Fighting SIP Trunk Hacking
Toll fraud, denial of service attacks, phishing and eavesdropping all are on the rise as, worldwide, more businesses use SIP trunks to cut communications expenses.
The SIP standard’s vulnerabilities have been an open secret within the industry for several years. But the problems are getting worse as more cyber thieves and spies exploit SIP trunks to make free calls or access credit card data, disrupt or even shut down operations, and obtain confidential information. Such breaches stand to worsen, sources say, and everyone — from service providers to channel partners to end users — must share the responsibility for securing SIP trunks.
In 2013, PBX and VoIP hacking, along with account takeover/identity theft, cost operators around the world almost $12 billion, according to the Communications Fraud Control Association (CFCA). Total fraud losses for the year came to $46.3 billion, up 15 percent from the previous CFCA survey, conducted in 2011.
Anecdotal evidence confirms those findings. “The problem is very widespread and active,” said Austin Herrington, director of enterprise/CPE product marketing for SIP trunking provider Windstream. “We choose not to share stats from our own networks for very obvious reasons.” Wes Rogers, COO of NexVortex, called SIP hacking “big business, involving real money,” adding, “the bad guys are becoming increasingly sophisticated and more aggressive.” Kristian Kielhofner, CTO of Star2Star, agreed. “These kinds of attacks are escalating and escalating quickly,” he said.
Expect the circumstances to worsen as more firms adopt SIP trunking. By 2018, 42 percent of organizations — compared to 13 percent in 2013 — around the globe will send all of their toll traffic via SIP trunks, Eastern Management Group reported in September 2013. As a result, sources predict that hackers, thieves and spies will intensify their efforts. Indeed, all PBX and phone system vendors now build their products on SIP, said Graham Francis, CEO of The SIP School. For VARs, integrators, MSPs and IT-centric agents, then, it’s imperative to be able to identify potential trouble spots and know how to shore up customers’ SIP trunks.
To ensure security, it’s important to first understand the threats. Three forms of breaches are the most common:
• Crimes of opportunity (e.g., toll fraud, phishing). These usually occur because a client’s PBX has not been adequately secured. If the SIP trunk connects to a PBX with SIP-accessible user extensions, and the users have weak login details, names and passwords are easily guessed. Once a hacker penetrates the SIP system, he or she is able to pass fraudulent traffic to high-cost international and domestic destinations. “Literally thousands of dollars can be lost in as little as an hour,” said NexVortex’s Rogers. Or the hacker can hijack a phone number, point it to an IVR script requesting credit card information, and lure people into yet another iteration of the long-familiar phishing scam.
• Volume-based attacks (e.g., telephony denial of service, similar to distributed denial of service attacks within data networks). “Unauthorized users flood the system with too many access requests and prevent legitimate users from accessing the system,” said Dean Manzoori, vice president of global UCaaS for Masergy. This can cost a business customers and sales, not to mention wasted employee time.
• Eavesdropping (i.e., hackers tap into voice mail and live conversations). This attack proves “the most difficult to identify and block, particularly when SIP trunks are routing over public IP connections,” said Charles Studt, vice president of product and corporate marketing for IntelePeer. “In this case, the core concern is how to protect messages, calls and conferences from unwanted eyes and ears.”
Those are the problems. A full solution requires the cooperation of all parties. Even when a SIP trunk is connected to an on-premises PBX, the service provider holds responsibility for keeping the trunk and IP connectivity secure. Meanwhile, the channel partner and end user must secure the PBX, the corporate network and employee access.
With that in mind, here are the steps to take to protect SIP trunks:
1. Choose the right supplier. Not all service providers offer secure SIP trunking services, The SIP School’s Francis said. So, above all, find a provider that does, and one that allows you to view procedures and documentation around how they handle compromised networks, said Matt Hutchinson, vice president of channel sales for MegaPath. “Understand their detection capabilities and what happens when detection occurs so you can be prepared to assist your customers.”
2. Install a dedicated IP connection. This provides another layer of protection against unauthorized calls being made via the SIP trunks. Channel partners or end users also can monitor these connections for illicit activity.
3. Fortify the PBX. Change all default passwords and, if there’s an underlying OS such as Linux, lock that down. “With the basics taken care of, SIP access to the IP PBX should be restricted to known signaling nodes of the service provider,” said NexVortex’s Rogers. Then, make sure the PBX supports security mechanisms such as Secure Hash Algorithm-2, Transport Layer Security for encrypting SIP signaling and Secure Real-time Transport Protocol (SRTP) for encrypting voice and video streams. SRTP is critical for regulated vertical markets such as finance, government and health care.
4. Install top-notch session border controllers and firewalls. “Session border controllers have become a must for most networks and will ensure that SIP traffic can be secured between your PBX and provider,” Francis said. The service provider ought to help by supplying the settings for correct SBC configuration. “Put the wrong settings in the PBX and more than likely, SIP trunks won’t work at all, so it really is worth pointing out again that all parties should work closely together,” Francis said. Also firewall all devices allowed to communicate with the PBX.
5. Secure the SIP trunk registration process. Work with employees to devise strong passwords that will be changed often. Again, hackers get into unprotected SIP trunks by guessing user names and passwords, whether through manual processes or online tools such as SIPVicious.
6. Keep physical hardware in a secure location. Prevent external access and allow only limited internal access.
7. Establish a monthly “trip switch” with the service provider. “If you go over that limit, you either know you’ve been really busy and then you pay the bill, or someone may have cracked your system and is using your account,” said Francis.
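As an added example (not part of the original article), here is one way a channel partner could watch for the registration guessing described in step 5 and apply the monthly “trip switch” from step 7 on the customer side. The record layouts, addresses, thresholds and function names are constructed assumptions, not the format of any real PBX or provider.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, not output from any real PBX or provider.
REG_LOG = [  # (timestamp, source IP, username tried, result), sorted by time
    ("2024-05-01T02:00:00", "192.0.2.5", "trunk01", "ok"),
    ("2024-05-01T02:00:01", "203.0.113.9", "100", "fail"),
    ("2024-05-01T02:00:02", "203.0.113.9", "101", "fail"),
    ("2024-05-01T02:00:03", "203.0.113.9", "102", "fail"),
    ("2024-05-01T02:00:04", "203.0.113.9", "103", "fail"),
    ("2024-05-01T09:15:00", "198.51.100.20", "204", "fail"),  # one mistyped password
    ("2024-05-01T09:15:40", "198.51.100.20", "204", "ok"),
]
CDRS = [  # (timestamp, destination class, cost in cents), sorted by time
    ("2024-05-02T10:00:00", "domestic", 40),
    ("2024-05-03T01:10:00", "international", 18000),
    ("2024-05-03T01:25:00", "international", 24000),
    ("2024-05-03T01:40:00", "international", 31000),
]

def guessing_sources(log, window=timedelta(minutes=1), threshold=4):
    """Return {ip: usernames tried} for sources that reach `threshold`
    failed registrations inside a sliding `window`."""
    recent = defaultdict(deque)          # ip -> (time, user) of recent failures
    flagged = {}
    for ts, ip, user, result in log:
        if result != "fail":
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, user))
        while now - q[0][0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.setdefault(ip, set()).update(u for _, u in q)
    return flagged

def trip_point(cdrs, monthly_limit_cents):
    """Return (timestamp, running total) of the call that pushes a calendar
    month's spend over the limit, or None if the limit holds."""
    totals = defaultdict(int)            # (year, month) -> cents spent so far
    for ts, _dest, cents in cdrs:
        when = datetime.fromisoformat(ts)
        key = (when.year, when.month)
        totals[key] += cents
        if totals[key] > monthly_limit_cents:
            return ts, totals[key]
    return None

if __name__ == "__main__":
    print(guessing_sources(REG_LOG))
    print(trip_point(CDRS, 50000))
```

The single failed login from 198.51.100.20 is not flagged, while the source cycling through extensions 100 to 103 in four seconds is; the spend check reports the exact call that crossed the agreed limit.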
Kelly Teal is senior editor of Channel Partners.
Twitter: @kellymteal
LinkedIn: linkedin.com/in/kellyteal