Two attacks against VoIP
Peter Thermos 2006-04-04

Article continued from Page 1

This attack can succeed even when the remote SIP proxy or registrar requires authentication of user registrations, because the SIP messages travel in the clear and can be captured, modified and replayed. It can be launched against enterprise and residential users alike. For example, a home network behind a poorly configured wireless access point can be compromised by an attacker who intercepts and replays registration requests. This includes configurations that use WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access), since known vulnerabilities allow an attacker to gain unauthorized access to the wireless network. [ref 3] Once registered in the victim's place, the attacker can perform various attacks, including making fraudulent calls or redirecting the victim's communications. In an enterprise environment an attacker can divert calls to unauthorized parties: calls from stockholders, for instance, can be diverted to an agent who is not authorized to handle certain trade transactions for customers. In some cases the attack can even be viewed as a "feature" by employees who prefer not to be disturbed.

This attack can be suppressed by carrying SIP over TLS (SIPS) and by authenticating SIP requests and responses, which can include integrity protection. In fact, SIPS together with authenticated responses suppresses many related attacks, including eavesdropping on the signaling and message or user impersonation.
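The registration hijack works because SIP digest authentication (RFC 2617 as used by RFC 3261) covers only the method and the digest URI, not the Contact header that tells the registrar where to send the user's calls. The following Python is an added example, not code from the article: it builds an authenticated REGISTER, rewrites Contact the way an on-path attacker would, and shows that a registrar which checks only the digest accepts the forgery, while one that also tracks the (nonce, nc) pair rejects the replay. The user name, realm, password, addresses and the minimal Registrar class are all constructed for the demo.

```python
import hashlib
import re
import secrets

# Constructed credentials and addresses for the demo; not taken from the article.
USER, REALM, PASSWORD = "alice", "example.net", "s3cret"
REQUEST_URI = "sip:example.net"


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 digest with qop=auth: binds method and URI only, never the Contact header."""
    ha1 = md5hex(f"{user}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_register(contact, nonce, nc, cnonce):
    """Authenticated REGISTER as the phone sends it after the registrar's 401 challenge."""
    resp = digest_response(USER, REALM, PASSWORD, "REGISTER", REQUEST_URI, nonce, nc, cnonce)
    return (
        f"REGISTER {REQUEST_URI} SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 10.0.0.50:5060;branch=z9hG4bK776asdhds\r\n"
        f"From: <sip:{USER}@{REALM}>;tag=1928301774\r\n"
        f"To: <sip:{USER}@{REALM}>\r\n"
        "Call-ID: a84b4c76e66710@10.0.0.50\r\n"
        "CSeq: 2 REGISTER\r\n"
        f"Contact: <{contact}>\r\n"
        f'Authorization: Digest username="{USER}", realm="{REALM}", nonce="{nonce}", '
        f'uri="{REQUEST_URI}", response="{resp}", qop=auth, nc={nc}, cnonce="{cnonce}"\r\n'
        "Expires: 3600\r\n"
        "Content-Length: 0\r\n\r\n"
    )


def parse_headers(msg):
    """Return (request line, {lower-case header name: value}) for one SIP message."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers


def parse_digest(value):
    """Parse the parameters of a 'Digest ...' Authorization header value."""
    params = value.partition(" ")[2]
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|[^,\s]+)', params)}


def rewrite_contact(msg, new_contact):
    """The attacker's edit to the captured cleartext REGISTER: point Contact at their phone."""
    return re.sub(r"Contact: <[^>]*>", f"Contact: <{new_contact}>", msg)


class Registrar:
    """Minimal registrar: one outstanding nonce, optional (nonce, nc) replay tracking."""

    def __init__(self, track_nonce_count):
        self.nonce = secrets.token_hex(8)   # the nonce issued in the 401 challenge
        self.track_nonce_count = track_nonce_count
        self.seen = set()                   # (nonce, nc) pairs already accepted
        self.bindings = {}                  # address of record -> Contact

    def handle(self, msg):
        request_line, hdr = parse_headers(msg)
        method, req_uri, _ = request_line.split(" ", 2)
        auth = parse_digest(hdr.get("authorization", ""))
        if not auth or auth.get("nonce") != self.nonce or auth.get("uri") != req_uri:
            return 401
        expected = digest_response(USER, REALM, PASSWORD, method, req_uri, auth["nonce"],
                                   auth.get("nc", ""), auth.get("cnonce", ""))
        if auth.get("response") != expected:
            return 401
        if self.track_nonce_count:
            if (auth["nonce"], auth.get("nc")) in self.seen:
                return 401                  # same credentials seen before: replay
            self.seen.add((auth["nonce"], auth.get("nc")))
        self.bindings[auth["username"]] = hdr["contact"]
        return 200


def hijack(track_nonce_count):
    """Legitimate registration, then replay of its Authorization with a forged Contact."""
    reg = Registrar(track_nonce_count)
    legit = build_register("sip:alice@10.0.0.50", reg.nonce, "00000001", "0a4f113b")
    first = reg.handle(legit)
    forged = rewrite_contact(legit, "sip:alice@10.0.0.66")  # attacker's phone
    second = reg.handle(forged)
    return first, second, reg.bindings[USER]


if __name__ == "__main__":
    print("no nc tracking:", hijack(False))  # (200, 200, '<sip:alice@10.0.0.66>')
    print("nc tracked:    ", hijack(True))   # (200, 401, '<sip:alice@10.0.0.50>')
```

Tracking the nonce count stops a pure replay, but not an attacker who sits on the path, drops the phone's original REGISTER and forwards only the modified copy: the digest is still valid and the nonce count has never been seen. That is why the real fix is transport protection (SIPS) rather than a smarter digest check at the registrar.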

Eavesdropping

Eavesdropping in VoIP differs somewhat from traditional eavesdropping on data networks, but the general concept is the same. It requires intercepting both the signaling and the associated media streams of a conversation. The signaling messages travel over their own transport (UDP or TCP) and ports, separate from the media; the media itself is typically carried over UDP using RTP (the Real-time Transport Protocol).

Figure 6 shows the steps required to capture a media stream using Ethereal. [ref 4]

Figure 6
Figure 6. Steps to capture VoIP media streams using Ethereal.

The steps to capture and decode voice packets are:

  • Capture and decode RTP packets. Capture packets, then select Analyze -> RTP -> Show All Streams in the Ethereal interface.
  • Analyze the session. Select a stream to analyze and reassemble.
  • Save. Write the reassembled audio stream to a .au file that contains the captured voice.
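What Ethereal does behind those three menu items is mechanical, and seeing it in code makes clear how little protection unencrypted RTP offers. The following Python is an added example, not code from the article or from Ethereal: it parses raw RTP datagrams, groups them into streams by SSRC, puts each stream back in sequence order, and writes the G.711 mu-law payload out as a Sun .au file (encoding 1, which is 8-bit mu-law, so no transcoding is needed). The sample packets are constructed inline; a real capture would come from a pcap or a raw socket, and the sort by sequence number ignores 16-bit wrap-around, which a production tool must handle.

```python
import struct
from collections import defaultdict

RTP_HEADER = struct.Struct("!BBHII")   # V/P/X/CC, M/PT, sequence, timestamp, SSRC
PT_PCMU = 0                             # static payload type 0: G.711 mu-law, 8 kHz mono


def parse_rtp(packet):
    """Return the RTP header fields and payload, or None if this is not RTP version 2."""
    if len(packet) < RTP_HEADER.size:
        return None
    b0, b1, seq, ts, ssrc = RTP_HEADER.unpack_from(packet)
    if b0 >> 6 != 2:
        return None
    offset = RTP_HEADER.size + 4 * (b0 & 0x0F)      # skip the CSRC list
    if b0 & 0x10:                                   # header extension present
        if len(packet) < offset + 4:
            return None
        ext_words = struct.unpack_from("!H", packet, offset + 2)[0]
        offset += 4 + 4 * ext_words
    payload = packet[offset:]
    if b0 & 0x20 and payload:                       # padding: last byte gives its length
        pad = payload[-1]
        payload = payload[:-pad] if pad else payload
    return {"pt": b1 & 0x7F, "marker": bool(b1 & 0x80), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": payload}


def group_streams(packets):
    """Ethereal's 'Show All Streams': one list of packets per SSRC, in sequence order."""
    streams = defaultdict(list)
    for pkt in packets:
        hdr = parse_rtp(pkt)
        if hdr is not None:
            streams[hdr["ssrc"]].append(hdr)
    for pkts in streams.values():
        pkts.sort(key=lambda h: h["seq"])           # ignores 16-bit sequence wrap
    return dict(streams)


def reassemble_audio(stream):
    """Concatenate the mu-law payloads of one stream (PCMU only)."""
    return b"".join(h["payload"] for h in stream if h["pt"] == PT_PCMU)


def ulaw_to_linear(u):
    """G.711 mu-law byte to 16-bit linear PCM sample (for analysis, not needed for .au)."""
    u = ~u & 0xFF
    sign, exponent, mantissa = u & 0x80, (u >> 4) & 0x07, u & 0x0F
    magnitude = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -magnitude if sign else magnitude


def decode_linear(ulaw_bytes):
    return [ulaw_to_linear(b) for b in ulaw_bytes]


def au_file(ulaw_bytes, sample_rate=8000):
    """Sun .au container: magic, header size, data size, encoding 1 (8-bit mu-law), rate, channels."""
    return struct.pack("!4sIIIII", b".snd", 24, len(ulaw_bytes), 1, sample_rate, 1) + ulaw_bytes


def make_rtp(seq, ts, ssrc, payload, pt=PT_PCMU, marker=False):
    return RTP_HEADER.pack(0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc) + payload


# Constructed sample capture: two talkers, one packet out of order, one non-RTP datagram.
SAMPLE_PACKETS = [
    make_rtp(11, 1760, 0xAAAA0001, b"\xff" * 160),                 # arrives before seq 10
    make_rtp(10, 1600, 0xAAAA0001, b"\x00" * 160, marker=True),    # first packet of talkspurt
    make_rtp(5, 800, 0xBBBB0002, b"\x80" * 160),                   # the other direction
    make_rtp(12, 1920, 0xAAAA0001, b"\xfe" * 160),
    b"\x45\x00" + b"\x00" * 20,                                    # version field != 2, ignored
]


if __name__ == "__main__":
    for ssrc, stream in group_streams(SAMPLE_PACKETS).items():
        audio = reassemble_audio(stream)
        with open(f"stream_{ssrc:08x}.au", "wb") as f:   # playable with sox, VLC, etc.
            f.write(au_file(audio))
        print(f"SSRC {ssrc:08x}: {len(stream)} packets, {len(audio) / 8000:.3f} s of audio")
```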

Some may argue that eavesdropping can be suppressed on IP networks by using Ethernet switches, which forward unicast frames only to the port of the destination host rather than to the whole segment, thereby limiting who can see the traffic.

This argument falls apart once ARP spoofing is used to mount a man-in-the-middle attack. We will not cover ARP spoofing in detail here, since it is documented in several publications. The basic concept is that the attacker sends forged ARP replies that associate the victims' IP addresses (for example, the phone's and the gateway's) with the attacker's MAC address, so that subsequent IP packets between them flow through the attacker's host. This allows the communications between two users to be eavesdropped upon. Figure 7 summarizes the ARP spoofing attack.

Figure 7
Figure 7. ARP Spoofing attack.

Using ARP spoofing, an attacker can capture, analyze and eavesdrop into VoIP communications.

Figure 8 shows the Cain tool [ref 5], which can perform the man-in-the-middle attack and capture VoIP traffic.

Figure 8
Figure 8. Using Cain to perform a man-in-the-middle attack.
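The forged ARP replies that Cain sends are short fixed-layout frames, and the same layout is what a defender parses to notice the attack. The following Python is an added example, not code from the article or from Cain: it builds the attacker's two poisoning replies (one telling the phone that the gateway's IP is at the attacker's MAC, one telling the gateway the same about the phone) and runs them, together with a normal exchange, through a small watcher that learns IP-to-MAC bindings from every ARP sender field and flags a binding that changes, which is the check tools such as arpwatch perform. The MAC and IP addresses are constructed for the demo.

```python
import struct
from ipaddress import IPv4Address

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP, ARP_REQUEST, ARP_REPLY = 0x0806, 1, 2
BROADCAST = b"\xff" * 6


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an ARP request (op=1) or reply (op=2)."""
    eth_dst = BROADCAST if op == ARP_REQUEST else mac(target_mac)
    arp = ARP.pack(1, 0x0800, 6, 4, op, mac(sender_mac), IPv4Address(sender_ip).packed,
                   mac(target_mac), IPv4Address(target_ip).packed)
    return ETH.pack(eth_dst, mac(sender_mac), ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH.size + ARP.size:
        return None
    _, eth_src, ethertype = ETH.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP.unpack_from(frame, ETH.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": eth_src, "sha": sha, "spa": str(IPv4Address(spa)),
            "tha": tha, "tpa": str(IPv4Address(tpa))}


class ArpWatcher:
    """Learns IP -> MAC from every ARP sender field; alerts when a known binding changes."""

    def __init__(self):
        self.table = {}
        self.alerts = []

    def observe(self, frame):
        a = parse_arp(frame)
        if a is None:
            return
        if a["sha"] != a["eth_src"]:    # ARP sender MAC disagrees with the Ethernet source
            self.alerts.append(("eth/arp mismatch", a["spa"],
                                fmt_mac(a["eth_src"]), fmt_mac(a["sha"])))
        known = self.table.setdefault(a["spa"], a["sha"])
        if known != a["sha"]:
            self.alerts.append(("binding changed", a["spa"], fmt_mac(known), fmt_mac(a["sha"])))


# Constructed addresses for the demo.
GATEWAY, PHONE, ATTACKER = "00:11:22:33:44:01", "00:11:22:33:44:50", "00:de:ad:be:ef:99"

# Constructed traffic: a normal request/reply, then the attacker poisoning both ends.
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, PHONE, "10.0.0.50", "00:00:00:00:00:00", "10.0.0.1"),
    build_arp(ARP_REPLY, GATEWAY, "10.0.0.1", PHONE, "10.0.0.50"),
    build_arp(ARP_REPLY, ATTACKER, "10.0.0.1", PHONE, "10.0.0.50"),    # "the gateway is me"
    build_arp(ARP_REPLY, ATTACKER, "10.0.0.50", GATEWAY, "10.0.0.1"),  # "the phone is me"
    b"\x00" * 20,                                                      # not ARP, ignored
]


def run(frames):
    """Feed frames to a fresh watcher and return its alerts."""
    watcher = ArpWatcher()
    for frame in frames:
        watcher.observe(frame)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_FRAMES):
        print(*alert)
```

Note that the poisoning replies are unicast to the victims, so a watcher on a third host only sees them if it runs on a switch mirror (SPAN) port or on the victims themselves. Detection also arrives after the fact; on managed switches, Dynamic ARP Inspection backed by DHCP snooping, or static ARP entries for the gateway on the phones, stops the forged replies from taking effect at all.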

Conclusion

This article outlined two of the many attacks currently applicable to VoIP networks. Traditionally, the average citizen has extended a level of trust to the PSTN (Public Switched Telephone Network) and cellular networks when it comes to the assumed confidentiality of phone conversations. Although we know that the PSTN does not encrypt phone conversations, we tend to feel that its protection is adequate. It is good enough.

But access to the new communications medium, the IP network, is not controlled the way access to the PSTN is, and its vulnerabilities can be exploited by a far larger number of attackers, so the risk of an attack actually being carried out increases dramatically. That, in turn, reduces the level of trust. The difference lies in how the network is accessed.

Of course, no one disputes that an attacker can access and install a tap on the telephone pair outside your house. But that requires physical presence and visibility, and there are explicit laws that prohibit eavesdropping. IP eavesdropping, on the other hand, can be done from the comfort of your laptop, as long as you possess the tools and expertise to carry out the attack successfully.

It is expected that the described attacks will gain popularity in the near future for personal or financial gain (such as fraud).

The investment in products and research by companies, and the proliferation of VoIP services over the past three years, demonstrate that VoIP is here to stay. At the same time, security issues will become more apparent as the subscriber population grows. The IETF has made several improvements that protect VoIP signaling and media streams; the most prominent recommendations are TLS to protect SIP signaling and SRTP (the Secure Real-time Transport Protocol) to protect the media stream. One problem is that vendors have been slow to adopt and implement these protocols. Furthermore, some VoIP service providers confuse what security means in packet-based communications. One example comes from a prominent North American VoIP service provider which claims, "We are more secure than a regular phone line." That was the response from the company's tier-2 technical support in a recent interaction with one of its many VoIP subscribers, after the subscriber had described these issues in detail.

References

[ref 1] Security Issues with SOHO VoIP Gateways, http://www.vopsecurity.org/Security_Issues_with_SOHO_VoIP_Gateways-052005.pdf.

[ref 2] SiVuS, the VoIP Vulnerability Scanner, http://www.vopsecurity.org/html/tools.html.

[ref 3] "WEP: Dead Again, Part 1", http://www.securityfocus.com/infocus/1814, and "WEP: Dead Again, Part 2", http://www.securityfocus.com/infocus/1824.

[ref 4] Ethereal, http://www.ethereal.com.

[ref 5] Cain & Abel, http://www.oxid.it/cain.html.

Copyright 2008, SecurityFocus