More Weapons Emerge in the VoIP Security Battle


Two weeks ago, I posted a blog based on an Interop panel in which participants concluded that there were significant potential threats to VoIP security, but that for the most part, problems have so far been averted.


That remains so, but crunch time might be closer than the panelists thought -- or at least said. This CNET piece said that developer Jason Ostrom of Sipera Systems planned to release a VoIP-focused sniffer called UCSniff at the ToorCon X hacker show in San Diego. The tool has a learning mode, which maps conversation paths and captures calls to .WAV files. The other mode has two settings. One can eavesdrop on a specific user while the other monitors calls between two predetermined extensions. Ostrom planned to release two related tools. His goal is to bring awareness to VoIP and unified communications security.


The growing recognition of the need for VoIP security is emphasized by this review in CRN. The interesting thing about the review -- which looks at the ShoreGear-90 and four IP phones from ShoreTel -- is that it focuses exclusively on security. This is good. After a general introduction describing the need to secure VoIP systems, the reviewer looks at the segmentation of the network supporting the product into virtual local-area networks (VLANs), system encryption, access policy integration, password protection capabilities and vendor partnerships aimed at extending security.


The writer doesn't offer an outright assessment of the product, though she seems to be impressed. Whatever her view, it's heartening that a security-only review appeared at all.


These are, of course, complex topics. Some of that complexity is evident in this InformIT article, which is a reprint of a chapter from a Cisco Press book by Patrick Park called Voice Over IP Security. The chapter, entitled "VoIP Threat Taxonomy," deals with four categories of attacks: availability threats, confidentiality, integrity and social context. The chapter, which offers detailed insights and information, identifies the threats, measures the current and future level of danger and provides insight into how to avoid the dangers and secure the VoIP infrastructure.


This post is simply an effort to draw participants into a session that was held at the Internet Telephony Conference & Expo held earlier this month in Los Angeles. The promo, however, makes an important point. The writer says the growth of VoIP and its integration into an organization's overall data network means it can be used as a vehicle to attack the IP network overall. The example in the promo is that a vulnerability on a softphone can be used to introduce malware that attacks the data on that user's PC and, presumably, the network beyond.


Experts always have taken VoIP security seriously. The question is whether they can persuade folks who sign the checks to give them the latitude to build in security from the ground up, or whether organizations will neglect VoIP security until an incident occurs.