Fraud is big business

Fraud is big business

Bernie Dodwell, EMEA Channel
Bernie Dodwell, EMEA Channel Director, Sipera Systems

In June, the US government announced that it had closed down a $55 million toll fraud ring operating out of Italy & Spain targeting enterprise PBXs. In January hackers accessed the VoIP PBX of a small Perth, Australia business and made over 11,000 international calls in 46 hours running up a bill of more than $120,000. These are just two cases at the ends of the toll fraud spectrum in the public domain … how many cases may go unreported?

Roger Jones, Consulting Engineer at Avaya says “The move to IP Telephony has introduced some new aspects to securing a communications environment. Telephony is now running on industry-standard server platforms; the voice is no longer on dedicated copper wires, it runs across a shared IP infrastructure. Endpoints have morphed into a range of intelligent devices. All of these need to be secured. Traditional toll fraud still exists but new ways of accessing the toll-free calls have appeared.”

There are four issues in an IPT/unified communications architecture that increase the risk of exploitation:

 

1. Inadequate user authentication and access control. Toll fraudsters have gained access to enterprise PBXs because user authentication and access controls are inadequate in many deployments. Most often, the problem is the utilization of weak or default passwords. Many enterprises deploy highly robust authentication mechanisms to secure data traffic – such as twofactor authentication – but they neglect to extend this same level of access control and authentication to their telephony end-points.

2. A security architecture that relies solely on session border controllers (SBCs) or Media Gateways (MG). As components in the typical SIP-based VoIP architecture, SBCs provide critical network interoperability and related demarcation functionality and help to manage boundaries between networks when terminating SIP trunks. However, SBCs and MGs are not dedicated security devices and their authentication, access control, encryption, and threat mitigation functionality can leave them vulnerable to application-layer exploits. Examples include the ability to conduct reconnaissance and map internal systems, to gain knowledge of extensions to exploit. They also can log-in using spoofed identities to gain access to the PSTN.

3. VLAN management. Virtual Local Area Networks are frequently used to logically segregate voice and data traffic and to then ‘bridge’ the two networks for UC-related applications. But VLAN separation is easily defeated by a moderately sophisticated attacker. Furthermore, an attacker can remotely take control over a PC running a VoIP softphone client and compromise the entire VoIP and data network. VLAN separation is not a comprehensive security measure and must be supplemented by others.

4. Encryption errors. Some security breaches that lead to toll fraud start with inadequate use of encryption, leading to the interception and misuse of user credentials. Inadequate use of encryption is one of the chief security lapses in VoIP deployments. Encryption is frequently deployed for external communications that may use the Internet or another untrusted network but encryption is frequently not used on internal networks, even though many breaches could have been prevented by it. It is important to not be misled into thinking encryption alone equals security. Encryption provides privacy, and it can be just as easy for an attacker to encrypt a threat from a compromised end-point.

Guy Koster, Director of Product Marketing at Westcon Convergence, commented: “Moving telephony off dedicated infrastructures on to the IP network, although an enabler to a richer multi-media communications experience, brings with it a number of new challenges. VARs must be educated, and then trained to understand these issues and their implications and be able to act as a trusted advisor to their customers. When it comes to toll fraud, ignorance is not bliss.” Toll fraud is not the only threat that enterprises face. Other examples of known exploits include:

1. Via an http: command it is possible to remotely activate the microphone on conference handsets in meeting rooms and record conversations.

2. There is the equivalent of a key-logger for IP phones which not only records the numbers dialed but also any keys used for punching in passcodes, pin numbers etc.

3. It is possible to inject unauthorised video into video streams e.g. in teleconferencing applications or IP video surveillance systems. As Max Clifford wrote (Radio Times 25 July) with reference to the alleged News of the World scandal – ‘Phonetapping? It’s more widespread than people thought’ – and much more sophisticated.

The increasing adoption of SIP trunks combined with the evolving UC market creates new opportunities for fraudsters and increased risk to corporations – but the benefits outweigh the risks as long as those risks are understood, managed and mitigated.