With Voice-over-IP, secure calling becomes more and more important. In cooperation with snom, the next episode of our free webinar series discusses the importance of secure calling and how to implement it.
6. Typical threats in VoIP
• Spam over Internet Telephony: broadcast of messages via VoIP
• Eavesdropping: secretly listening to private conversations
• Service Abuse: VoIP fraud
• Denial of Service attacks: attempts to prevent legitimate use of services
• Physical Access: IP phones as entry point into the network
7. Spam over Internet Telephony
Problem
• Bulk unsolicited, automatically dialled, pre-recorded phone calls using VoIP protocols
• The spammer attempts to initiate a voice session and then relays a pre-recorded message if the receiver answers.
Measures
• Only accept SIP invites from trusted hosts (SIP registrar)
• Encrypt SIP credentials (SIP over TLS)
• Enforce client cert authentication at SIP server
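The first measure above, as an added example (not from the webinar or from Snom's firmware): a screening function that accepts an inbound SIP request only when the packet's transport source address belongs to the provisioned registrar, and logs rather than trusts what the headers claim. The addresses, domain and function names are constructed assumptions.

```python
import ipaddress

# Assumption: addresses of the registrar/proxy the phone is provisioned against
# (constructed values from the RFC 5737 documentation ranges).
TRUSTED = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/28")]

def from_trusted_host(src_ip):
    """True if the packet's source address is one of the trusted registrars."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED)

def header(raw, name):
    """First value of a SIP header (case-insensitive name), or ''."""
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        key, _, value = line.partition(":")
        if key.strip().lower() == name:
            return value.strip()
    return ""

def screen(src_ip, raw):
    """Return (accept, reason) for one inbound SIP request."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return False, "malformed request line"
    if from_trusted_host(src_ip):
        return True, "source is the registrar"
    # From/Via are written by the sender, so they are logged, never trusted.
    claimed = header(raw, "from")
    return False, f"{parts[0]} from untrusted {src_ip}, claimed From: {claimed}"

# Constructed sample: the From header names the company domain,
# but the packet arrives directly from an outside address.
SPIT_INVITE = (
    "INVITE sip:200@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.77:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Support\" <sip:100@pbx.example.com>;tag=1928301774\r\n"
    "To: <sip:200@pbx.example.com>\r\n"
    "Call-ID: a84b4c76e66710@203.0.113.77\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(screen("203.0.113.77", SPIT_INVITE))  # rejected despite the From header
    print(screen("192.0.2.10", SPIT_INVITE))    # accepted: came via the registrar
```

The source address of a UDP packet can itself be forged, which is why the slide pairs this filter with SIP over TLS and client certificate authentication.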
8. Eavesdropping
Problem
• Capturing and decoding VoIP traffic on the network
• Tools like Wireshark can decode RTP streams into playable audio format
Measures
• Always encrypt RTP packets (SRTP)
9. Service Abuse
Problem
• Automatic dialling of toll numbers and long distance
• Setting up a blind transfer and erasing the setting server URL of a hacked device
• Call forwarding from one toll number to a second doubles the “income”
Measures
• Secure web server (HTTPS) or switch it off completely
• Deploy phone in user mode and use a strong admin mode password
• Always put a router between phone and the Internet
10. Physical access to the network
Problem
• An IP phone is a possible entry point into the corporate network
• A network switch can enable illicit access for unauthorised devices
Measures
• Snom phones support 802.1X
• IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols.
• It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.
11. 802.1X: the big fear / effort
Problem
• Port authentication sounds easy
• Do not confuse it with MAB
• Do not expect it to be all like Wi-Fi or PCs
• Certificate-based authentication involves
  • staging or automatic rollout
  • revocation / replacing / updating of certificates
Measures
• Build a skilled team
  • network, switches
  • RADIUS guest and productive
  • provisioning guest and productive
• Sit together and plan realistically
  • security audit needs
  • technical drawbacks
12. Denial of Service attacks
Problem
• A denial-of-service (DoS) attack is a cyber-attack where the perpetrator seeks to make a machine or network resource (services) unavailable to its intended users.
• DoS is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems.
Measures
• Snom has secured its redirection server against possible DoS attacks
• Service providers need to take the necessary measures to ensure the availability of their service
14. A hack that isn’t a hack
• Snom’s security measures are sufficient to avoid a hack
• In a SoHo / do-it-yourself environment, if users disregard warnings and security advice, it is their responsibility.
• Almost every phone used in a business environment is auto-provisioned, i.e. all necessary passwords are set automatically with the initial deployment of the phone.
• But... what's once on the www stays there forever.
15. External security audit
• Manipulation of a phone in the local network was possible through cross-site scripting vulnerabilities
• Path traversal filter bypass
  • URLs containing “../” could access hidden folders
• A VPN profile made it possible to run malware on the phone
• Bypass of authentication and gain of admin rights
  • when restrict_uri_queries and use_hidden_tags were set to “off”
16. Actions taken
• All detected security leaks have been closed; the fixes are provided with a firmware update
• A best practice guide was provided, as some users disregard alerts and notifications:
http://wiki.snom.com/FAQ/How_do_I_secure_my_phone
17. Further enhancements in security
• Factory installed SHA-256 certificates on the phones
• Got rid of weak ciphers (TLS), according to Mozilla.org best practices
• Disabled SSLv3 to avoid POODLE (Padding Oracle On Downgraded Legacy Encryption)
• Regular updates of root file system with latest security patches
19. Snom new D300 series
High resolution screens
Improved audio quality
2nd screen for fkey labelling
Bluetooth built-in + USB
Font embedded icons
Features depending on model
D305/315 D345 D375
20. New D745 model
Dual high-resolution displays
8x4 configurable, self-labelling, multicolored LED keys
Gigabit switch
USB port
Wideband audio
12 SIP identities