VoIP Security Still Falling Short

It may be a bit late in the month to still be posting "year ahead"-type stories, but the content of this Help Net Security piece on the security threats facing VoIP makes it worthwhile. The bottom line of this commentary is that VoIP security is not yet where it should be.


The piece, which is based on findings from Sipera's VIPER group, says that the deployment of unified communications (UC) and Session Initiation Protocol (SIP) trunking will accelerate the number of denial-of-service and distributed denial-of-service (DoS and DDoS) attacks during the coming year. (The Korea Information Security Agency predicts a proliferation of DDoS attacks, according to the Korea IT Daily.)


The second category of attacks to watch is eavesdropping. Thirdly -- and this seems like a particularly grievous threat -- Microsoft Office Communications Server (OCS) 2007 will be the unwitting staging ground for the creation and launch of botnets.


The story adds that hackers will set up their own IP PBXes for VoIP phishing (vishing) and related attacks. Finally, access through Subscriber Identity Modules (SIMs) will facilitate attacks on service providers.


Despite these issues, it seems that not enough good guys are paying attention. Voice communications are not included in security plans in an "alarming" number of instances, according to this TechLINKS piece, and the technology itself remains vulnerable.


The voice infrastructure as a whole -- which includes the PBX, voice mail platforms, modem and fax lines -- creates a tremendous amount of opportunity for hackers, the writer says. VoIP deployments have the broadest impact on an organization's security readiness, starting with the basic characteristics of the data network. The piece goes into a good deal of detail on what these changes are. They are basic and fundamental, both in terms of core technology and operations.


Despite the fact that consultants and journalists keep talking and writing about VoIP security, it seems the message is not getting through. Security Park reports on a survey from NetIQ that agrees with the TechLINKS piece. The survey focused on IT managers planning or using VoIP in medium-size and large organizations.


Fifty-nine percent said the threat of viruses and worms attacking was "low" or "very low." Spam and SIP compromises were thought likely by only 12 percent and 18 percent of respondents, respectively. Fewer than half of the respondents had VoIP-specific security management tools.


Comms Business asks how much VoIP security has improved during the past couple of years. The piece -- which focuses on the McAfee Virtual Criminology report -- says that the two main threats against VoIP today are vishing and phreaking. Phreaking is perhaps the more intriguing from a non-technical vantage point, since the term first appeared during the 1970s in relation to the use of tones to make free calls. The updated version uses PCs to hack soft switches.


The piece suggests that service providers are paying more attention to VoIP security, but that individuals are not as proactive. Security experts must guard against disruption and identity theft. Keys include greater awareness and education and, on the technological side, strong authentication and encryption.