Protect Yourself Against The Worst VoIP Dangers

VoIP is the future of the network. But there are plenty of very dangerous VoIP security holes you need to watch out for. Here's what they are and how to

October 25, 2005

Network Computing

If the Voice over IP Security Alliance (VOIPSA) proves anything, it's that voice over IP (VoIP) security is something that a whole lot of people take very seriously. "The reason why our membership has mushroomed is that the industry as a whole is saying 'we're concerned,'" VOIPSA secretary and Sonicwall senior director Jonathan Zar says. "The carriers are saying 'we're ultimately responsible for integrating all of these products and we know there are problems.'"

Many of VoIP's security vulnerabilities are nothing new; they are simply the consequence of routing voice traffic over IP networks. Traditional telephony has been spared the kind of denial of service (DoS) attacks and worms that have bedeviled the Internet since Robert Tappan Morris set the first worm loose in 1988. However, the transport medium changes everything, even if VoIP lets users make and receive telephone calls with the same ease as with traditional phone service.

"You have to consider the underlying infrastructure," Infonetics directing analyst for enterprise voice and data Matthias Machowinski says. "If worms and viruses bog down your network, it's a data security issue, of course, but that's also going to affect voice quality and reliability."

In fact, real-time traffic like voice is particularly susceptible to any attacks on the IP network carrying it. Few users, Machowinski notes, will notice a network hiccup when they're downloading an e-mail attachment, but the same minute delay could play havoc with voice data. The bottom line is that VoIP security is only as good as the overall security of the network it's on, but even that's just a starting point.

"VoIP inherits every one of the denial of service vulnerabilities that you have on the net," Zar says. "It's also vulnerable to DoS attacks that are protocol-aware."

With that in mind, the first step to ensuring VoIP security is to plug the holes in the network. "It's important to look holistically at security," Machowinski says. "It has to be an overall strategy for data as well as voice."

Nevertheless, VoIP's vulnerabilities don't end with the IP network. Zar says that there are a number of security risks specific to IP telephony that VOIPSA has categorized, catalogued and presented in a thorough taxonomy. A good number of these relate specifically to the perils inherent in moving voice traffic from the closed circuits of the public switched telephone network (PSTN) to the wide-open Internet.

Traditional telephone calls aren't usually encrypted, primarily because they don't have to be. They're carried end-to-end on a managed network subject to rigorous regulation and controls. In theory at least, tapping a traditional phone requires some kind of physical intervention.

"Internet phone traffic isn't protected like that," he says. "The IP protocols were never really intended to be attack resistant, but there's also the question of privacy."

Unencrypted voice packets can be intercepted. Neither Zar nor Machowinski thinks that packet interception is a widespread problem -- yet -- but it will probably become more common as VoIP goes increasingly mainstream. And it's not technically difficult, Zar says. "You have to know the art, but it's not a black art," he says. "As with viruses, there are two groups of people who are interested in these things. There are those who like to develop the tools to do it, and the less sophisticated people who use the tools."

Few users regularly encrypt their e-mail, gambling that, with the number of packets flying around the Internet, interception is unlikely, so why encrypt voice calls? "Yes, it's a needle in a haystack," Zar says. "But not all haystacks are the same."

The bad news is that hackers already know how to target specific organizations and networks, but there is good news, too. The first use of VoIP by midsized and large organizations is typically to connect branch offices with each other and the head office and consolidate traffic on a central IP private branch exchange (PBX). Since remote office traffic is typically carried over a virtual private network (VPN), Zar says, the voice signals are already protected from the outside world.

"In most cases like that, the business user doesn't have to worry for now," he says. "But it's a different story for consumers, and will become more of an issue for businesses as VoIP use becomes more pervasive."

Indeed, if you make a call on an IP phone from a hotel, or with a soft phone at a local hotspot, there could be a kid hacking in down the hall or at the next table. VPN technologies will only protect VoIP security if the call is actually made over a VPN.

VoIP is also vulnerable to what Zar calls bypassing refuse-consent. This category of problems ranges from crank and obscene calls to fraud and spam over IP telephony (SPIT). The potential for fraud is enhanced by the ability VoIP gives users to change their caller IDs. It's virtually impossible for a telephonic grifter to change his caller ID using the PSTN, but it's much easier on a VoIP call. With a caller ID identifying him as a member of a company's IT department or service provider, a con man could easily garner even the most security-conscious victim's trust.

SPIT also bypasses refuse-consent, but its effects are indirect. Nevertheless, the scourge of e-mail spam and its ability to clog network arteries like its gelatinous meat byproduct namesake makes it a threat worth watching out for – if not now, then soon. "It's definitely something to be aware of," Machowinski says. "Most VoIP systems connect remote sites and are still relatively well protected by VPNs, but when companies move to true open-ended VoIP, it could become a real problem."

For now, Machowinski says, the best thing any organization can do to minimize its VoIP vulnerabilities is to maintain traditional network security, develop and observe consistent security policies and invest in VoIP-specific security tools and hardware where possible.

Zar agrees. "What you have to do is isolate voice traffic and ensure that you have good overall security," he says. "If you are using VoIP, you should be using a VoIP-aware firewall and secure your network against denial of service and intrusions. It starts with good network security."
