Last week, my company got a $100,000 phone bill. Turns out, some enterprising types have been bouncing their calls off our voice network. This allowed them to make numerous calls to a foreign country using our equipment. And it looks like we're stuck with the bill.
The problem is that our voice over IP (VoIP) network is set up to receive incoming call requests from the general public. This is the normal way these phone calls work. We use the SIP protocol, which is designed to accept voice connections from anywhere. This protocol is not particularly secure; it's designed to promote global communication rather than validate that those connections are legitimate or authorized. The default behavior is to accept connections from anywhere. The way it works is that a call request comes in to a gateway like ours with some information about who's calling and where they are calling to, and the gateway (not being a particularly smart device) happily routes the call. Unfortunately, the "from" and "to" information can be any numbers, and attackers can simply put in any numbers they want. There's no authentication or validation built into the protocol. Our attackers took advantage of this to bounce calls off our gateway, in a way that made it appear the calls were originating from within our company.
Because our device is actually making the phone calls, the liability for the cost is ours. There's no built-in liability protection or limitation in our phone infrastructure to protect customers like us. It's kind of like having your bank account number stolen -- if somebody uses it to steal money from your account, you're out of luck, unlike with credit cards, where there is a limit to how much you owe for fraudulent purchases. And there's no way to find out who made the calls, because the source information was fake, so we can't put the blame on someone else.
So there's nothing I can do to repair the damage that was already done. All I can do is figure out a way to prevent a recurrence of this situation in the future. I don't know much about VoIP security, so I'm doing some research and trying to learn fast. I know that SIP traffic comes through the Internet to get to our gateway, which then routes calls to the phone company's voice network. This is regular TCP/IP network traffic that can be protected by a firewall that only allows connections from known good addresses and blocks connections from known bad addresses. I'm not sure how I'm going to determine which IP addresses are good and bad, so I'll have to figure that out. In addition, the SIP gateway itself is a network device that I might be able to harden with configuration entries that are more discriminating than the default settings. This requires specialized knowledge, so I may have to bring in an expert to help.
It seems like every day brings a new security challenge to light at my company. This situation is something new for me, so I'm viewing it as a learning experience. I just wish it didn't have to be such an expensive lesson.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.
To join in the discussions about security, go to blogs.computerworld.com/security.