
SIP Security: Defending Against Man-in-the-Middle Attacks

Recently, during the COVID-19 pandemic, hackers saw an opportunity in the exponential increase in the use of video conferencing services. In a spate of ‘man-in-the-middle’ attacks, the hackers intercepted Zoom video conferencing calls and inserted their own video into the calls, causing great discomfort to users. Service providers and their customers lose billions of dollars annually to fraudulent activity initiated through such attacks. Read on to see how these attacks play out in enterprise VoIP networks and how they threaten SIP security.

What is a man-in-the-middle attack?
A man-in-the-middle attack happens when a hacker, masquerading as a genuine user, intercepts the signaling between two devices and then exploits the system to retrieve personal information. It is one of the most common threats to communication technology.

Man-in-the-middle attacks and their impact on SIP security

SIP Security: How criminals implement man-in-the-middle attacks

Criminals target real-time communications to eavesdrop on calls and to tamper with the network or its components. They can intercept RTP streams and insert media. Signaling sessions can be intercepted to learn the network topology and to disrupt signaling and call sessions. This is done by capturing packets from endpoints and soft clients, i.e. intercepting and logging traffic with network analyzers such as Wireshark and Cain and Abel. Endpoints and soft clients that are not approved by SBC OEM vendors are more vulnerable to such attacks, especially in remote working scenarios.

Criminals also use packet capture on VoIP networks to collect the SIP signaling requests and RTP stream data relayed by the B2BUA of session managers. With that knowledge they launch man-in-the-middle attacks by making independent connections to each victim and acting as the relay between them, so that both parties believe they are talking to each other directly.

How SBCs protect against attacks

SBCs can thwart such man-in-the-middle attacks because they can identify abnormal calls by monitoring the state of every call session and enforcing the configured policies. SBCs have full visibility of the SIP signaling and the RTP streams that carry voice and video traffic in VoIP-based communication systems. They detect anomalous events by analyzing traffic for abnormal behavior, attacks, and intrusions and applying the configured network policies. SBCs validate sessions, and reduce the incidence of man-in-the-middle attacks, by decoding both the SIP signaling messages and the media stream data.

SBCs can peel back the layers of a signaling message, trace the route the packet has taken, check that the packet is correctly formed, and identify malformed packets. Using this capability, SBCs can protect against attacks that occur at higher layers of the traffic, such as the multimedia streams themselves. SBCs with standard configurations are generally good enough to stop unauthorized calls and signaling sessions from amateur attackers, but more determined, professional attackers call for ongoing management and monitoring of the SBCs, and dynamic configurations on your SBCs are far more effective at detecting man-in-the-middle attacks.
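As an added illustration of the packet-formation checks described above (example code written for this page, not any SBC vendor's implementation), the following checks a raw SIP request against the mandatory headers of RFC 3261, verifies that the CSeq method matches the request line and that the declared Content-Length matches the body, and reports each defect. The two sample messages are constructed for the example, not captured traffic, and compact header forms are deliberately not handled.

```python
import re

# Headers every SIP request must carry (RFC 3261 s.8.1.1); compact forms (v:, f:, t:, i:) are not handled here.
MANDATORY = ("via", "from", "to", "call-id", "cseq", "max-forwards")
REQUEST_LINE = re.compile(r"^([A-Z]+) (sips?:\S+) SIP/2\.0$")
CSEQ = re.compile(r"^(\d+) ([A-Z]+)$")

def check_sip_request(raw: str) -> list:
    """Return findings for one SIP request; an empty list means it looks well formed."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers, findings = {}, []
    for line in filter(None, header_lines):       # "Name: value"; header names are case-insensitive
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            findings.append(f"malformed header line: {line!r}")
        else:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    req = REQUEST_LINE.match(start)
    if not req:
        findings.append(f"bad request line: {start!r}")
    findings += [f"missing mandatory header {h}" for h in MANDATORY if h not in headers]
    if req and "cseq" in headers:                 # CSeq must name the same method as the request line
        cseq = CSEQ.match(headers["cseq"][0])
        if cseq is None:
            findings.append(f"bad CSeq value: {headers['cseq'][0]!r}")
        elif cseq.group(2) != req.group(1):
            findings.append(f"CSeq method {cseq.group(2)} does not match request method {req.group(1)}")
    if "content-length" in headers:               # declared length must match the body actually present
        declared, actual = headers["content-length"][0], len(body.encode())
        if not declared.isdigit():
            findings.append(f"non-numeric Content-Length {declared!r}")
        elif int(declared) != actual:
            findings.append(f"Content-Length {declared} does not match body length {actual}")
    return findings

# Constructed sample messages (not captured traffic): a well-formed INVITE, and one
# missing Via/Max-Forwards, carrying a CSeq for the wrong method and a bogus length.
GOOD_INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
               "Via: SIP/2.0/TLS pc33.example.com;branch=z9hG4bK776asdhds\r\n"
               "Max-Forwards: 70\r\nTo: Bob <sip:bob@example.com>\r\n"
               "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
               "Call-ID: a84b4c76e66710@pc33.example.com\r\n"
               "CSeq: 314159 INVITE\r\nContent-Length: 0\r\n\r\n")
BAD_INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
              "To: Bob <sip:bob@example.com>\r\nFrom: Alice <sip:alice@example.com>;tag=1928301774\r\n"
              "Call-ID: a84b4c76e66710@pc33.example.com\r\nCSeq: 1 BYE\r\nContent-Length: 5\r\n\r\n")
```

`check_sip_request(GOOD_INVITE)` returns an empty list, while the malformed message yields one finding per defect, which is the kind of per-message verdict an SBC policy can act on.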

As perimeter devices, SBCs have the greatest potential to detect, prevent, and stop attacks that threaten an organization’s SIP security. By giving perimeter security, i.e. SBC security, the attention, resources, and investment it needs, you make it as hard as possible for attackers to find their way in.

If you have any questions or concerns about securing your SBCs or improving your overall SIP security posture, we will be happy to guide you. You can get in touch with us at sales@assertion.cloud.