VoIP Growth Brings Focus on Security Holes

Use of the Internet for telephone calls brings to the fore how security concerns could now spread to your once-secure communications system.

As voice over IP (VoIP) usage grows, what of its security?

Previously the denizen of call centers and customer-support representatives, VoIP is edging into the mainstream with promises of lower-cost telephone bills for businesses and consumers. AT&T, for example, rolled out an unlimited-domestic-calling VoIP service available to any of its broadband subscribers for an extra $40 per month, and aims for one million customers by the end of 2005. Verizon introduced a nearly identical service for the same price. Relative newcomer Vonage is selling its technology and plan through Circuit City.

Many organizations, including government agencies, are running VoIP pilot projects. Research firm IDC says the cost savings is driving a 71-percent growth rate this year. For businesses, phone equipment vendors make it easy to switch private branch exchange (PBX) hardware to VoIP servers, while retaining the same handsets, and last year, VoIP server sales beat PBX for the first time. Experts say by 2007, VoIP could be a $16 billion market and comprise 75 percent of global voice communications.

While issues that plagued earlier generations of VoIP technology—such as reliability and interoperability—are being solved, challenges remain.

The first is an existential question; what exactly is VoIP? While the Federal Communications Commission (FCC) so far has taken a hands-off approach to regulating VoIP as if it was a traditional phone service, which would include making VoIP providers pay into the universal service fund or support 911 emergency services, that could change, with VoIP service prices rising as a result. In addition, law enforcement agencies argue current wiretap laws—which allow them to get immediate wiretaps, with a court order—should be applied to VoIP equipment as well. In other words, they want backdoors. With Congress set to adjourn soon and a presidential election in the wings, many experts predict the status quo will reign for at least another year.

Another VoIP challenge is network reliability. When it comes to VoIP, “we sometimes refer to it as a data network on steroids, because you have much more difficult timing, and a much more difficult task, to move packets from point A to point B, and not have reliability or quality problems,” says Pierce Reid, vice president of marketing at Qovia, a VoIP monitoring and management vendor. For example, while phone network uptime is regarded as five-nines reliability—it’s up 99.999 percent of the time—networks tend to get about 99 percent. “If you lose one of those lines, you lose eight hours of phone systems a year; two is 80 hours per year. If you’re a hospital, or financial firm, or sheriff’s department, pick which hours you’d like to lose.”

Security is also a VoIP challenge. Since VoIP products transmit information via packets, they’re vulnerable to some well-known types of attacks. TippingPoint Technologies, which makes VoIP intrusion prevention hardware, notes in its report, “The Future of VoIP Security,” that “many of the VoIP devices in their default configuration may have a variety of exposed TCP and UDP ports. The default services running on the open ports may be vulnerable to [denial-of-service], buffer overflows, or weak passwords, which may result in compromising the VoIP devices.” Also, “multiple installations of the Cisco Call Manager that runs [a Microsoft] IIS server were reportedly compromised by the Nimda and the Code Red worms.”

Spam may also challenge future VoIP phone installations. “VoIP Spam must be stopped before it even starts,” notes Winn Schwartau, an analyst with Interpact. “If it even becomes half the nuisance e-mail spam has become, there will be a tremendous need for tools that protect users.”

Qovia recently received a patent for blocking VoIP spam. “The ‘do not call list’ doesn’t cover Internet telephones, and Can-Spam covers e-mail applications, not voice,” notes Reid.

VoIP spam could derive operating efficiencies similar to those of e-mail spam. “With VoIP, because you’re using Internet protocols, you can do a one-to-many broadcast, much as you can with e-mail, because you know the endpoints. And you can send a large number of VoIP calls to a number of endpoints simultaneously, dramatically lowering your costs of telemarketing,” says Reid. Note a VoIP denial-of-service attack might look similar.

Of course, blocking VoIP spam isn’t the same as blocking e-mail spam. For example, while e-mails can be held until they’ve been scanned, calls need to go through. Thankfully, “VoIP spam is not here today. I’d say it won’t be here for at least another few years,” says Reid. What might drive it: a critical mass of users.

How might technology block VoIP spam? “We could look at the length … If we had hundreds of messages coming in at the same time that [were] exactly 22 seconds [long] … or if the location it’s originating from is a massive block of calls coming in from one place,” says Reid, it could be a tip off. On the other hand, security hardware has to be able to distinguish between a block of spam messages and an emergency services broadcast using VoIP, both of which might look very similar.

In the short term, however, there’s another problem to tackle: “securing phones against the rogue criminal hacker who … decides to go after a phone.”

Cue security managers: With the adoption of VoIP comes the need for security experts to get involved in telephony. “Your voice system has really been your key lifeline, and that’s never really been vulnerable before. So making sure your chief security officer and others are involved in the purchase, installation, and securing of a VoIP system right from the get-go is important,” says Reid.

Related Article

Dangerous Voice Over IP Vulnerabilities Common

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.