Network Computing is part of the Informa Tech Division of Informa PLC


Cisco Security Alerts Serve As VoIP Wake-Up Call

Cisco Systems' revelation last week of two security alerts and fixes for CallManager, the processing component of its voice-over-IP technology, reminds us that while VoIP offers all sorts of benefits, there's no getting around its vulnerability as a software application.

CallManager's vulnerability to denial-of-service attacks--which could prevent legitimate users from accessing a VoIP network--and attacks that would let users increase their access privileges seem mild compared with threats aimed at stealing customer data or blocking Web-site access. But as more voice communication travels over the Internet, reducing that threat becomes increasingly important. Infonetics Research predicts spending on VoIP will grow from $1.2 billion in 2004 to $23 billion in 2009.

Cisco CallManager extends business telephony functions to IP phones, media-processing devices, VoIP network gateways, and multimedia apps. The denial-of-service and privilege-escalation vulnerabilities, for which patches are available, affect CallManager 3.2 and earlier, and some versions of CallManager 3.3, 4.0, and 4.1.

[Sidebar: Telecom Momentum. Cisco's share of the office-telephone-system market; the number of its VoIP customers; the number of VoIP phones Cisco has sold.]

Like Microsoft in the software market, Cisco is likely to be the main target of VoIP hackers because of its market-share leadership. A Synergy Research Group report issued last week indicates that Cisco's IP telephony technology accounted for 18% of the office-telephone-system market over the past year, with more than 30,000 customers and 7 million phones sold since it entered the market six years ago.

Another danger lies in IT staff inexperience: Voice over IP hasn't been much of a target for hackers, and gaining the security know-how to protect those networks may not be top of mind during deployments, says Ofir Arkin, chief technology officer of network-management company Insightix Ltd. and a board member of the Voice over IP Security Alliance, a collection of networking and security vendors, researchers, and academics. "To knock off a voice-over-IP infrastructure is easier than traditional calls," he adds. "We all need to take these as very serious things, because if you want to dial 911, and you can't, this is life-threatening."
