From the Hacker's Point of View: Why SIP Attacks are Child's Play
We often talk about how important it is for enterprises to secure their SIP implementations against hackers. What we don't often talk about is how easy it is for hackers to get into an unsecured SIP deployment. (Spoiler alert: It's pretty easy.) The media often depicts hacking as a complicated process involving obscure entries in a command-line interface, but taking control of an unsecured SIP deployment is literally a three-step process.
Are you ready? First, get a SIP soft client. This allows you to hook your mobile phone or computer into a pre-existing SIP network. Then find a company's external SIP address. This isn't particularly difficult to do—it can be inferred from a port mapping service, the company's PBX model, or any other combination of social engineering and educated guesses. Lastly, you guess the password to that external SIP. That might be as easy as typing in the administrator's extension. Alternatively, you might need a few hours and a copy of Hashcat. Either way, once you get to the password-guessing phase, the hard part's over.
This might seem like an oversimplification, but it's not—if you don't run defenses on a SIP implementation, it's literally that easy to get in using SIP attacks and start making calls. Add this to the fact that 51% of all attacks against VoIP are directed towards the SIP protocol, and you have a recipe for widespread fraud.
What's driving these attacks? For most, it's the combination of two trends: lack of experience and ease of use. For example, most businesses are small businesses. A 10- or 20-person company probably doesn't have a lot of dedicated IT spend, or any dedicated IT personnel. There aren't going to be many people with the experience to say, "Hey, maybe put a strong password on our SIP trunk."
The other factor is ease of use. It's relatively easy, and getting easier, to set up a free PBX with a couple of attached IP phones. There are a number of online tutorials, such as this one from Ars Technica, which explains how to set up VoIP for home or small business. As you'll note, security is only mentioned once. There's zero mention of encryption, intelligent edge devices, or any preparations that might prevent an unauthorized user from getting rid of this VoIP implementation or that might deny SIP attacks.
In order to protect SMB users from the consequences of setting up their networks without security, it is incumbent on service providers to educate their users. From a business perspective, security is also a pretty concrete way to market your expertise. The upfront cost for a small business to set up its own VoIP network, without an SP/VAR, might be nil. The downstream cost of being vulnerable to SIP attacks and getting hacked, however, will almost certainly put it out of business. There's an opening here for service providers to build customer loyalty.
As far as VoIP security is concerned, you need a solution that provides granular, high-quality security for unified communications (UC). A great solution allows users to detect and mitigate DDoS attacks, flag suspicious activity, and seamlessly apply policies such as strong passwords and encryption.
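
To make "flag suspicious activity" concrete for the password-guessing step described earlier, here is an added example (not from the original article or any vendor's product) that flags sources sending repeated rejected REGISTER requests. The event tuple layout, the thresholds, and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample events, not real logs. Each tuple is one REGISTER seen at
# the network edge: (unix_time, source_ip, extension, had_credentials, status).
EVENTS = (
    # Normal phone: unauthenticated REGISTER gets a 401 challenge, retry succeeds.
    [(t, "198.51.100.10", "201", False, 401) for t in (0, 300)]
    + [(t + 1, "198.51.100.10", "201", True, 200) for t in (0, 300)]
    # User who mistyped a password twice, then got in.
    + [(10, "198.51.100.20", "202", True, 401),
       (25, "198.51.100.20", "202", True, 401),
       (40, "198.51.100.20", "202", True, 200)]
    # One source hammering a single extension.
    + [(100 + 5 * i, "203.0.113.7", "100", True, 401) for i in range(6)]
    # One source trying a few extensions in quick succession.
    + [(200 + i, "203.0.113.9", ext, True, 403)
       for i, ext in enumerate(("100", "101", "102"))]
)


def flag_sources(events, window=60, max_failures=5, max_extensions=3):
    """Return {source_ip: reason} for sources that look like password guessing.

    window, max_failures and max_extensions are illustrative thresholds.
    """
    recent = defaultdict(deque)  # ip -> failures (time, extension) inside window
    flagged = {}
    for ts, ip, ext, had_credentials, status in sorted(events):
        # A 401 to a REGISTER without credentials is the ordinary digest
        # challenge, not a failed login. Count only rejected attempts that
        # actually carried credentials. (A stale-nonce 401 is not separated out.)
        if not (had_credentials and status in (401, 403)):
            continue
        failures = recent[ip]
        failures.append((ts, ext))
        while failures and ts - failures[0][0] > window:
            failures.popleft()  # drop failures older than the window
        if len(failures) >= max_failures:
            flagged.setdefault(ip, "repeated failures")
        elif len({e for _, e in failures}) >= max_extensions:
            flagged.setdefault(ip, "many extensions")
    return flagged


if __name__ == "__main__":
    for ip, reason in flag_sources(EVENTS).items():
        print(ip, reason)
```

Counting every 401 would flag each legitimate phone, because digest authentication answers the first REGISTER of every registration with a challenge.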