Is VOIP the Next Target of Worms, Spam?

SINGAPORE -- While many issues remain unsettled in the area of Voice over Internet Protocol (VOIP) technology, IT security experts believe that it can be the next major target for various attacks.

Although no high-profile cases have yet been recorded, VOIP will eventually become the target for hackers and malicious code writers, said Nigel Stewart, McAfee regional sales manager for Southeast Asia and India. He gave the warning at his presentation in the recent MediaConnect security forum here.

An industry group formed last spring is studying the issue.

Popularity Jumps

VOIP enables users to utilize the Internet as the transmission medium for telephone calls. Voice data is sent in packets rather than by traditional POTS (plain old telephone system) circuits.

One advantage of VOIP is that the telephone calls over the Internet do not incur a surcharge beyond what the user is paying for Internet access, much in the same way that the user doesn't pay for sending individual e-mail messages over the Internet.

"Its growing adoption from both the business and consumer side will make it attractive for exploitation," Stewart added.

McAfee believes that VOIP attacks would most likely take advantage of the various layers of the technology such as the transmission layer or hardware devices used to make VOIP calls.

"For the moment, VOIP security does not appear to be at the forefront of IT managers' minds," said Stewart. "But it is definitely something people should consider and be prepared for."

On the other hand, VOIP is also prone to becoming a target for spammers, added Andy Lake, MessageLabs director of partners.

Threats Heighten

Both experts believe that VOIP is still pretty much a closed structure since almost no company exposes its VOIP system to the Internet. However, by the time companies start publicizing their Session Initiation Protocol (SIP) addresses used in VOIP communications on business cards and Web sites, security will become essential.

"I really don't think people should be deploying VOIP unless they have the necessary security in place," said Lake. "Even if I haven't heard about any of these abuses actually happening, eavesdropping from a competitive advantage standpoint could be a major disadvantage for any user."

Experts recommend the use of such security appliances as firewalls that are specifically designed to filter VOIP traffic for suspicious patterns and drop those connections.

IT managers should not assume that because their data networks are protected, adding voice to their systems will be secure, as well.

"Administrators may mistakenly assume that since digitized voice travels in packets, they can simply plug VOIP components into their already-secured networks and remain secure," said Stewart. "However, the process is not that simple."

"It would be good if in addition to installing specific products that can weed out suspicious VOIP traffic, companies should consider how their VOIP networks play in their overall security efforts," said Matthew Guide, sales director for Asia Pacific at SurfControl, a Web and e-mail filtering provider.

This story, "Is VOIP the Next Target of Worms, Spam?" was originally published by Computerworld.
