TMCnet - World's Largest Communications and Technology Community

VoIP Feature Article


June 15, 2006

VoIP Security Hack Highlights Need for Proactive Solutions

Bogdan Materna, Contributor

Last week, a Miami man was charged with defrauding 15 VoIP service providers of services by hacking into their networks and reselling VoIP calls. Federal prosecutors charged that Edwin Pena hacked into VoIP service provider networks to obtain minutes for free, and then resold them to his customers, generating more than $1 million from the stolen services.

With the speed at which VoIP is being deployed, this news is a wake-up call for the VoIP industry. Pena’s hack is the tip of the iceberg, and this attack is only a sneak preview of what’s to come.

While VoIP security is often cited as a major concern, most organizations and service providers have not implemented necessary measures to address VoIP security at a level that is sufficient to prevent against even relatively unsophisticated security exploits.

The reality is that frequency of security attacks on VoIP infrastructure will only increase and it likely there are many more stealth operators in existence inflicting multi-million dollar losses. With the advent of new technologies such as IMS, wVoIP and IPTV (News - Alert) we can only expect more security problems and real financial losses.

The question is how long it will take to recognize that business and individual consequences of VoIP security attacks are very real. For the 15 service providers defrauded by Edwin Pena, the lost revenue from more than 10 million minutes of VoIP calls illustrates the impact of leaving VoIP vulnerable.

Assessing the VoIP Security Threat

Pena, along with hired hacker Robert Moore, applied a very common code cracking method called brute force to identify holes in the service provider networks. Using this method, they sent millions of test calls to VoIP equipment such as call managers until they gained access to the network. They then hacked into computers at an investment company in Rye Brook, N.Y. and set up other servers, which were connected to existing VoIP carriers. Calls were then forwarded between servers and service providers to cover their tracks and enabling Pena’s two “companies” – Miami Tech and Consulting and Fortes Telecom – to collect on charges from calls.

While nobody can claim that implementation of basic principles of VoIP security would have prevented the exploit, it is obvious that these measures would definitely lower the probability of such an event. VoIP security is an emerging field, so organizations need to carefully consider what they can do immediately to ensure they are proactively securing VoIP.

One of the first things is to recognize that VoIP security is unique. While proven methods and strategies from the data security world may apply, VoIP needs a telecom-specific approach which addresses the real-time nature of voice services, along with the critical availability and reliability requirements of VoIP networks.

Securing VoIP – A Refresher

In determining how to secure VoIP, both enterprises and service providers need to proactively identify and fix VoIP-specific vulnerabilities before they impact end-users. A commonly used approach from the data security world, vulnerability assessment (VA) is particularly effective proactive strategy. By performing a VoIP VA in the lab, before any VoIP equipment and applications are deployed, organizations are able to verify vendor claims and identify security flaws early in the deployment cycle.

Executing a VoIP VA of all components prior to the commissioning of the VoIP infrastructure is recommended as interactions and dependencies between VoIP applications and devices could potentially create additional security vulnerabilities not visible during earlier assessments in the lab.

Once VoIP is deployed, periodic (or, where required, continuous) vulnerability assessments should become a cornerstone of an overall proactive VoIP security strategy. Once security vulnerabilities are identified they should be addressed by appropriate actions such as patching, re-configuration and network tuning.

Within the VoIP network, various security architectures and solutions should be deployed to protect VoIP services from security threats during their lifecycle. Any security architectures and solutions deployed must be “VoIP aware” so they do not impact VoIP service quality and reliability. For example, firewalls should be able to deal with SIP specific requirements such as dynamic port ranges, call initiations from external sources and NAT functionality.

It is recommended to deploy multi-layer security infrastructure that provides both perimeter as well as internal network protection. In most cases, it will consists of a number of security devices and host based applications to protect VoIP networks such as SBCs, VoIP Network Intrusion Prevention Systems (NIPS), VoIP DoS defenses, VoIP Network Intrusion Detection Systems (IDS), Host IPSs, AAA servers, encryption engines and VoIP anti-virus software. All the devices and applications have to be coordinated via a higher level application providing a unified view of the end-to-end VoIP infrastructure security.

It is already widely accepted that no matter how good the prevention and/or protection in place may be, sooner or later an attacker or worm will successfully penetrate all the defenses and wreak havoc on VoIP infrastructure. In dealing with these attacks, VoIP presents a unique challenge as it is the first IP service where human-based response is not sufficient.

Currently, a combination of human intervention and security management tools are being used to mitigate the impact of attacks. As the VoIP market matures, and VoIP-specific attacks become more prevalent, these methods will not be sufficient as VoIP networks cannot tolerate multi-hour or multi-day downtimes if they are required to support 99.999 percent availability (5 minutes of downtime a year).

Expect to see solutions emerge that are designed to provide real-time, automated VoIP security mitigation solutions that can keep VoIP services running in the presence of major security threats such as SPIT, DoS or fast-spreading worms. Threat-mitigation systems should be able to respond autonomously to the detected security threats and keep their impact at the levels where VoIP services can still function albeit at lower QoS.


As highlighted by the Pena case, VoIP security should be a concern for both service providers and enterprises. These organizations need to realize that this type of attack is only the beginning of VoIP-specific attacks which will have significant consequences from lost revenue to privacy concerns to matters of national security.

In looking for strategies to secure VoIP in the short-term, organizations should look to vulnerability assessments as a starting point, as they offer an immediate and affordable method to find and fix holes in VoIP networks without impacting the quality and availability of voice services.


Bogdan Materna is the CTO and VP of Engineering at VoIPshield Systems. He can be reached at bmaterna@voipshield.com or (613) 224-4443.


Technology Marketing Corporation

2 Trap Falls Road Suite 106, Shelton, CT 06484 USA
Ph: +1-203-852-6800, 800-243-6002

General comments: tmc@tmcnet.com.
Comments about this site: webmaster@tmcnet.com.


© 2020 Technology Marketing Corporation. All rights reserved | Privacy Policy