Thursday, October 6, 2011

Why isn't everyone hacked every day? VoIP security is not the same as on PC

Michael Kassner has a good interview on TechRepublic today called “Why isn't everyone hacked every day?” In it he interviews Microsoft Principal Researcher Cormac Herley, along with Dinei Florencio, also a Microsoft Researcher, about their paper “Where Do All the Attacks Go?”

Now, both the article and the paper are quite informative, but the conclusions they give are valid for personal and corporate computer networks but do not translate to VoIP Security.

So let me explain why. First, the premise of the paper is that what we thought we knew about security is not correct:
“Internet security has a puzzling fact at its core. If security is only as strong as the weakest link; then all who choose weak passwords, reuse credentials across accounts, fail to heed security warnings or neglect patches and updates, should be hacked — regularly and repeatedly. Clearly this fails to happen.”

They go on to use the example of a person using a weak password (their dog's name) on their bank portal and the economics of the hacker making money on it. Thus it is not worth it to attack everyone, as the chances of a good (profitable) hit are too low to justify the effort.
For example, suppose Alice uses her dog’s name as the password for her bank portal.
According to what we are told, her password is weak, making it an easy mark for an attacker. But, an attacker only succeeds:
  • If the username is known.
  • If he or she can figure out the dog’s name.
  • The bank doesn’t catch the transfer.
  • Another cyber-thief doesn’t get there first.
So what percent of the time can the attacker expect to succeed? Let’s say the attacker spends an hour per user, and:
  • 5% of all users choose their dog’s name as the password.
  • 5% of the time, the password is determined.
  • 5% of the time, the username is figured out.
Based on that, the attacker gets into one account for every 20 × 20 × 20 = 8,000 accounts attacked.
Let’s say the attacker is willing to work for $7.25/hour. He needs the average compromised account to yield $7.25 × 8,000 = $58,000 to meet payroll.
For regular hackers looking to breach bank accounts this is true. But for those attacking a VoIP switch, the rules and the payout are different.

They can scan for VoIP switches and get some information about brand and version in the process.
Then, using an automated script, they can try default user names and passwords (Admin/Admin) or common passwords (1234) against hundreds of switches an hour until they find one that works.

Alternatively, they can attack the phone extensions themselves (SIP extensions, for example), looking for a mailbox with a weak password that they can then claim as their own.

Either way, once they are in and have co-opted part of your PBX, they can exploit its dial-out features: pretend to be a phone company providing service to others for profit (at your expense), call their own premium-rate numbers (billing you up to $20 per minute), or simply make free long-distance calls.

Protect yourself and your company:
  1. Do not allow the use of default passwords
  2. Require strong passwords on all phone systems
  3. Delete all unused voice mailboxes
  4. Check to make sure that you do not have extra voice mailboxes (does the phone in the conference room need voice mail? How about the visitor one in the lobby or in break rooms?)
  5. Consider proactive monitoring of your phone systems
  6. Read my white paper Benefits of Telecom Analytics and Fraud Detection for Enterprises 
Because VoIP switches are now interconnected with your main data network, these VoIP security holes also increase the risk to the rest of the network.
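As an added example (not code from this post or from any PBX vendor), here is a Python audit script that applies items 1 through 5 of the list above to a constructed extension export and a handful of constructed call records. It flags default and weak SIP secrets and voicemail PINs, mailboxes that were never used or have sat idle, and the call patterns typical of the dial-out abuse described earlier: premium-rate destinations, after-hours international calls, and bursts of calls from a single extension. The export layout, the dial-plan prefixes and every value in it are assumptions for illustration; take the real prefixes and thresholds from your own dial plan.

```python
"""Added example: audit a PBX extension export and its call detail records
for the weaknesses described in the post. All data, the export layout and
the dial-plan prefixes below are constructed for illustration; none of it
comes from a real PBX or vendor."""
from collections import defaultdict
from datetime import datetime

# Constructed extension export (hypothetical flat layout). days_since_vm_login
# is None when the mailbox has never been logged into.
EXTENSIONS = [
    {"ext": "100", "name": "lobby courtesy phone", "sip_secret": "1234",
     "vm_pin": "1234", "vm_enabled": True, "days_since_vm_login": None},
    {"ext": "101", "name": "conference room", "sip_secret": "Kx9!vq2Lm8#tR",
     "vm_pin": "0000", "vm_enabled": True, "days_since_vm_login": 210},
    {"ext": "102", "name": "alice", "sip_secret": "7pQ#s2Lk!m9Zx",
     "vm_pin": "481903", "vm_enabled": True, "days_since_vm_login": 1},
    {"ext": "admin", "name": "web admin", "sip_secret": "admin",
     "vm_pin": None, "vm_enabled": False, "days_since_vm_login": None},
]

# Vendor defaults and trivial values that automated scripts try first.
COMMON_SECRETS = {"", "admin", "password", "secret", "1234", "12345",
                  "123456", "0000", "1111", "4321"}


def is_weak(secret, min_len):
    """True if the secret is a known default/common value, shorter than
    min_len, or an all-digit string that is repeated (2222) or sequential
    (3456, 6543)."""
    if secret is None:
        return False  # no credential configured, nothing to guess
    s = secret.lower()
    if s in COMMON_SECRETS or len(s) < min_len:
        return True
    if s.isdigit():
        if len(set(s)) == 1:
            return True
        steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def audit_extensions(exts, unused_days=90):
    """Return (extension, finding) pairs for list items 1 to 4 of the post."""
    findings = []
    for e in exts:
        ext = e["ext"]
        if is_weak(e["sip_secret"], 12):
            findings.append((ext, "default or weak SIP secret"))
        if e["vm_enabled"]:
            if is_weak(e["vm_pin"], 6) or e["vm_pin"] == ext:
                findings.append((ext, "default or weak voicemail PIN"))
            if e["days_since_vm_login"] is None:
                findings.append((ext, "mailbox never used: delete it"))
            elif e["days_since_vm_login"] > unused_days:
                findings.append((ext, "mailbox idle: review or delete"))
    return findings


# Constructed call detail records: (extension, dialed digits, start, seconds).
CDRS = [
    ("102", "15551234567",     "2011-10-06T10:15:00", 120),
    ("100", "011441632960001", "2011-10-06T02:10:00", 600),
    ("100", "011441632960002", "2011-10-06T02:25:00", 600),
    ("100", "011441632960003", "2011-10-06T02:40:00", 600),
    ("101", "19005550123",     "2011-10-06T14:00:00", 900),
]

# Assumed dial-plan prefixes for this site: "011" reaches the international
# trunk and "1900"/"1976" are premium-rate ranges. Real values depend on the
# country and carrier, so take them from your own dial plan.
INTERNATIONAL_PREFIX = "011"
PREMIUM_PREFIXES = ("1900", "1976")


def flag_calls(cdrs, business_hours=(8, 18), burst_threshold=3):
    """Proactive monitoring (list item 5): flag premium-rate destinations,
    international calls outside business hours, and bursts of calls from a
    single extension within one clock hour."""
    flags = []
    per_hour = defaultdict(int)
    for ext, number, start, _seconds in cdrs:
        t = datetime.fromisoformat(start)
        after_hours = not (business_hours[0] <= t.hour < business_hours[1])
        if number.startswith(PREMIUM_PREFIXES):
            flags.append((ext, number, "premium-rate destination"))
        if number.startswith(INTERNATIONAL_PREFIX) and after_hours:
            flags.append((ext, number, "international call outside business hours"))
        key = (ext, t.strftime("%Y-%m-%dT%H"))
        per_hour[key] += 1
        if per_hour[key] == burst_threshold:
            flags.append((ext, number, f"{burst_threshold} or more calls in one hour"))
    return flags


if __name__ == "__main__":
    for finding in audit_extensions(EXTENSIONS):
        print("EXTENSION", *finding)
    for flag in flag_calls(CDRS):
        print("CALL", *flag)
```

Run against the constructed data, the audit reports six findings (the lobby phone and the admin login with default secrets, the never-used lobby mailbox, and the conference-room mailbox with a 0000 PIN that nobody has checked in months) and the call monitor flags five records: the three after-hours international calls from the lobby extension, the burst they form, and the premium-rate call from the conference room. In practice the same checks are run from a scheduled job against the real export and CDR feed, with the thresholds tuned to the site's normal traffic.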

Be safe and be proactive.