T 3.83 Incorrect configuration of VoIP components

Regardless of whether the VoIP components come in the form of dedicated hardware (appliances) or software-based systems, their configuration plays a decisive role. In addition to the signalling settings, which are specified during the planning phase, the transmission method chosen for the media streams is important. The codec applied to the voice data compresses it and so reduces the size of the IP packets that carry it.

Selecting an unsuitable codec that compresses the voice data too heavily leads to poorer voice quality. If, on the other hand, a codec is selected that compresses too little, the media streams are not reduced sufficiently and the IP network can become overloaded.

To protect the confidentiality of telephone calls, the media streams can be encrypted; SRTP, the secure profile of RTP, is supported by some of the media transport protocols for this purpose. Where the telecommunication system itself does not support encryption, many protocols allow the encryption to be negotiated directly between the end devices. A faulty configuration can, however, result in the media being transmitted unencrypted, for example when an end device is set to fall back to plain RTP if the remote side does not offer SRTP, possibly without the users noticing it. If an encryption method that is too weak or key lengths that are too short are selected, an attacker may under certain circumstances be able to listen in on the communication in spite of the encryption.

The ability to eavesdrop on conversations is not the only thing of interest to an attacker. The information transmitted during signalling can also be misused. If, because of an incorrect setting on the end device, the password is transmitted in plain text when a user logs in, an attacker can assume the identity of that user even though all VoIP components involved support secure challenge-response methods (such as SIP digest authentication). With this stolen identity the attacker could make telephone calls at the victim's expense or misuse other services, for example listening to the messages on the victim's voice mailbox.
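The two misconfigurations described above, unencrypted or weakly encrypted media and credentials sent without challenge-response protection, can both be recognised in the signalling traffic itself. The following script is an added example for this catalog entry, not part of the BSI text and not a tool from any VoIP vendor. It assumes SIP with SDP media offers, which this entry does not specify; the captured messages are constructed inline for illustration, and the assessment of SDES crypto-suites (RFC 4568, 6188 and 7714) is the author's simplification, treating the a=crypto lines of a message as a whole rather than per media section.

```python
import re

# SDES crypto-suites defined in RFC 4568, RFC 6188 and RFC 7714.
# Suites ending in _32 carry only a 32-bit authentication tag.
KNOWN_SUITES = {
    "AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32", "F8_128_HMAC_SHA1_80",
    "AES_192_CM_HMAC_SHA1_80", "AES_192_CM_HMAC_SHA1_32",
    "AES_256_CM_HMAC_SHA1_80", "AES_256_CM_HMAC_SHA1_32",
    "AEAD_AES_128_GCM", "AEAD_AES_256_GCM",
}


def parse_sip(raw):
    """Split a SIP message into (start line, header dict, body).
    Header names are lower-cased; repeated headers are joined with commas."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + "," + value if name in headers else value
    return lines[0], headers, body


def audit_signalling(headers):
    """Findings about the signalling leg: transport and authentication scheme."""
    findings = []
    match = re.match(r"SIP/2\.0/(\w+)", headers.get("via", ""))
    transport = match.group(1).upper() if match else "UNKNOWN"
    if transport not in ("TLS", "WSS"):
        findings.append(f"signalling over {transport}: identities, call metadata "
                        "and any SDP key material are readable on the wire")
    for name in ("authorization", "proxy-authorization"):
        if name in headers:
            scheme = headers[name].split(None, 1)[0]
            if scheme.lower() != "digest":   # Digest is the challenge-response scheme
                findings.append(f"{name}: '{scheme}' sends the credential itself "
                                "instead of a challenge-response proof")
    return findings


def audit_media(sdp):
    """Findings about the media offer: RTP profile and SRTP crypto-suites."""
    findings = []
    lines = sdp.split("\r\n")
    media = [l.split() for l in lines if l.startswith("m=")]
    cryptos = [l.split() for l in lines if l.startswith("a=crypto:")]
    dtls = any(l.startswith("a=fingerprint:") for l in lines)   # DTLS-SRTP keying
    for tokens in media:
        if len(tokens) < 3:
            continue
        kind, profile = tokens[0][2:], tokens[2]
        if "SAVP" not in profile:
            findings.append(f"{kind} media offered as {profile}: plain RTP, "
                            "the call can be recorded from the network")
        elif not cryptos and not dtls:
            findings.append(f"{kind} media offered as {profile} but without "
                            "a=crypto or a=fingerprint: no key exchange")
    for tokens in cryptos:
        suite = tokens[1] if len(tokens) > 1 else ""
        if suite not in KNOWN_SUITES:
            findings.append(f"unknown crypto-suite '{suite}'")
        elif suite.endswith("_32"):
            findings.append(f"{suite}: 32-bit authentication tag, prefer an "
                            "_80 or AEAD GCM suite")
    return findings


def audit(raw):
    """Run both checks over one captured SIP message and return the findings."""
    _, headers, body = parse_sip(raw)
    return audit_signalling(headers) + audit_media(body)


# Constructed sample messages (not real captures); addresses are documentation ranges.
WEAK_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\nTo: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0 8 101\r\n"
)
HARDENED_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK777\r\n"
    "From: <sip:alice@example.com>;tag=1929\r\nTo: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66711\r\nContent-Type: application/sdp\r\n\r\n"
    "v=0\r\no=alice 2890844527 2890844527 IN IP4 192.0.2.10\r\ns=-\r\n"
    "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:d0RmdmcmVCTDVCbvmR6r9pCjAjMcnm8rSUU5OFsi\r\n"
)
WEAK_SUITE_INVITE = HARDENED_INVITE.replace("HMAC_SHA1_80", "HMAC_SHA1_32")
WEAK_REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK123\r\n"
    "From: <sip:alice@example.com>;tag=55\r\nTo: <sip:alice@example.com>\r\n"
    "Call-ID: 9f2d3e\r\nAuthorization: Basic YWxpY2U6aHVudGVyMg==\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, msg in [("weak INVITE", WEAK_INVITE), ("hardened INVITE", HARDENED_INVITE),
                       ("weak suite", WEAK_SUITE_INVITE), ("weak REGISTER", WEAK_REGISTER)]:
        print(label, audit(msg) or ["no findings"])
```

Run against a capture of a phone's REGISTER and INVITE, the script reports the plain-RTP offer and the plaintext credential in the two weak samples and nothing for the hardened one. Note that it only inspects what the phone offers; whether the remote side accepts SRTP, and whether the phone then silently falls back to RTP, has to be checked in the answer (the 200 OK) with the same functions.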

In many cases, applications such as softphones or software-based telephone systems are operated on a standard PC. A standard operating system must be installed on that PC to run the corresponding programs. Errors in the administration and configuration of this operating system can have a major effect on the operation and security of the VoIP applications running on it.

Regardless of whether an end device (softphone) or a telecommunication system (software PBX) is operated on the IT system, an inappropriate assignment of access rights is a risk in both directions: rights that are too restrictive can prevent certain functions from being used, while rights granted too generously or to the wrong accounts can be misused.