Organizations must pay more attention to VoIP security, according to Eric Winsborrow, the chief marketing officer of Sipera Networks. The opening of the entire telecommunications architecture in Web 2.0 -- a landscape characterized by heightened interactivity and collaboration -- creates a very threatening environment that must be met head-on. Says Winsborrow:
The issue is the mindset, the change from what we call VoIP 1.0 or what people call, believe it or not, legacy VoIP. That is the scenario in which VoIP basically is just replacing Ma Bell. In that [older] environment, there were a lot of vulnerabilities, but not a lot of ways of taking advantage of them. Now, as we move to the next generation -- unified communications -- it is not just VoIP as a Ma Bell replacement network. It's about using softphones with data on laptops, dual-mode laptops with data on them, remote workers, video. You get the idea. We are not in Kansas anymore.
The fundamental difference is that a phone service requires users to have their systems open enough to accept an incoming call which, of course, can happen at any time. In the "old" days of one-way data flow, the client device was closed down until the user was ready to reach out. Winsborrow suggests that the difference is significant:
If it is a phone device, it always has to be open and waiting for someone to call. In essence, you become a server. If you have a softphone sitting on a laptop or PC, it has to be open and on and waiting for a call. All someone needs to know is your phone number. If they want to hack into you in data, they need the IP address [and other information]. If they want to hack in on a softphone, all they need is a phone number. If I want to call you, and you have a softphone on a laptop, the firewall lets me go through. It's a phone call.
There are other structural differences, Winsborrow points out. A VoIP call actually involves two channels of communications -- management and payload. The management channel gets a lot less attention, but often is the one attacked by hackers. Finally, he says that the situation is complicated by the presence of as many as 70 "states," which are snapshots of what the system is doing at a particular point in time. These can be attacked in slightly different ways by hackers.
Awareness of and reaction to the dangers differ from sector to sector. It's a tricky game: Calling too much attention to the problem can scare people and hurt the nascent industry, while sweeping it under the rug can lead to more serious technical and political problems down the road. Says Winsborrow:
I think the voice vendors are more aware, but it doesn't suit their purpose to advertise this because they want to sell their services. The data security guys see this as something in the future because they don't have voice expertise and, like any good company, they look at the financial side of the market opportunity and see it only going to go mainstream in a couple of years. That doesn't help people affected now, however. Some companies have both voice and data security and are starting to realize it makes sense to invest now, but kind of secretly. The bigger companies, like very large banks, regulated industries, are more aware. They are the ones leading the charge. They want to be careful with compliance and security. The general public tends to believe what the vendors tell them. The public usually is a year or two behind.
This piece about VoIP security at Security Park starts on a reassuring note: There is not too much extra that needs to be done to protect voice networks beyond good data security procedures. There are some additional steps, however, which are described. These include keeping voice on a separate virtual local-area network (VLAN) and taking special measures to protect the Internet Control Message Protocol (ICMP). The writer says about 90 percent of VoIP threats are directed against ICMP. The author also says directory hacking is a current concern and Spam over Internet Telephony (SPIT) is likely to grow.
The dangers seem fairly immediate. This blog post at Wired describes how two people were able to hack into a hotel VoIP network using a tool called VoIP Hopper. The details are interesting. The bottom line is that the procedure -- done to a Cisco-based system -- was easy, and gave the hackers access to the entire corporate network. The hackers told the writer that they could do the same thing to an Avaya system, though it would be a touch more difficult.
This blogger makes the important point that having voice and data run on the same network means the danger from traditional IP threats such as Trojans and viruses is double. The post, at Mobile-Computing-Technology, provides a good backgrounder on SPIT, eavesdropping, phishing over VoIP, Session Initiation Protocol (SIP) registration hacking and spoofing.
Registration hacking, perhaps the least well-known of these threats, occurs when packet headers intended to help set up the call in a SIP scenario are intercepted and the address of the hacker is inserted. It can be used for fraudulent toll calls, denial of service attacks, and simply to break connections.
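On the defensive side, a registrar log or packet capture can be checked for the symptom described above: a REGISTER request that rebinds a user's address-of-record to a new Contact address. The sketch below is an added example, not code from the article or from any product it mentions; the function names, reason codes, default expiry and sample messages are all assumptions constructed for illustration.

```python
import re
COMPACT = {"t": "to", "m": "contact"}  # RFC 3261 compact header names

def parse_register(raw):
    """Return (aor, contact_host, expires) for a REGISTER request, else None."""
    lines = raw.split("\r\n")
    if not lines[0].upper().startswith("REGISTER "):
        return None
    hdr = {}
    for line in lines[1:]:
        if ":" not in line:
            break  # blank line: end of headers
        name, value = line.split(":", 1)
        name = name.strip().lower()
        hdr[COMPACT.get(name, name)] = value.strip()
    aor = re.search(r"sips?:([^>;\s]+)", hdr.get("to", ""))
    contact = re.search(r"sips?:(?:[^@>;\s]+@)?([^:>;\s]+)", hdr.get("contact", ""))
    if not aor or not contact:
        return None
    exp = hdr.get("expires", "")  # assumption: missing/malformed Expires = live binding
    return aor.group(1).lower(), contact.group(1).lower(), int(exp) if exp.isdigit() else 3600

def detect(messages):
    """messages: (source_ip, raw_sip) pairs in arrival order -> [(aor, reason)]."""
    bindings, alerts = {}, []
    for src, raw in messages:
        parsed = parse_register(raw)
        if parsed is None:
            continue
        aor, host, expires = parsed
        known = bindings.get(aor)
        if expires == 0:  # de-registration: who is removing the binding?
            if known and src != known:
                alerts.append((aor, "unbind-by-other"))
            bindings.pop(aor, None)
            continue
        if host != src:  # binding points somewhere other than the sender
            alerts.append((aor, "contact-mismatch"))
        if known and host != known:  # existing binding replaced by a new host
            alerts.append((aor, "binding-moved"))
        bindings[aor] = host
    return alerts

def reg(user, contact_host, expires=3600):  # builds constructed sample traffic
    return (f"REGISTER sip:example.test SIP/2.0\r\nTo: <sip:{user}@example.test>\r\n"
            f"Contact: <sip:{user}@{contact_host}:5060>\r\nExpires: {expires}\r\n\r\n")

SAMPLE = [("10.0.5.21", reg("alice", "10.0.5.21")), ("10.0.5.30", reg("bob", "10.0.5.30")),
          ("10.0.5.99", reg("alice", "203.0.113.77")), ("10.0.5.30", reg("bob", "10.0.5.30"))]
```

Phones behind NAT legitimately send a Contact that differs from the packet's source address, so these rules are triage signals to review, not verdicts; authenticating REGISTER requests and carrying signaling over TLS address the underlying weakness.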
The Jericho Forum is a consortium aimed at building e-commerce security. This writer, a member of the group, states in no uncertain terms that VoIP is insecure. The basic problem is that the marketing push was that VoIP would produce great savings for the organization. However, the writer says, those claims don't hold up to real scrutiny. The writer also says that VoIP systems routinely are delivered to companies in an insecure manner. The bottom line is very clear, in his view: "VoIP is ... a time bomb, poised for a massive exploit."