Pay Attention to VoIP Security Before the Storm

Carl Weinschenk

It certainly is understandable if people are overlooking VoIP security. Though the platform has been implicated in security problems through its use by phishers, VoIP isn't the biggest threat faced by the Internet community at this point.

 

The question is whether or not people will pay sufficient attention to it before it blossoms into the security crisis de jour. The potential challenges of Internet security are made clear in this EnterpriseVoIP Planet piece, which goes into far more detail than non-technical people require.

 

The value, however, is clear: There is a lot to worry about. The Internet was not developed to carry telephone calls. An admirable -- even amazing -- job has been done in adapting it to this purpose. The problem is that vulnerabilities exist that are general to all IP networks and VoIP-specific. The writer spends a good deal of time discussing vulnerabilities of the Session Initiation Protocol (SIP), the signaling system that increasingly is used for VoIP.

 

VoIP security will become a crisis only if it is ignored. The risk was made clear during the LayerOne security conference in Pasadena, Calif., where researcher David Hulton said that the GSM mobile phone standard -- which is used by Nokia and other carriers -- is insecure. Hulton said it's not too difficult for hackers to track where call participants are and to eavesdrop on their conversations. The post also discusses a demonstration at the conference run by a Netspi consultant. The bottom line was that VoIP security is frighteningly lax. For instance, the consultant said that open system VoIP platforms are not encrypting data.

 

This NetworkWorld piece clearly can be labeled a mixed bag. On one hand, the writer outlines a healthy collection of emerging security threats to VoIP. The good news is that all is not lost: the common wisdom among experts is that the problem isn't VoIP itself. Rather, it is that enough attention has not yet been paid to securing the platform. This suggests that most or all of the challenges can be met over time.


 

The writer delivers a good deal of bad news. For instance, he says that researchers at Black Hat released tools that can be used to attack H.323 and AIX and to insert audio into calls. Another researcher noted problems with the media gateway control protocol (MGCP). The writer refers to a VON panel that indicated the top three threats to VoIP are zero-day exploits, security mechanism that aren't used because of their complexity, and vendor-specific issues.

 

This Processor piece dovetails with the point made in Network World. The piece suggests that attention to security is as big a problem as any inherent technical deficiency of VoIP or the underlying network. The writer refers to an In-Stat study that "no more than 50%" of businesses in the United States have VoIP mechanisms in place. This strongly suggests that organizations are somehow in denial. The writer offers a sidebar with seven steps for securing VoIP: clearly assign responsibility; understand what is necessary to secure the system; do not connect the PBX directly to the Internet; run audits on a routine basis; update VoIP software regularly; limit devices connected to the PBX; and have a plan in place for when things go wrong -- and test it.

 

The takeaway from all this is that VoIP security is not an immediate crisis. Whether or not it becomes one -- and, if it does, whether it is a momentary blip on the radar that fades quickly away or a long-term emergency -- depends on the steps IT staffs take today.



Add Comment      Leave a comment on this blog post
May 20, 2008 12:03 PM Joel Maloff, BandTel Joel Maloff, BandTel  says:
VoIP security is just like any form of network security - only different (to paraphrase Yogi Berra). As with any network environment, without a complete, properly articulated network security policy and plan, information systems security is an illusion. We can only hope to achieve an acceptable level of security risk rather than a completely secure environment. If we follows this path, we can achieve acceptable levels of VoIP security risk. We can recognize that VoIP is not one flavor. There is Skype and its well-documented security flaws. There are residential VoIP services like Vonage, and digital voice providers from the cable companies. There are also hosted IP PBX, VoIP conferencing, and IP trunking service providers. The risks and vulnerabilities differ greatly amongst all of these and must be well-understood in the network security policy and plan. I believe that what you do not know CAN hurt you, and bad guys know how to do such things as VoIP-based denial of service attacks to take down entire enterprises or carriers. The bottom line however, is that if you have a good policy and plan, most attack vectors can be minimized. Reply
May 21, 2008 12:38 PM sri sri  says:
this is very usefull topic on voip security... Reply

Post a comment

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

null
null

 

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.