7 UNCONVENTIONAL VOIP SECURITY THREATS
In addition to protocol attacks on SIP, H.323, IAX, and RTP, as well as attacks against specific VoIP products, many unconventional attacks against VoIP networks can cause a lot of harm. For example, in the email world, a spam attack is neither sophisticated nor complex to perform; how- ever, the headaches spam has brought to email users, from the nuisance of bulk email to phishing attacks, make spam a major issue for email users. This chapter will take a similar approach to VoIP by showing existing attacks that have the potential to be a major nuisance. The focus of this chapter will be how VoIP technologies, while very com- plex themselves, are still open to many simple attacks that can cause a lot of damage. When these minor flaws are applied to trusted entities, such as a user’s telephone, they have the ability to trick users into doing things they normally would not do. When, for example, an email asks you to click a link and submit your personal information, most users are wise enough to ignore that request. However, what if users received an automated phone call pur- portedly from their credit card company’s fraud detection services? Would
Hacking VoIP (C) 2008 by Himanshu Dwivedi users follow the directions in the message? Would they check if the 800 num- ber provided in the message matches the one on the back of their credit card? This scenario, along with many others, is discussed in this chapter. The attacks shown in this chapter combine the weaknesses of VoIP networks, the ability to perform social engineering attacks on human beings, and the ability to abuse something we all feel is trustworthy (our telephone) to compromise VoIP end users. Specifically, the attacks shown in this chapter are the following: