The Security Risks of VoIP
Increasing standardization and prevalence means VoIP will likely be a
growing target for attacks. Here's a look at the dangers, and how to
keep your business safe.
By Jim Rendon, SearchCIO News Writer
VoIP is becoming popular as businesses begin to see value in
converging voice with other data applications such as presence,
conferencing and e-mail. But many companies are unaware that
converging voice with data on the network suddenly makes a company's
voice systems vulnerable to many of the same kinds of attacks that
occur on the data side.
"Do not assume that because you have network security covered that
you also have IP telephony covered," said Elizabeth Herrell, a vice
president with Cambridge, Mass.-based Forrester Research Inc.
Eavesdropping and spam are both concerns. Hackers can target phone
systems with denial-of-service attacks, or program a company's phones
to call other businesses, shutting down the second company's phone
systems. People can spoof a phone's IP address and make calls that
are billed back to the company.
There hasn't yet been a widely publicized attack on a voice system,
but Herrell said she is certain attacks have occurred. As these
systems become popular and as the underlying technology becomes more
readily available, attacks are likely to increase in frequency and in
their creativity, said Dan Golding, a senior analyst with Midvale,
Utah-based Burton Group.
When the Franklin W. Olin College of Engineering, based in Needham,
Mass., deployed VoIP three years ago, the technology still had plenty
of kinks in it, said Olin CIO Joanne Kossuth. Because of concerns
about attacks on Microsoft-based Web servers, the college decided to
disable Web-based services and only uses basic features such as
address books and unified messaging.
"Every time you run a Web-based service in a device, if it happens to
be a Windows-based system, it becomes more vulnerable," Kossuth
said. "It's just the easiest thing to get scripts to attack with."
At the time, VoIP systems often used proprietary protocols, and even
where standards such as Session Initiation Protocol (SIP) were
incorporated, vendors were forced to add proprietary features to the
emerging standards to increase the phone's feature sets. Now most
systems are based largely on SIP. And because of that
standardization, businesses may see increasing attacks, Golding said.
In addition, open source IP private branch exchange (IP PBX) software
can now be downloaded from the Internet for free, thanks to
Huntsville, Ala.-based Asterisk. Such freeware makes VoIP technology
easily accessible to hackers, who can then experiment with SIP to
develop more effective attacks, Golding said.
But that is not to say that the vulnerabilities outweigh the
benefits. Kossuth said her system has been a worthwhile investment.
And there are several steps that businesses can take to ensure that
their systems are better protected.
Employees should have to log into IP phones just as they would a PC
to ensure that users are authenticated, Herrell said. That can also
help to detect spoofing since the system will know if the same user
is logged on in more than one location.
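The duplicate-login check described above can be sketched in a few lines. This is an added example, not part of the original article or any vendor's product; the event layout (login time, user, source address, session lifetime) and the sample records are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events: (login time, user, source address, lifetime in seconds).
# This field layout is an assumption for the example, not a real PBX log format.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "10.1.20.15", 3600),
    ("2024-05-01T09:05:00", "bob",   "10.1.20.31", 3600),
    ("2024-05-01T09:20:00", "alice", "10.1.20.15", 3600),  # same phone refreshing its login
    ("2024-05-01T09:40:00", "alice", "192.0.2.77", 3600),  # second location while still active
    ("2024-05-01T11:30:00", "bob",   "10.1.44.9",  3600),  # new desk after the old login expired
]

def find_concurrent_logins(events):
    """Return alerts for users whose login is active from two addresses at once."""
    active = {}  # user -> {source address: expiry time}
    alerts = []
    for ts, user, addr, lifetime in sorted(events):
        now = datetime.fromisoformat(ts)
        sessions = active.setdefault(user, {})
        # Forget logins whose lifetime has already run out.
        for old in [a for a, expiry in sessions.items() if expiry <= now]:
            del sessions[old]
        others = sorted(a for a in sessions if a != addr)
        if others:
            alerts.append({"time": ts, "user": user, "new": addr, "existing": others})
        sessions[addr] = now + timedelta(seconds=lifetime)
    return alerts

if __name__ == "__main__":
    for alert in find_concurrent_logins(SAMPLE_EVENTS):
        print(alert)
```

A user who legitimately runs a desk phone and a softphone at the same time will also trip this check, so the output is a list for review rather than proof of spoofing.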
Servers should be hardened to avoid unwanted vulnerabilities, said
Doug Bundgaard, security management portfolio leader for the
enterprise multimedia security group at Nortel Networks Ltd.
Depending on the value of the voice traffic, encryption may be an
important step to make eavesdropping on conversations harder, said
Jeff Posluns, CEO of Montreal-based SecuritySage Inc.
Patch management is also very important with voice systems, Golding
said. Many businesses have traditionally updated their voice systems
only when necessary to add new features. But with VoIP, it is very
important to install updates and patches as they arrive and to
instill that as a priority with those groups that handle voice, he
said.
As with VoIP systems themselves, security is evolving, Kossuth said.
She continues to make adjustments to her systems as the nature of
attacks changes and as the technology itself changes.
VoIP's next big step is toward wireless. Phones that can roam between
Wi-Fi and cellular systems are on the way and will place further
roaming and security challenges on VoIP systems.