Transcript Evaluation of VoIP security vulnerabilities

Evaluation of users’ perspective
on VoIP’s security vulnerabilities
Alireza Heravi
Supervisors: Professor Jill Slay
Dr Sameera Mubarak
Research Questions
• To what extend are VoIP users aware of VoIP
security vulnerabilities and what is their attitude
towards these issues?
Research Methodology
• This thesis is a positivist quantitative research (Survey)
▫ For quantitative data collection purpose, an anonymous online questionnaire was designed.
• The questionnaire is designed by using Google Docs.
▫ The answers to the questions are stored at Google’s server
in Google Docs spreadsheet format and it is accessible by
logging in to the corresponding Gmail account.
• For analyzing the collected data SPSS (PASW Statistics
17.0 (release 17.0.2)) and Microsoft Excel 2007 were
used.
The Questionnaire
• The questionnaire contains:
▫ 20 questions
 18 closed questions (2 five-point scale question)
▫ 2 open questions
The First Transmitted Voice
“Mr. Watson, come here, I want to see you”
Sent by Alexander Graham Bell in 1876 (Flood 1976; Brittain 2005)
http://images.livescience.com/images/gm_Alexander_Graham_Bell_03_10.jpg
What is VoIP?
• Voice over Internet Protocol
• Transmits voice conversations over IP based
networks like internet
▫ Converges voice and data
• Skype, oovoo, Google Talk, MSN …
• Key drivers: low cost and flexibility
◦ Location independence
◦ Integration with other services like file exchanges
How VoIP works?
On the sender side:
• VoIP system converts voice into digital signal
• Split it into packets
• Transport it over IP networks
On the receiving side
• Digitized voice data is reassembled and decoded
Source: www.baacs.com/VoIP.html
VoIP Implementation
Figure 1 (Phone-to-Phone)
Figure 2 (PC-to-PC)
VoIP Implementation (cont.)
Figure 3 PC-to-Phone/phone-to-PC
VoIP Implementation (cont.)
PSTN
IP PBX
IP PBX
Phone
Phone
Computer
Computer
Internet
IP
Phone
Gateway/Router
IP
Phone
Fax
Site 1
VPN
VPN
Private IP Network
VPN
Private IP Network
Gateway/Router
Fax
Site 2
VoIP Security
• VoIP uses IP networks and therefore inherits its
vulnerabilities.
▫ IP Networks have various potential vulnerable points
• Adding voice traffic to IP networks complicates security issues
and introduces a range of vulnerabilities.
▫ A VoIP system may face either an exclusive attack or an attack to
the underlying IP network.
• For having a secure VoIP system, both the IP network and the
VoIP specific security issues must be addressed.
▫ Network components including switches, routers, and firewalls, must
also be VoIP aware to be able to provide specific VoIP security
features.
Results and Findings
Number of Participants by country
70
64
Sample population: Students of
the School of CIS of the UniSA
60
50
40
Population: about 300
30
20
10
8
1
1
1
2
1
1
2
1
1
1
2
South Korea
Malaysia
Maldives
Russia
South Africa
Taiwan
Trinidad and Tobago
United Kingdom
Vietnam
1
4
Japan
1
5
Italy
10
0
Number of participants: 107
from 18 different countries
Iran
India
Fiji
China
Canada
Australia
Afghanistan
Results and Findings (cont.)
- Most of the participants believe that
traditional telephony (land line/mobile)
is more secure than VoIP
Is traditional telephony (land line/mobile) more
secure than VoIP?
- Participants are most concerned about
lower cost and least concerned about
security.
The most concerned feature when making international calls
3% 2%
9%
11%
41%
Convenience
Don’t know
30%
Lower cost
No
28%
Quality
Same
56%
Yes
Others
20%
Graph -1
Security
Graph -2
Results and Findings (cont.)
• The majority of the respondents who make international call
by either VoIP or landline/mobile are concerned about
privacy (eavesdropping).
• The respondents that prefer computer over land line/mobile
for international calls are less concerned about VoIP privacy
and vice versa
• No relationship was found between nationality and
awareness/attitude towards security/privacy issues in VoIP.
Summary of participants’ opinion
about security/privacy in VoIP
• Since VoIP providers offer cheap services, it is not expected to
have best facilities and privacy.
• Security/privacy is not a major concern due to the fact that
the content of the conversations are not important (calling
family, etc …).
• Do not talk about anything sensitive/important using
VoIP/landline/mobile if you do not want it found out.
• Conversations are monitored and analyzed by government to
protect the nation.
Thank You