It's become conventional wisdom in the VoIP/IP telephony/UC security space that the major vulnerability for voice-over-IP traffic today remains the simple fact that it runs on IP infrastructures that may be the targets of attacks that have been plaguing data networks for years. In other words, all those exotic types of attacks with names like SPIT (spam over IP telephony); VOMIT (voice over misconfigured IP telephony); or eavesdropping via packet capture -- these have not yet materialized to any significant degree. But there is plenty of reason to stay vigilant when it comes to VoIP/UC security.
I'll break the types of threat down into three categories:
1.) New types of attacks unique to voice, along with voice-oriented versions of traditional attacks -- These include eavesdropping by capturing packets, or SPIT, which would consist of overwhelming an IP telephony line with voice messages, comparable with overwhelming an e-mail box with spam. As I noted above, these aren't really being considered a top threat today.
2.) Voice traffic as collateral damage in an IP network attack -- This is the second type of attack I described above, where, say, an attack on a router brings down the entire IP network. Since the voice traffic is riding on that network, it suffers the same fate as all the other traffic on the network.
3.) Traditional types of attacks aimed at VoIP/IP telephony systems -- This is yet another threat that hasn't materialized to a great extent in the wild yet, but probably ought to be taken more seriously as a near-term danger than category #1 above. This is, for example, when vulnerabilities to packet flooding and other types of DoS exploits are found within IP telephony gear such as IP-PBXs and related servers. A relatively new security company called VoIPShield has been making news by discovering these types of vulnerabilities in the most popular IP telephony systems, namely those from Avaya, Cisco, and Nortel.
I recently moderated a VoiceCon Webinar (replay here) in which Ted Ritter of Nemertes Research discussed some survey data Nemertes had gathered on the issue of security. Ted reported that:
55% of respondents were concerned about denial-of-service attacks
37% were concerned about eavesdropping
36% were concerned about "vishing" or VoIP phishing, in which a hacker redirects packets from a business that takes credit card information from its customers over the phone, and sends the traffic to a phone he controls, permitting the hacker to steal the credit card information
31% were concerned about toll fraud
That's in today's environment. Ted Ritter, who's a CISSP, explained in the Webinar that the security threat will become more amorphous as enterprises migrate their IP telephony infrastructure to a Unified Communications implementation. As voice enablement moves into traditional "data" applications, the lines will blur and the notion of a security "perimeter" will further dissolve.
Ted noted that many of the most important characteristics of UC -- openness, integration -- work against the technologies and principles of security, such as confidentiality. Specifically:
Encrypting all [UC] traffic ensures confidentiality, but it may negatively affect availability
A fully open [UC] architecture may ensure availability, but it may negatively affect confidentiality and integrity
Multifactor authentication with encryption may ensure integrity, but it may negatively affect availability