Pay Attention to VoIP Security Before the Storm


It certainly is understandable if people are overlooking VoIP security. Though the platform has been implicated in security problems through its use by phishers, VoIP isn't the biggest threat faced by the Internet community at this point.


The question is whether or not people will pay sufficient attention to it before it blossoms into the security crisis de jour. The potential challenges of Internet security are made clear in this EnterpriseVoIP Planet piece, which goes into far more detail than non-technical people require.


The value, however, is clear: There is a lot to worry about. The Internet was not developed to carry telephone calls. An admirable -- even amazing -- job has been done in adapting it to this purpose. The problem is that vulnerabilities exist that are general to all IP networks and VoIP-specific. The writer spends a good deal of time discussing vulnerabilities of the Session Initiation Protocol (SIP), the signaling system that increasingly is used for VoIP.


VoIP security will become a crisis only if it is ignored. The risk was made clear during the LayerOne security conference in Pasadena, Calif., where researcher David Hulton said that the GSM mobile phone standard -- which is used by Nokia and other carriers -- is insecure. Hulton said it's not too difficult for hackers to track where call participants are and to eavesdrop on their conversations. The post also discusses a demonstration at the conference run by a Netspi consultant. The bottom line was that VoIP security is frighteningly lax. For instance, the consultant said that open system VoIP platforms are not encrypting data.


This NetworkWorld piece clearly can be labeled a mixed bag. On one hand, the writer outlines a healthy collection of emerging security threats to VoIP. The good news is that all is not lost: the common wisdom among experts is that the problem isn't VoIP itself. Rather, it is that enough attention has not yet been paid to securing the platform. This suggests that most or all of the challenges can be met over time.


The writer delivers a good deal of bad news. For instance, he says that researchers at Black Hat released tools that can be used to attack H.323 and AIX and to insert audio into calls. Another researcher noted problems with the media gateway control protocol (MGCP). The writer refers to a VON panel that indicated the top three threats to VoIP are zero-day exploits, security mechanism that aren't used because of their complexity, and vendor-specific issues.


This Processor piece dovetails with the point made in Network World. The piece suggests that attention to security is as big a problem as any inherent technical deficiency of VoIP or the underlying network. The writer refers to an In-Stat study that "no more than 50%" of businesses in the United States have VoIP mechanisms in place. This strongly suggests that organizations are somehow in denial. The writer offers a sidebar with seven steps for securing VoIP: clearly assign responsibility; understand what is necessary to secure the system; do not connect the PBX directly to the Internet; run audits on a routine basis; update VoIP software regularly; limit devices connected to the PBX; and have a plan in place for when things go wrong -- and test it.


The takeaway from all this is that VoIP security is not an immediate crisis. Whether or not it becomes one -- and, if it does, whether it is a momentary blip on the radar that fades quickly away or a long-term emergency -- depends on the steps IT staffs take today.