Security Honeymoon Over For VoIP

Last month's FBI arrest of a man in Miami for allegedly hacking into the networks of Internet service providers has ushered in a new era for voice over IP technology (VoIP).

Naturally, VoIP inevitably was going to have to deal with the same type of security concerns that other data networks have faced. But the security space moves fast, and in recent months VoIP security has gone from an impending issue to a top-of-mind problem for vendors, VARs and users.

The Miami case, in which the alleged offender is accused of tapping into IP telephony networks to fraudulently sell more than 10 million minutes of calls, represents an escalation from simple denial- and loss-of-service threats to more serious theft-of-service attacks. Commenting on the case, Nemertes Research said that "converged networks lead to converged threats," and that such attacks are likely to continue, if not become more prevalent.

VoIP has been enjoying the "honeymoon" period during which attackers familiarize themselves with a new technology, but that honeymoon is now over, Nemertes says. As far back as 2002, Nemertes predicted four emerging stages of security threats in voice technologies: denial and loss of service; theft of service and toll fraud; eavesdropping; and social engineering through spoofing. The Miami case shows us to be halfway through those projections.

Many of VoIP's security problems arise when -- just like with other data networks -- organizations don't enforce policies or users aren't following them diligently enough."We find that breaches happen when a company lacks the proper policies, when there's nothing standardized that would have allowed them to block the bad traffic," says Steven Reese, security practice manager for Nexus Integration Services in Valencia, Calif.

For the full story on securing VoIP, read Aug. 7 issue of VARBusiness.