Cisco Security Alerts Serve As VoIP Wake-Up Call

Cisco Systems' revelation last week of two security alerts and fixes for CallManager, the processing component of its voice-over-IP technology, reminds us that while VoIP offers all sorts of benefits, there's no getting around its vulnerability as a software application.

CallManager's vulnerability to denial-of-service attacks--which could prevent legitimate users from accessing a VoIP network--and attacks that would let users increase their access privileges seem mild compared with threats aimed at stealing customer data or blocking Web-site access. But as more voice communication travels over the Internet, reducing that threat becomes increasingly important. Infonetics Research predicts spending on VoIP will grow from $1.2 billion in 2004 to $23 billion in 2009.

Cisco CallManager extends business telephony functions to IP phones, media-processing devices, VoIP network gateways, and multimedia apps. The denial-of-service and privilege-escalation vulnerabilities, for which patches are available, affect CallManager 3.2 and earlier, and some versions of CallManager 3.3, 4.0, and 4.1.

Like Microsoft in the software market, Cisco is likely to be the main target of VoIP hackers because of its market-share leadership. A Synergy Research Group report issued last week indicates that Cisco's IP telephony technology accounted for 18% of the office-telephone-system market over the past year, with more than 30,000 customers and 7 million phones sold since it entered the market six years ago.

Another danger lies in IT staff inexperience: Voice over IP hasn't been much of a target for hackers, and gaining the security know-how to protect those networks may not be top of mind during deployments, says Ofir Arkin, chief technology officer of network-management company Insightix Ltd. and a board member of the Voice over IP Security Alliance, a collection of networking and security vendors, researchers, and academics. "To knock off a voice-over-IP infrastructure is easier than traditional calls," he adds. "We all need to take these as very serious things, because if you want to dial 911, and you can't, this is life-threatening."Most VoIP attacks to date have been against specific phones and directed at stealing service or altering configurations to make the phones act strangely. Last July, Internet Security Systems Inc.'s X-Force research team posted an alert that Cisco CallManager included bugs that attackers could exploit to create what's known as a heap overflow to crash a system or gain unauthorized access. In 2002, vulnerabilities emerged in several Pingtel Corp. Session Initiation Protocol-based phones that allowed denial-of-service attacks, manipulation of SIP signaling, and unauthorized remote access to phones.

Be Prepared

Businesses can help protect their VoIP networks by segmenting their voice and data traffic using a virtual LAN, says Kevin Flynn, senior manager for Cisco IP communications and wireless security technology marketing. "If an attack occurs on the data network and there's good segmentation, the voice traffic will be fine," he says. The problem with a virtual LAN, however, is that virtual segmentation won't protect data and voice traffic if the networking equipment itself is attacked and taken down.

These concerns are only beginning to be felt among businesses using VoIP. Ruth Harenchar, CIO of legal-services staffing firm Hobart West Group, says she's never heard of any VoIP-specific attacks. Still, her company takes standard security measures with all its IP traffic, including voice. "We're pretty confident, so we think we're OK from the standpoint of the voice traffic," she says. Yet it only takes one nasty, well-publicized VoIP attack to have businesses wondering if they've done enough.