VoIP vulnerabilities

VoIP vulnerabilities are weaknesses in the VoIP protocol or its implementations that expose users to privacy violations and other problems. VoIP is a group of technologies that enable voice calls online. VoIP is exposed to vulnerabilities similar to those affecting other internet use.

Risks are not usually mentioned to potential customers. [1] VoIP provides no specific protections against fraud and illicit practices.

Vulnerabilities

Eavesdropping

Unencrypted connections are vulnerable to security breaches. Hackers and trackers can eavesdrop on conversations and extract valuable data. [2] [3]
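Whether a given call is exposed this way can be read from its signaling. The following added example (not from the original article) audits a SIP INVITE for a cleartext transport in the topmost Via header and for media offered without an SRTP profile in the SDP body; the sample message, addresses and function name are constructed for illustration.

```python
# Constructed sample INVITE (not a capture): UDP signaling, plain RTP audio.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# SDP media profiles that carry SRTP (SDES- or DTLS-keyed).
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
ENCRYPTED_TRANSPORTS = {"TLS", "WSS"}

def audit_invite(raw):
    """Return findings; empty means the last hop used an encrypted transport
    and every active media stream is offered with an SRTP profile."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    # Signaling: the topmost Via names the transport of the hop that delivered
    # the message, so this check only speaks for that last hop.
    via = next((l for l in head.split("\r\n")[1:]
                if l.lower().startswith(("via:", "v:"))), None)
    if via is None:
        findings.append("no Via header")
    else:
        transport = via.split(":", 1)[1].split()[0].rsplit("/", 1)[-1].upper()
        if transport not in ENCRYPTED_TRANSPORTS:
            findings.append(f"signaling over {transport} is unencrypted")
    # Media: one m= line per stream; port 0 means the stream is disabled.
    for line in body.split("\r\n"):
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            if port != "0" and proto.upper() not in SECURE_PROFILES:
                findings.append(f"{media} stream uses {proto}: media is not SRTP")
    return findings
```
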

Network attacks

Attacks on the user network or internet provider can disrupt or destroy the connection. Since VoIP requires an internet connection, direct attacks on the internet connection, or provider, can be effective. Such attacks target office telephony. Mobile applications that do not rely on an internet connection to make calls [4] are immune to such attacks.

Default security settings

VoIP phones are smart devices that need to be configured. In some cases, Chinese manufacturers are using default passwords that lead to vulnerabilities. [5]

VoIP over Wi-Fi

While VoIP is relatively secure, it still needs a source of internet, which is often a Wi-Fi network, making VoIP subject to Wi-Fi vulnerabilities. [6]

Packet loss

Since VoIP runs over an internet connection, whether wired, Wi-Fi or 4G, it is susceptible to packet loss, which affects the ability to make and receive calls or makes the calls hard to hear. The susceptibility is due to the real-time nature of the communication. Packet loss is the biggest reason for VoIP support calls. [7]

SIP ALG

When VoIP was first set up, a setting called SIP ALG was added to routers to prevent VoIP packets being modified. However, on more modern VoIP systems, the SIP ALG router setting causes routing issues with VoIP packets, causing calls to drop. Routers are usually shipped with SIP ALG turned on. [8]

Exploits

Spam

VoIP is subject to spam called SPIT (Spam over Internet Telephony). Using the extensions provided by VoIP PBX capabilities, the spammer can harass their target from different numbers. The process can be automated and can fill the target's voice mail with notifications. The spammer can make calls often enough to block the target from getting important calls. [9]
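The pattern described above (one target, many calls, many different source numbers, in a short time) can be detected from call records. The following added example is not from the original article; the record format, the sample data and the thresholds are assumptions chosen for illustration and would need tuning per site.

```python
from collections import defaultdict, deque

# Constructed call records (not real data): epoch_seconds,caller,callee
SAMPLE_CDRS = """\
1700000000,+15550101,2001
1700000030,+15550102,2001
1700000045,+15550199,2002
1700000060,+15550103,2001
1700000090,+15550104,2001
1700000120,+15550105,2001
1700000150,+15550106,2001
1700000400,+15550199,2002
1700000900,+15550199,2002
1700003000,+15550101,2003
1700007000,+15550102,2003
"""

def detect_spit(cdr_text, window=600, min_calls=5, min_callers=4):
    """Flag callees that receive at least `min_calls` calls from at least
    `min_callers` distinct numbers within any `window`-second span."""
    rows = []
    for line in cdr_text.strip().splitlines():
        ts, caller, callee = line.strip().split(",")
        rows.append((int(ts), caller, callee))
    recent = defaultdict(deque)  # callee -> (ts, caller) pairs still in the window
    alerts = {}
    for ts, caller, callee in sorted(rows):
        q = recent[callee]
        q.append((ts, caller))
        # Drop calls that have aged out of the sliding window.
        while q[0][0] <= ts - window:
            q.popleft()
        callers = {c for _, c in q}
        # Requiring distinct callers keeps one person redialing from being flagged.
        if len(q) >= min_calls and len(callers) >= min_callers:
            alert = alerts.setdefault(callee, {"first_alert": ts, "callers": set()})
            alert["callers"] |= callers
    return {callee: {"first_alert": a["first_alert"], "callers": sorted(a["callers"])}
            for callee, a in alerts.items()}
```
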

Phishing

VoIP users can change their Caller ID if they have admin rights on the VoIP server. Anyone who resells VoIP or manages their own VoIP server can allocate any phone number as an outgoing number. This is commonly used for genuine reasons when a customer is porting a number, so they can use their number on a new platform while the port takes place. But it can also be used maliciously to mask any number (a.k.a. Caller ID spoofing), allowing a caller to pose as a relative or colleague in order to extract information, money or benefits from the target. [10]
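Because the displayed number is whatever the originating server chose to send, a receiving PBX can only look for inconsistencies. The following added example (not from the original article) checks an inbound INVITE from an external trunk for three signals: a From number that belongs to the receiving site, a From number that differs from P-Asserted-Identity, and a missing STIR/SHAKEN Identity header. The numbers, host names and function names are constructed for illustration.

```python
import re

# Assumption for this example: numbers hosted on the receiving PBX.
OWN_NUMBERS = {"+15550142", "+15550143"}

# Constructed inbound INVITE (not a capture) arriving from an external trunk.
SAMPLE_INBOUND = (
    "INVITE sip:+15550143@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/TLS trunk.example.org:5061;branch=z9hG4bKnashds8\r\n"
    'From: "Front Desk" <sip:+15550142@trunk.example.org>;tag=9fxced76sl\r\n'
    "To: <sip:+15550143@pbx.example.net>\r\n"
    "P-Asserted-Identity: <sip:+15550977@trunk.example.org>\r\n"
    "Call-ID: 3848276298220188511@trunk.example.org\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

def parse_headers(raw):
    """Map lower-cased header names to their first value."""
    out = {}
    for line in raw.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), value.strip())
    return out

def user_part(value):
    """Extract the user/number from the first sip:, sips: or tel: URI in a header value."""
    m = re.search(r"(?:sips?|tel):([^@;>]+)", value)
    return m.group(1) if m else None

def caller_id_findings(raw, own_numbers=OWN_NUMBERS):
    h = parse_headers(raw)
    shown = user_part(h.get("from", ""))
    asserted = user_part(h.get("p-asserted-identity", ""))
    findings = []
    if shown in own_numbers:
        findings.append("external call presents one of our own numbers")
    if asserted and asserted != shown:
        findings.append(f"From {shown} differs from asserted identity {asserted}")
    # Presence is only the first check; the signature must still be verified.
    if "identity" not in h:
        findings.append("no Identity header: caller ID is not STIR/SHAKEN-signed")
    return findings
```
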

Related Research Articles

Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communication sessions over Internet Protocol (IP) networks, such as the Internet.

Inter-Asterisk eXchange (IAX) is a communications protocol native to the Asterisk private branch exchange (PBX) software, and is supported by a few other softswitches, PBX systems, and softphones. It is used for transporting voice over IP telephony sessions between servers and to terminal devices.

Asterisk (PBX): PBX software

Asterisk is a software implementation of a private branch exchange (PBX). In conjunction with suitable telephony hardware interfaces and network applications, Asterisk is used to establish and control telephone calls between telecommunication endpoints such as customary telephone sets, destinations on the public switched telephone network (PSTN) and devices or services on voice over Internet Protocol (VoIP) networks. Its name comes from the asterisk (*) symbol for a signal used in dual-tone multi-frequency (DTMF) dialing.

VoIP spam or SPIT is unsolicited, automatically dialed telephone calls, typically using voice over Internet Protocol (VoIP) technology.

Business telephone system: Telephone system typically used in business environments

A business telephone system is a telephone system typically used in business environments, encompassing the range of technology from the key telephone system (KTS) to the private branch exchange (PBX).

Voice over WLAN: Use of a wireless network for the purpose of voice communication

Voice over wireless LAN (VoWLAN), also voice over Wi‑Fi (VoWiFi), is the use of a wireless broadband network according to the IEEE 802.11 standards for the purpose of vocal conversation. In essence, it is voice over IP (VoIP) over a Wi-Fi network. In most cases, the Wi-Fi network and voice components supporting the voice system are privately owned.

A session border controller (SBC) is a network element deployed to protect SIP based voice over Internet Protocol (VoIP) networks.

VoIP phone: Phone using one or more VoIP technologies

A VoIP phone or IP phone uses voice over IP technologies for placing and transmitting telephone calls over an IP network, such as the Internet. This is in contrast to a standard phone which uses the traditional public switched telephone network (PSTN).

Gizmo5 was a voice over IP communications network and a proprietary freeware soft phone for that network. On November 12, 2009, Google announced that it had acquired Gizmo5. On March 4, 2011, Google announced that the service would be discontinued as of April 3, 2011.

VoIP User was a community-driven and financed SIP based VoIP network. The project's aim was to allow users to experiment with VoIP by providing opportunities to work with SIP and IAX2 devices.

Wi-Fi calling: Protocol that extends mobile voice, data and multimedia applications over IP networks

Wi-Fi calling, also called VoWiFi, refers to mobile phone voice calls and data that are made over IP networks using Wi-Fi, instead of the cell towers provided by cellular networks. Using this feature, compatible handsets are able to route regular cellular calls through a wireless LAN (Wi-Fi) network with broadband Internet, while seamlessly changing connections between the two where necessary. This feature makes use of the Generic Access Network (GAN) protocol, also known as Unlicensed Mobile Access (UMA).

Mobile VoIP or simply mVoIP is an extension of mobility to a voice over IP network. Two types of communication are generally supported: cordless telephones using DECT or PCS protocols for short range or campus communications where all base stations are linked into the same LAN, and wider area communications using 3G or 4G protocols.

The SIP URI scheme is a Uniform Resource Identifier (URI) scheme for the Session Initiation Protocol (SIP) multimedia communications protocol. A SIP address is a URI that addresses a specific telephone extension on a voice over IP system. Such a number could be a private branch exchange or an E.164 telephone number dialled through a specific gateway. The scheme was defined in RFC 3261.

Text over IP is a means of providing a real-time text (RTT) service that operates over IP-based networks. It complements Voice over IP (VoIP) and Video over IP.

An application-level gateway is a security component that augments a firewall or NAT employed in a mobile network. It allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer "control/data" protocols such as FTP, BitTorrent, SIP, RTSP, file transfer in IM applications. In order for these protocols to work through NAT or a firewall, either the application has to know about an address/port number combination that allows incoming packets, or the NAT has to monitor the control traffic and open up port mappings dynamically as required. Legitimate application data can thus be passed through the security checks of the firewall or NAT that would have otherwise restricted the traffic for not meeting its limited filter criteria.

The 3GPP has defined the Voice Call Continuity (VCC) specifications in order to describe how a voice call can be persisted, as a mobile phone moves between circuit switched and packet switched radio domains.

An INVITE of Death is a type of attack on a VoIP-system that involves sending a malformed or otherwise malicious SIP INVITE request to a telephony server, resulting in a crash of that server. Because telephony is usually a critical application, this damage causes significant disruption to the users and poses tremendous acceptance problems with VoIP. These kinds of attacks do not necessarily affect only SIP-based systems; all implementations with vulnerabilities in the VoIP area are affected. The DoS attack can also be transported in other messages than INVITE. For example, in December 2007 there was a report about a vulnerability in the BYE message by using an obsolete header with the name "Also". However, sending INVITE packets is the most popular way of attacking telephony systems. The name is a reference to the ping of death attack that caused serious trouble in 1995–1997.

SunComm Technology Co. Ltd. is a Taiwanese multinational computer technology and GSM Voice over IP gateway manufacturer. The main products in 2010 focused on GSM VoIP gateways & IP surveillance camera devices. Core members have been engaging in the communication & networks industry since 1977.

STIR/SHAKEN, or SHAKEN/STIR, is a suite of protocols and procedures intended to combat caller ID spoofing on public telephone networks. Caller ID spoofing is used by robocallers to mask their identity or to make it appear the call is from a legitimate source, often a nearby phone number with the same area code and exchange, or from well-known agencies like the Internal Revenue Service or Ontario Provincial Police. This sort of spoofing is common for calls originating from voice-over-IP (VoIP) systems, which can be located anywhere in the world.

References

  1. Peter Thermos, Ari Takanen. Securing VoIP Networks. ISBN 978-0-321-43734-1.
  2. Stephen Pritchard (March 28, 2007). "Unencrypted VoIP poses security threat". ITPro.
  3. "Security Advisories ⋆ Asterisk". Asterisk.
  4. "Mobile VOIP alternative for business international calls". www.pindo.me.
  5. "Research: VoIP Phones Can Be Exploited If Not Set Up Properly".
  6. Hickey, Andrew R. (December 18, 2007). "Top 9 VoIP Threats And Vulnerabilities". CRN.
  7. "VoIP and Packet loss issues". telephonesystems.cloud.
  8. "What is SIP ALG and Why it Causes Problems". telephonesystems.cloud.
  9. Messmer, Ellen (October 1, 2007). "Top 14 VoIP vulnerabilities". Network World.
  10. "The Vulnerabilities of VoIP".