definitive Book
As adoption of Unified Communications continues, it will attract hackers, malicious software, fraud, and abuse. The same can be said for those who implement WebRTC voice and video communications.
UC and VoIP security threats have evolved, with the primary issue being the increased threat of malicious calls from the PSTN. Attacks are easy to create, through the use of free PBX software such as Asterisk, calling number spoofing, call generators, and call origination through the Session Initiation Protocol (SIP). Attackers can easily create "robocalls"--used for Telephony Denial of Service (TDoS), harassing calls such as voice spam, new forms of toll fraud and service abuse, voice phishing (or vishing), and social engineering for the purposes of financial fraud.
Mark Collier, CTO and VP of Engineering at SecureLogix, has been working on these issues for years and wrote the definitive book on the subject, Hacking Exposed VOIP, for which a new edition has just been released. Mark has encountered numerous situations that UC and VoIP implementers and operators must work to avoid and mitigate before their organization loses money and reputation.
I recently had an opportunity to get Mark's perspective on the latest and most important trends in VOIP/UC security:
There is a process for using Asterisk and a call generator along with SIP-based access to the voice network to launch TDoS attacks. This process is pretty easy to do, but not yet at the "script kiddie" level. It is certainly effective, but it takes a little know-how. This capability can be used to target large enterprise contact centers, with both TDoS and call pumping. When multiple SIP trunk access providers are used for the attack, enough calls can be generated to affect even the largest enterprises and contact centers.
There are also complete turnkey TDoS generation tools, as described on the Webroot Threat Blog. These are ready to go and appear to have preconfigured means to send calls into the network, so they could pretty much be used by anyone. The tool detailed in the blog also comes preconfigured with cellular access so it is more anonymous (although you can also easily get public Wi-Fi access on just about any street corner). In addition, the tool is multi-threaded, which presumably means it can generate more concurrent calls.
Many of the recent TDoS attacks are targeting a very small location or even a single critical phone number, such as a hospital emergency room or ICU. Many of these attacks use cheap manual labor to generate the calls. The tool described above could easily be used for this same purpose, enabling many simultaneous attacks against many targets. If it can generate 100 concurrent calls, it could be used to attack up to 100 targets at a time. That is a much better model than hiring 100 people to be on the phone.
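The attacks described above show up on the defender's side as a burst of SIP INVITEs toward one critical number, often from many different (and possibly spoofed) calling numbers. The following is an added example, not code from the book or from the interview, of a simple sliding-window detector for that pattern. The log format, the sample lines, the 60-second window and the threshold of five INVITEs are all constructed or assumed for the demonstration; a real deployment would read its SIP proxy or SBC logs and tune the threshold to the destination's normal call volume.

```python
"""Added example: flag a TDoS-style flood of SIP INVITEs toward a single callee.

Assumptions (not from the article or the book):
  - one INVITE per log line, formatted "<ISO timestamp> INVITE from=<caller> to=<callee>"
  - a 60-second sliding window and a threshold of 5 INVITEs per callee
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window length (assumed tuning value)
THRESHOLD = 5                    # INVITEs to one callee inside WINDOW that raise an alert

# Constructed sample SIP proxy log (not real traffic). The first six lines are a
# burst against one number; the last two are normal traffic to a different number.
SAMPLE_LOG = """\
2014-03-01T09:00:00 INVITE from=+15551230001 to=+18005550100
2014-03-01T09:00:03 INVITE from=+15551230002 to=+18005550100
2014-03-01T09:00:05 INVITE from=+15551230003 to=+18005550100
2014-03-01T09:00:08 INVITE from=+15551230001 to=+18005550100
2014-03-01T09:00:10 INVITE from=+15551230004 to=+18005550100
2014-03-01T09:00:12 INVITE from=+15551230005 to=+18005550100
2014-03-01T09:00:30 INVITE from=+15559990001 to=+18005550200
2014-03-01T09:05:00 INVITE from=+15559990002 to=+18005550200
"""


def parse_invite(line):
    """Return (timestamp, caller, callee) for one INVITE log line, or None otherwise."""
    parts = line.split()
    if len(parts) != 4 or parts[1] != "INVITE":
        return None
    ts = datetime.fromisoformat(parts[0])
    fields = dict(p.split("=", 1) for p in parts[2:])
    return ts, fields["from"], fields["to"]


def detect_call_floods(log_text, window=WINDOW, threshold=THRESHOLD):
    """Count INVITEs per callee inside a sliding window; emit one alert per burst.

    Each alert records the burst size and how many distinct calling numbers
    took part, which helps distinguish a flood of spoofed callers from one
    misbehaving endpoint redialling the same number.
    """
    recent = defaultdict(deque)   # callee -> deque of (timestamp, caller) inside the window
    alerted = set()               # callees already alerted for their current burst
    alerts = []
    for line in log_text.splitlines():
        rec = parse_invite(line)
        if rec is None:
            continue
        ts, caller, callee = rec
        q = recent[callee]
        q.append((ts, caller))
        # Drop entries that have aged out of the window (log is assumed time-ordered)
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and callee not in alerted:
            alerted.add(callee)
            alerts.append({
                "callee": callee,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "invites": len(q),
                "distinct_callers": len({c for _, c in q}),
            })
        elif len(q) < threshold:
            alerted.discard(callee)   # burst has subsided; a later burst alerts again
    return alerts


if __name__ == "__main__":
    for alert in detect_call_floods(SAMPLE_LOG):
        print(alert)
```

On the constructed log this raises a single alert for +18005550100 once the fifth INVITE arrives within the window, noting four distinct calling numbers, while the two widely spaced calls to +18005550200 stay below the threshold. The same counter keyed on the calling number instead of the callee would highlight a single source hammering many destinations.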
Global Toll Fraud
In its 2013 global fraud report, the Communications Fraud Control Association (CFCA) states that there was $4.3 billion of global fraud in 2013, up 15% from 2011. The report is a great resource, which you can obtain upon registering.
The executive summary is below:
Hacking Exposed VOIP: Second Edition
This new edition of Collier's book, Hacking Exposed VOIP, is focused on Unified Communications (UC), Voice Over IP (VoIP), and voice security issues. The book lists threats/attacks, tools and techniques to demonstrate the attacks, and practical countermeasures. The new book has been expanded from 15 chapters in earlier editions to 17. There are 8 entirely new chapters, with the remaining 9 including relevant, consolidated, and updated material from the first edition. The new chapters include:
* Introduction and Threats
* Toll Fraud and Service Abuse
* Calling Number Spoofing
* Harassing Calls and Telephony Denial of Service (TDoS)
* Voice Spam
* Social Engineering and Voice Phishing
* Media/RTP Attacks
* Emerging Technologies and Threats
The book is divided into sections that cover:
* Attack preparation--Footprinting, scanning, and enumeration required to plan for attacks
* Application-level attacks--Toll fraud and service abuse, calling number spoofing, harassing calls and TDoS, voice spam, and social engineering/voice phishing
* UC network and infrastructure attacks--Eavesdropping, infrastructure DoS, Man-In-The-Middle (MITM) attacks, and attacks unique to Cisco systems
* UC application protocol attacks--SIP and RTP fuzzing, flooding, and manipulation
* Emerging attacks--A survey of issues with emerging technologies such as Microsoft Lync, other forms of communications, Over-The-Top (OTT) softphones, cloud, new UC deployment models, and WebRTC
You can read Mark Collier's blog on security at www.voipsecurityblog.com.