While much has been made of President Bush’s use of wiretaps for spying on suspected terrorists, the NSA and FBI are hardly the sole proprietor of clandestine technology. New-age wire tapping might be going on at any company using IP telephony.

Unbeknownst to most companies, just about any curious, technically savvy employee or visitor with ill intent, granted access by consent or force, might be able to do some serious damage with some simple freeware available on the Internet. While adequate physical security may prevent outside intruders from accessing key communication areas, often the threats that come from within require even more protection than basic perimeter security measures.

Vulnerability example

Consider the following hypothetical scenario. Widget Ltd. is known to be a divestiture object for its parent holding company. The company’s workforce is scattered across the country, and the main headquarters building has a skeleton staff during normal business hours. After business hours, the only employee on the premises is a security officer.

John Green, an almost-executive who has been kept out of recent negotiations, decides to do a little of his own inspection to see if his personal investments in the company are safe. Since his office is in the executive wing and he is often the last person to leave, he feels safe taking a little adventure with the new IP telephony system the company recently had installed. He visits a local electronics store, purchases a small IP switch that supports port mirroring and puts the switch in line between the CEO’s administrative assistant’s workstation and the corporate LAN. Green configures the switch to mirror the port and forwards the packets from the port, into which the administrative assistant’s PC is connected, to his own PC. Using Ethereal, Green begins packet capture and analysis of the session initiation protocol (SIP) control signaling and voice media stream from that port.

What would Green be able to see in this scenario? Figure 1 below is a simple capture from Ethereal which is pretty typical of the session log.

What is visible in Ethereal is the SIP invite from the multi-media client on the PC to extension 4839 at the SIP application server for domain ssclab.com. This extension happens to be a digital phone connected to the PBX at the local site. Okay, so what? John can tell who the CEO called within the company. Since the identity of the calling party only will lead to assumptions, it’s not a major risk for the company.

Now examine the following example in Figure 2 below.

John now knows an external number that is being called from the CEO’s office and can access the actual session. What that means is that John actually can capture the packet load as a .wav file and replay and hear the conversation. The risk here is quite apparent.

This is a simple example of the important role physical security represents even with the latest high tech applications and how every employee needs to participate in implementation, not just the staff tasked with perimeter security. While there are many countermeasures that may be taken to resolve the identified vulnerability, none is more important than educating key personnel – those who might be a target for a wire tap – on how to avoid a breach.

Most companies have locked down the switch rooms that control LAN communications. Companies concentrate heavily on installing firewalls and intrusion prevention to ensure that external resources can’t compromise their confidential information. The same level of awareness and investment must be made inside the building where most vulnerability exists.

Five Top VoIP Threats

A heightened awareness for voice over IP or VoIP can help ensure effective countermeasures are in place for what are considered the most costly threats:

• Denial of Service of voice call processing (disabling the call system).
• Confidentiality and Eavesdropping.
• Call Redirection (redirecting inbound or outbound calls to unscrupulous persons).
• Improper Design/Configuration of System (E911 calls mishandled; ineffective backup).
• SPIT – SPAM over IP Telephony. Since VoIP is free it would be easy to enable a machine to call everyone on the Internet.

When implementing a VoIP system, companies must ensure that both logical and physical countermeasures are used to protect availability, integrity and confidentiality of this critical information resource.