Who’s on the line? Call hijacking and disruption

In my first column, I highlighted the relatively little attention received by VoIP security when compared with web and email, and commented that VoIP system face a set of unique threats. Just what are these threats?

Imagine that you are calling your bank. You have identified yourself by entering your account number on your phone’s keypad and by answering the usual security questions when you are cut off. Should you worry?

If you are using a standard phone line probably not, but if you are on an unsecure VoIP line you should be more concerned. Your call may have been hijacked and the attacker is now calmly transferring the contents of your account to the Cayman Islands.

Farfetched? Not really. Call hijacking is one of many VoIP application security threats that I demonstrate in my VoIP security workshops.

From the attacker’s point of view it not the easiest of attacks and needs a lot of preparation, but the potential pay-back means that is it worth investing some time.

Other attacks, such as terminating calls or flooding a VoIP system to the point of failure are much easier and therefore probably more likely, but make for a less exciting demonstration.

The point is that that any unprotected VoIP system is potentially vulnerable to these threats, each of which has the potential for service disruption and direct financial cost.