The telecommunications industry is holding its breath on VoIP security. To this point, it has been spared the worst of the security nightmare faced by the traditional networked non-voice data world. VoIP has been relatively unscathed because there is no dominant target (the sinister role Microsoft played on the desktop). Until recently, security was loose enough in the data network world that crackers needed no new frontiers. It's only recently that valuable data began flowing over VoIP.
It would be a fool's errand to assume that this will last. Indeed, there is ample evidence that criminals are casting their evil eyes toward VoIP. It makes sense: Security in general is increasingly effective. This means that a higher percentage of exploits are more social than technical, and VoIP is a perfect vehicle for phishing and social engineering exploits. For instance, in this Washington Post posting describing a voice phishing (vishing) scam, Brian Krebs points out that hackers favor VoIP because these numbers are more difficult to trace.
Luckily, the security tools are growing in sophistication as well. For instance, VoIPshield is taking a granular approach to VoIP security that clearly digs more deeply into VoIP security than in the past. The product focuses on specific vulnerabilities found in IP PBXes from Cisco, Avaya and Nortel. The company says that it works with the vendors in a responsible manner and only releases enough information to alert interested parties -- not help the crooks. Commentary from a Gartner analyst suggests that most security initiatives on VoIP to date focus on the underlying Session Initiation Protocol signaling while VoIPshield aims at proprietary signaling techniques. To date, the system has found 144 major vulnerabilities in four areas: denial of service, unauthorized access, information harvesting and code execution.
Apparently, a lot of important people aren't listening to the VoIP security message. Early last week, In-Stat released a report that found that no specific means of securing VoIP is being used by more than half of the businesses queried. Low percentage use was reported of such approaches as periodic audits and pre-deployment assessments. The study also found accelerating use of VoIP.
This primer at VoIP News on VoIP security starts out with the observation that VoIP is vulnerable to the same security issues as traditional data networks -- and then some. The threats described are distributed as denial of service attacks, snooping, spam over Internet telephone, vishing and direct hacks. Securityextra adds another exploit to the list: Phreaking focuses on stealing service from the carrier or service provider. VoIP News says the keys in battening down the hatches are firewalls, intrusion detection systems, intrusion prevention systems, virtual private networks and specific DDoS protection tools.