VoIP Security through Responsible Software Development

While most IP-based communications technologies could use security improvements, Codenomicon's chief technology officer Ari Takanen thinks that VOIP should be higher on the list than most. Takanen spends much of his time finding ways to break the security on such networks and finds that it's really way too easy. As he explains here, however, securing VOIP is not without hope.


When Peter Thermos and I wrote our book, "Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures," our goal was to collect all the various aspects of VOIP (voice over IP) security together. Our purpose was to write a book that could be used by both telecommunication staff and IP experts. We wanted to develop material in a way that would not become immediately outdated. Since both Peter and I are academics, we also labored to develop the book so that it could be used at colleges and universities worldwide.

As part of my professional experience, I have looked at hundreds of different communication technologies. I think security is crucial in all of them. So why did I focus on VOIP? Why not choose VPNs, e-mail or industrial automation? Since 2002, VOIP has always been my preferred focus.

The Challenge of Security Integration

All emerging technologies have an interesting challenge: New technology is driven by innovative but, unfortunately, inadequately-funded startups. Dedicated resources and tools for integrating security into the software-development lifecycle may not initially be available. As a result, the new technology can get a bad reputation.

Fuzzing is a testing approach in which random or semi-random data is sent to a system in an attempt to crash it. It's also called syntax testing or robustness testing. A fuzzer company uses such an approach. So, from the perspective of a commercial fuzzer company, we have observed a huge improvement in performing due diligence in VOIP security over the past two years.

Use of Security Testing Tools on the Rise

Free and commercial security-testing tools have been available in the VOIP and IMS (the VOIP architecture used in telecommunications) space since 2002. However, the use of these (and other security-related software development tools) has become an increasingly popular trend. This was seen especially during 2007. This trend is also apparent when studying the adaptation of various security mechanisms. Included in these mechanisms is the use of TLS (Transport Layer Security), or DTLS (Datagram Transport Layer Security), for signaling encryption and the adaptation of SRTP (Secure Real-Time Transport Protocol) for the media.

The FUD Factor

I would like to think that the sudden awakening in the VOIP space is because VOIP just began selling. My concern, however, is that the major influencer might have also been plain old FUD: Fear, Uncertainty and Doubt. This is the same FUD that makes the security market grow and prosper. You hear FUD in most of the presentations and stories written by security solutions vendors. Without the media writing about threats and attacks in VOIP, we would still be where we were in security testing just couple of years ago.

In our studies, we have seen repeatedly that simple fuzzing breaks 80 percent of all VOIP devices. But without that FUD, the VOIP market might have emerged earlier. Scaremongering also has the tendency to slow down the adaptation of new technology. "Security research" that focuses on just pointing out the weaknesses does not help anyone to improve.

Resolving VOIP Security Issues

So how do you resolve security issues in VOIP? First, you need to forget about the trees and try to see the forest from all that FUD around there. For example, why care about Asterisk vulnerabilities if you do not use Asterisk? So pick your information channels carefully to improve the signal-to-noise ratio. Close your eyes to FUD. Try to see the real and valuable information about VOIP threats and attacks.

After you have taken a deep breath, and entered the calm and peaceful mode of the security analyst, you will start to recognize patterns in how the attacks emerge, and about which products they affect. Attacks and security compromises exist because vulnerabilities exist. We have all been brainwashed to focus on the latest attacks and exploits. But we have ignored the root cause for security problems; the actual flaws in the software. In a dream world, if you are able to resolve all vulnerabilities in the products you use, you would not need security mechanisms (such as anti-virus or firewall products) to protect every single network element in the network.

Protecting Against Security Vulnerabilities

There are four means of fighting vulnerabilities-protocol design, code audits, robustness testing and deployment. The availability of security mechanisms in the protocol level is a design choice that will help you deploy secure VOIP. Using strong encryption and fool-proof authentication will protect you against many confidentiality issues in VOIP.

As a VOIP engineer or system administrator, you need to understand the basics of various protocol extensions to help you select the appropriate equipment to provide adequate protection for your VOIP traffic. As a software developer, you need to know what programming structures cause vulnerabilities. You also need to be aware of which tools can be used to automatically find those flaws for you.

In testing, the final hardening and security verification is performed using fuzzing tools and other negative testing tools. These same tools are also used at the procurement practices-in acceptance testing and system testing.

Finally, in deployment, you need to turn security on and conduct the final penetration tests. You can do this by either using automated tools for that purpose or by consulting third-party security experts.

Security is a Continuous Process

Security is not just a product that you add to your network. It is a process that starts from the specification of the communication protocols and the systems used in the network architecture. It is a continuous process that improves as the software matures and is deployed to the market.

Even after deployment, frequent security assessments are used to ensure that security is maintained. This is done so that there is no regressing back to the time when security was just "reactive crisis management" controlled by hackers and secretive security consultants.

My final words of wisdom: Be in control of your security.


Ari Takanen is a founder and CTO of Codenomicon. He is a distinctive member of the global security testing community and a regular speaker at various testing and security conferences. His professional background is in academic software security testing research, where he has been active since 1998. Before Codenomicon, Takanen was part of the security research team at the University of Oulu, which is a small city of about 200,000 people in the northern part of Finland. More information can be received by sending an e-mail to info@codenomicon.com.


Ari Takenen and Peter Thermos co-wrote the book, "Securing VoIP Networks: Threats, Vulnerabilities, and Countermeasures", which was published by Addison Wesley Professional. ISBN-10: 0321437349, U.S. SRP: $44.99.