VoIP vulnerabilities

VoIP vulnerabilities are weaknesses in the VoIP protocol or its implementations that expose users to privacy violations and other problems. VoIP is a group of technologies that enable voice calls over the internet, and it shares many vulnerabilities with other internet-based services.

Risks are not usually mentioned to potential customers. [1] VoIP provides no specific protections against fraud and illicit practices.

Vulnerabilities

Eavesdropping

Unencrypted connections are vulnerable to security breaches. Attackers can eavesdrop on conversations and extract valuable data. [2] [3]

Network attacks

Attacks on the user network or internet provider can disrupt or destroy the connection. Since VoIP requires an internet connection, direct attacks on the internet connection, or provider, can be effective. Such attacks target office telephony. Mobile applications that do not rely on an internet connection to make calls [4] are immune to such attacks.

Default security settings

VoIP phones are smart devices that need to be configured. In some cases, Chinese manufacturers are using default passwords that lead to vulnerabilities. [5]

VoIP over Wi-Fi

While VoIP is relatively secure, it still needs a source of internet, which is often a Wi-Fi network, making VoIP subject to Wi-Fi vulnerabilities. [6]

Exploits

Spam

VoIP is subject to spam called SPIT (Spam over Internet Telephony). Using the extensions provided by VoIP PBX capabilities, the spammer can harass their target from different numbers. The process can be automated and can fill the target's voice mail with notifications. The spammer can make calls often enough to block the target from getting important calls. [7]
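The pattern described above (many calls to one target from different numbers in a short time) can be detected in PBX call detail records. The following is an added example, not part of the original article: a sliding-window check over constructed records. The record layout, the function name and the thresholds (10 minutes, 5 calls, 4 distinct callers) are assumptions to tune per deployment.

```python
from collections import defaultdict, deque

BASE = 1_700_000_000  # arbitrary epoch start for the constructed records

# Constructed call records: (epoch_seconds, caller, callee, answered_seconds).
SAMPLE_CDRS = [
    (BASE + 0,   "+15550100", "2001", 0),
    (BASE + 30,  "+15550199", "2002", 180),   # ordinary call to another extension
    (BASE + 40,  "+15550101", "2001", 0),
    (BASE + 80,  "+15550102", "2001", 0),
    (BASE + 120, "+15550103", "2001", 0),
    (BASE + 160, "+15550104", "2001", 0),
    (BASE + 200, "+15550105", "2001", 0),
    (BASE + 400, "+15550199", "2002", 60),
]

def flag_spit_targets(cdrs, window=600, min_calls=5, min_callers=4):
    """Return {callee: first_timestamp_flagged} for extensions that receive
    at least min_calls from at least min_callers distinct numbers within
    `window` seconds."""
    recent = defaultdict(deque)   # callee -> deque of (timestamp, caller)
    flagged = {}
    for ts, caller, callee, _answered in sorted(cdrs):
        calls = recent[callee]
        calls.append((ts, caller))
        # Drop calls that have aged out of the sliding window.
        while calls and calls[0][0] <= ts - window:
            calls.popleft()
        distinct = {c for _, c in calls}
        if len(calls) >= min_calls and len(distinct) >= min_callers:
            flagged.setdefault(callee, ts)
    return flagged

if __name__ == "__main__":
    for callee, ts in flag_spit_targets(SAMPLE_CDRS).items():
        print(f"extension {callee}: possible SPIT burst at {ts}")
```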

Phishing

VoIP users can change their Caller ID (a.k.a. Caller ID spoofing), allowing a caller to pose as a relative or colleague in order to extract information, money or benefits from the target. [8]

Related Research Articles

Telephony is the field of technology involving the development, application, and deployment of telecommunication services for the purpose of electronic transmission of voice, fax, or data, between distant parties. The history of telephony is intimately linked to the invention and development of the telephone.

Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for voice calls for the delivery of voice communication sessions over Internet Protocol (IP) networks, such as the Internet.

Asterisk (PBX): PBX software

Asterisk is a software implementation of a private branch exchange (PBX). In conjunction with suitable telephony hardware interfaces and network applications, Asterisk is used to establish and control telephone calls between telecommunication endpoints such as customary telephone sets, destinations on the public switched telephone network (PSTN) and devices or services on voice over Internet Protocol (VoIP) networks. Its name comes from the asterisk (*) symbol for a signal used in dual-tone multi-frequency (DTMF) dialing.

VoIP spam or SPIT is unsolicited, automatically dialed telephone calls, typically using voice over Internet Protocol (VoIP) technology.

Voice over WLAN: Use of a wireless network for the purpose of voice communication

Voice over wireless LAN (VoWLAN), also voice over Wi‑Fi (VoWiFi), is the use of a wireless broadband network according to the IEEE 802.11 standards for the purpose of vocal conversation. In essence, it is voice over IP (VoIP) over a Wi-Fi network. In most cases, the Wi-Fi network and voice components supporting the voice system are privately owned.

VoIP phone: Phone using one or more VoIP technologies

A VoIP phone or IP phone uses voice over IP technologies for placing and transmitting telephone calls over an IP network, such as the Internet. This is in contrast to a standard phone which uses the traditional public switched telephone network (PSTN).

Gizmo5 was a voice over IP communications network and a proprietary freeware soft phone for that network. On November 12, 2009, Google announced that it had acquired Gizmo5. On March 4, 2011, Google announced that the service would be discontinued as of April 3, 2011.

Wireless security: Aspect of wireless networks

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.1X.

Caller ID spoofing: Phone caller faking the phone number sent to the recipient of a phone call

Caller ID spoofing is a spoofing attack which causes the telephone network's Caller ID to indicate to the receiver of a call that the originator of the call is a station other than the true originating station. This can lead to a display showing a phone number different from that of the telephone from which the call was placed.

Wi-Fi calling refers to mobile phone voice calls and data that are made over IP networks using Wi-Fi, instead of the cell towers provided by cellular networks. Using this feature, compatible handsets are able to route regular cellular calls through a wireless LAN (Wi-Fi) network with broadband Internet, while seamlessly changing connections between the two where necessary. This feature makes use of the Generic Access Network (GAN) protocol, also known as Unlicensed Mobile Access (UMA).

Mobile VoIP or simply mVoIP is an extension of mobility to a voice over IP network. Two types of communication are generally supported: cordless telephones using DECT or PCS protocols for short range or campus communications where all base stations are linked into the same LAN, and wider area communications using 3G or 4G protocols.

Voice phishing, or vishing, is the use of telephony to conduct phishing attacks.

The SIP URI scheme is a Uniform Resource Identifier (URI) scheme for the Session Initiation Protocol (SIP) multimedia communications protocol. A SIP address is a URI that addresses a specific telephone extension on a voice over IP system. Such a number could be a private branch exchange or an E.164 telephone number dialled through a specific gateway. The scheme was defined in RFC 3261.

A residential gateway is a small consumer-grade gateway which bridges network access between connected local area network (LAN) hosts to a wide area network (WAN) via a modem, or directly connects to a WAN, while routing. The WAN is a larger computer network, generally operated by an Internet service provider.

The 3GPP has defined the Voice Call Continuity (VCC) specifications in order to describe how a voice call can be persisted, as a mobile phone moves between circuit switched and packet switched radio domains.

An INVITE of Death is a type of attack on a VoIP-system that involves sending a malformed or otherwise malicious SIP INVITE request to a telephony server, resulting in a crash of that server. Because telephony is usually a critical application, this damage causes significant disruption to the users and poses tremendous acceptance problems with VoIP. These kinds of attacks do not necessarily affect only SIP-based systems; all implementations with vulnerabilities in the VoIP area are affected. The DoS attack can also be transported in other messages than INVITE. For example, in December 2007 there was a report about a vulnerability in the BYE message by using an obsolete header with the name "Also". However, sending INVITE packets is the most popular way of attacking telephony systems. The name is a reference to the ping of death attack that caused serious trouble in 1995–1997.

A softphone is a software program for making telephone calls over the Internet using a general purpose computer rather than dedicated hardware. The softphone can be installed on a piece of equipment such as a desktop, mobile device, or other computer and allows the user to place and receive calls without requiring an actual telephone set. Often, a softphone is designed to behave like a traditional telephone, sometimes appearing as an image of a handset, with a display panel and buttons with which the user can interact. A softphone is usually used with a headset connected to the sound card of the PC or with a USB phone.

Mobile Dialer is a software application installed and used on mobile phones. Various software providers offer branded mobile dialers. They are used to make VoIP calls from a mobile handset. The "Mobile Dialer" or "Mobile VoIP Dialer" uses SIP signaling and can be mapped to a softswitch or an IP device to work as a device for voice communication. Newer mobile dialers also allow users to originate a voice call or SMS using their mobile handset. In many countries, VoIP is considered an "illegal business" and is banned by the government. A Mobile Dialer application can run behind network address translation (NAT) and on private IP and can pass through firewalls or blocked networks when combined with tunneling software.

SunComm Technology is a Taiwanese multinational computer technology and GSM Voice over IP gateway manufacturer. The main products in 2010 focused on GSM VoIP gateways and IP surveillance camera devices. Core members have been engaged in the communication and networks industry since 1977.

STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. Caller ID spoofing is used by robocallers to mask their identity or to make it appear the call is from a legitimate source, often a nearby phone number with the same area code and exchange, or from well-known agencies like the Internal Revenue Service or Ontario Provincial Police. This sort of spoofing is common for calls originating from voice-over-IP (VoIP) systems, which can be located anywhere in the world.

References

  1. Thermos, Peter; Takanen, Ari. Securing VoIP Networks. ISBN 978-0-321-43734-1.
  2. Pritchard, Stephen (March 28, 2007). "Unencrypted VoIP poses security threat". ITPro.
  3. "Security Advisories". Asterisk.
  4. "Mobile VOIP alternative for business international calls". www.pindo.me.
  5. "Research: VoIP Phones Can Be Exploited If Not Set Up Properly".
  6. Hickey, Andrew R. (December 18, 2007). "Top 9 VoIP Threats And Vulnerabilities". CRN.
  7. Messmer, Ellen (October 1, 2007). "Top 14 VoIP vulnerabilities". Network World.
  8. "The Vulnerabilities of VoIP".