
Six burning VoIP questions

3. Is VoIP safe?

VoIP safety is a broad question that touches on many aspects of how IP telephony systems operate and on the various parts of the network VoIP touches. But according to one survey, one thing is clear: VoIP technology isn't safe enough for many businesses.


Only half of the IT executives polled recently in a CompTIA study said they think security technology built into corporate VoIP products and services is solid. The survey (of 350 companies with 500 employees or fewer) showed that even wireless technology - often maligned for its security weakness - was held in higher regard than VoIP in terms of security. (Sixty percent of respondents said they trusted security in Wi-Fi gear.)

With VoIP, the security concerns of respondents in the CompTIA survey related not just to potential attacks on VoIP gear and software, but also to the effect a general worm or virus outbreak could have on the quality of IP voice calls. Worms and viruses that flood corporate networks with traffic may delay e-mail delivery and slow application response times, but the latency they introduce can simply kill an IP telephony conversation.

As for VoIP products, vulnerabilities are popping up more in IP telephony gear and software. Cisco, for instance, over the last 18 months issued nine major vulnerability advisories on products ranging from IP phones and IP PBXs to routers that perform VoIP processes and functions. These nine warnings - serious enough for the vendor to issue software patches - compare with the two VoIP-related vulnerabilities Cisco had issued in the 18 months prior (July 2005 to January 2006).

Many vendors' IP call processing and messaging products run on top of Linux, Windows, Sun or other server operating systems. Softphones generally run on Windows desktops, while applications such as VoIP-based call center platforms can touch a wide array of other applications. Taking all this into account, Avaya had 25 product security advisories relating either directly to its VoIP products or to underlying software products on which Avaya's technology runs, according to security research Web site Secunia. The Internet Security Systems X-Force vulnerability database has more than 100 entries over the past five years relating to vulnerability reports in VoIP products, applications and underlying protocols.

Some security researchers say the basic technology of some VoIP protocols is by nature hackable or susceptible to denial-of-service or call-interception attacks.

Sheran Gunasekera, a researcher with Scanit, wrote in a report that VoIP call interception can be simple if targeted against equipment and traffic using non-encrypted, standards-based protocols. Scanit says the tests it conducted used the standard SIP signaling protocol and Real Time Protocol (RTP) for media transmission.

Against SIP-based VoIP conversations "signaling attacks can be used to eavesdrop on conversations and re-route or hijack calls," Gunasekera writes. "It is extremely easy to replay or resend SIP messages" to SIP-based call control gear in order to add participants to a SIP call or reroute the traffic.

Additionally, "media stream attacks are as easy to perform in a typical VoIP implementation," Gunasekera writes. "Any RTP streams intercepted by an attacker can easily be decoded with the relevant audio codec and the actual voice call can be recorded or listened to."

Other new VoIP threats on the horizon include the emergence of maliciously designed VoIP audio codecs. Theoretically, a so-called "evil codec" is a VoIP audio stream designed specifically to crash a VoIP endpoint or server. VoIP industry pioneer Henry Sinnreich, who helped develop early implementations of SIP while at carrier MCI, said at a recent trade show that researchers are already demonstrating such attacks are possible.

"Eavesdropping is one example of an overhyped threat," said Lawrence Orans, a researcher with Gartner, in a previous interview. "Sure, it's technically possible to execute a man-in-the-middle attack and capture packets. The reason that we hear so much about eavesdropping is that it really does elicit this visceral reaction. The main thing is to focus on the greater threats, for example attacking an IP PBX server itself."

"It is possible to have a secure VoIP deployment if you follow best practices," said David Endler, chairman and founder of the VoIP Security Alliance (VoIPSA) and director of security research for TippingPoint, in a previous interview. "All of these systems are securable, but they do take some knowledge to get them to that point." Encrypting VoIP signaling (SIP and H.323) and payload streams (RTP and UDP, typically) is one approach. Ensuring IP PBX servers are patched and configured properly and restricting the types of traffic that can contact IP endpoints are other measures.

Orans agrees that IT security best practices can cover most common threats to a VoIP network. "Enterprises that diligently use security best practices to protect their IP telephony servers should not let [VoIP] threats derail their plans," he writes in a report.
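
The signaling and media encryption measures mentioned above can be checked on the wire. The following is an added example, not part of the original article: it audits a SIP message and its SDP body for plaintext signaling and non-SRTP media. It covers SIP only (not H.323), the sample INVITE is constructed, and the function name `audit_sip_message` is an assumption of this example.

```python
import re

# Constructed sample: a SIP INVITE with an SDP offer (not captured traffic).
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc1.example.com:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@pc1.example.com\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 pc1.example.com\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# SDP transport profiles that carry SRTP rather than plain RTP.
SECURE_MEDIA = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sip_message(raw):
    """Return a list of findings for unencrypted signaling or media."""
    findings = []
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    # Request-URI scheme: "sips:" asks for TLS on every hop.
    parts = lines[0].split()
    if len(parts) == 3 and parts[1].lower().startswith("sip:"):
        findings.append("request-uri uses sip: rather than sips:")
    # The top-most Via header shows the transport this hop actually used.
    for line in lines[1:]:
        m = re.match(r"(?i)(?:via|v)\s*:\s*SIP/2\.0/(\w+)", line)
        if m:
            if m.group(1).upper() not in ("TLS", "WSS"):
                findings.append("signaling transport " + m.group(1).upper() + " is not TLS")
            break
    # SDP m= lines: the proto field says whether media is plain RTP or SRTP.
    for line in body.split("\r\n"):
        m = re.match(r"m=(\w+) \d+(?:/\d+)? (\S+)", line)
        if m and m.group(2).upper() not in SECURE_MEDIA:
            findings.append(m.group(1) + " stream offered as " + m.group(2) + " (no SRTP)")
    return findings
```
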

He also has said in past interviews and reports that much of the talk around VoIP security threats is hype and conjecture, rather than actual security problems facing enterprise IT professionals. (He's even accused VoIPSA and other VoIP security alarmists of "scaremongering" in the past.)

"Threats to IP telephony implementations have been overhyped," he says. "Attacks are rare."
