The 9 deadly security gaps: Protecting against the rising risk of toll fraud
By Satyam Tyagi
Toll fraud has started making headlines once again. Reports range from breaches that surprise small enterprises with ridiculously high long distance bills, to the break-up of highly organized international rings of toll fraudsters who are milking enterprise telephony vulnerabilities for gain.
Although toll fraud itself is a very old crime, it is taking on new forms as enterprises deploy VoIP and Unified Communications. Earlier forms of toll fraud focused primarily on cost avoidance, with perpetrators effectively using a Telco's resources without authorization. Toll fraud in the new age of IP telephony will just as often target an enterprise, as perpetrators hack a PBX or otherwise gain access to PSTN connectivity trunks to run up long distance charges at the enterprise's expense.
To be sure, toll fraud itself is not specific to VoIP or SIP or any of the other technologies of the new network. Classic TDM PBXs and infrastructure are just as likely to be targets of fraudsters. But enterprise managers making the move to adopt IP telephony and the new applications of unified communications must be aware of security issues that can create openings for toll fraud.
Specifically, in-depth analysis of production VoIP and UC deployments in which toll fraud was confirmed to be taking place has identified three basic attack vectors that fraudsters commonly use:
- Attacking PBXs to control or manipulate them to gain access to long distance trunks.
- Exploiting weaknesses in end user device security or user accounts to make unauthorized calls.
- Taking advantage of security gaps in commonly deployed VoIP and UC architectures that are used for SIP trunking for PSTN hand-offs.
The first two attack vectors are not unique to VoIP or UC, as these methods of manipulating the telephony infrastructure have taken place many times in the world of TDM and traditional telephony.
The third vector, in contrast, represents a relatively new set of vulnerabilities and configuration issues specific to VoIP and UC, which enterprises and service providers must be aware of in order to fully protect themselves against the risk of toll fraud.
In particular, using SIP trunks to replace traditional TDM PRI links can make toll fraud much more lucrative for an attacker and much more costly for the victim. In a typical small enterprise, the maximum loss from a compromised media gateway with two T1s is only about 2,750 call minutes per hour. A SIP trunk with 3 Mbps of bandwidth and the compressed G.729 codec, however, would allow closer to 6,000 call minutes per hour. Bandwidth normally reserved for data is usually also available at night, so instead of 3 Mbps one may be looking at 6 to 20 Mbps. This means the potential toll fraud loss may be 4-15 times greater in a SIP trunk scenario than with classic TDM connectivity.
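To make the arithmetic behind these figures reproducible, here is an added exposure estimator (not code from the article). It assumes 23 bearer channels per T1 PRI, 20 ms G.729 packets, and IPv4/UDP/RTP plus Ethernet framing per call direction, and ignores any concurrent-call cap the trunk provider may enforce.

```python
"""Upper-bound toll-fraud exposure of a PSTN hand-off, in call minutes per hour.

Constructed model: every bearer channel (or every bit of trunk bandwidth)
is assumed to carry fraudulent calls for the full hour.
"""
from dataclasses import dataclass

PRI_B_CHANNELS = 23          # one T1 PRI: 24 DS0s, 23 bearer + 1 D channel

# Per-packet overhead for one RTP stream, in bytes (assumes IPv4, no VPN/SRTP).
RTP_HEADER = 12
UDP_HEADER = 8
IPV4_HEADER = 20
ETHERNET_OVERHEAD = 18       # 14-byte header + 4-byte FCS


@dataclass(frozen=True)
class Codec:
    name: str
    payload_bps: int         # raw codec bit rate
    ptime_ms: int            # milliseconds of audio per RTP packet


G729 = Codec("G.729", 8_000, 20)
G711 = Codec("G.711", 64_000, 20)


def call_bandwidth_bps(codec: Codec, layer2_overhead: int = ETHERNET_OVERHEAD) -> int:
    """On-the-wire bandwidth of one call direction, headers included."""
    packets_per_sec = 1000 // codec.ptime_ms
    payload_bytes = codec.payload_bps // 8 // packets_per_sec
    frame_bytes = payload_bytes + RTP_HEADER + UDP_HEADER + IPV4_HEADER + layer2_overhead
    return frame_bytes * 8 * packets_per_sec


def tdm_call_minutes_per_hour(num_pri: int) -> int:
    """Max billable minutes in one hour if every bearer channel carries fraud traffic."""
    return num_pri * PRI_B_CHANNELS * 60


def sip_call_minutes_per_hour(trunk_bps: int, codec: Codec = G729) -> int:
    """Max minutes per hour on a SIP trunk; concurrent calls are bounded by bandwidth."""
    concurrent_calls = trunk_bps // call_bandwidth_bps(codec)
    return concurrent_calls * 60


def exposure_ratio(trunk_bps: int, num_pri: int = 2, codec: Codec = G729) -> float:
    """How many times larger the SIP-trunk exposure is than the TDM baseline."""
    return sip_call_minutes_per_hour(trunk_bps, codec) / tdm_call_minutes_per_hour(num_pri)


if __name__ == "__main__":
    print("2 x PRI:", tdm_call_minutes_per_hour(2), "call-min/h")
    for mbps in (3, 6, 20):
        bps = mbps * 1_000_000
        print(f"SIP {mbps} Mbps G.729: {sip_call_minutes_per_hour(bps)} call-min/h,"
              f" ratio {exposure_ratio(bps):.1f}")
```

With these framing assumptions a G.729 call costs 31.2 kbps per direction, so 3 Mbps carries 96 concurrent calls; swapping in G711 roughly triples the per-call bandwidth and shrinks the exposure accordingly.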
At a high-level, these security architecture flaws come about when the enterprise relies solely on a traditional session-border controller (SBC) or media gateway (MG) to provide security at the demarcation point of the SIP Trunk PSTN hand-off.
SBCs and MGs are essential components of a VoIP and UC architecture such as one based on SIP, providing interconnectivity between network segments, hand-off demarcation, and transcoding to facilitate communications across disparate network segments.
At one level, this demarcation role does indeed provide an important function that supports the security architecture, enabling greater visibility and control over trusted and untrusted network segments. However, there is a common misconception that these devices provide comprehensive application layer security (they do not) and are in and of themselves an effective means of securing an enterprise perimeter at PSTN hand-off points (they are not).
This article is continued here.