Security threats Toolkit

VoIP security fears spook IT pros

Tags:
VoIP Security

Tom Espiner ZDNet.co.uk

Published: 03 May 2006 13:30 BST

Internet telephony is still not mature enough a platform to support business communications, according to senior security professionals.

In a debate at the Infosecurity conference in London last Wednesday, an audience of security and IT pros voted that Voice over Internet Protocol (VoIP) wasn't able to support mission critical communications at the moment.

Banking security professionals argued that the expense of implementing current VoIP solutions coupled with the risk of security holes and network downtime did not make IP telephony an attractive business proposition.

"Think how many times a network goes down every day -- with VoIP no one can hear you scream," said John Meakin, group head of information security at Standard Chartered Bank.

"VoIP is in danger of being a superficially compelling technology layered on top of technologies that take an enormous amount of effort and spend to make secure."

It's possible to use virtual networks to separate VoIP traffic from other data packets on a local area network. VoIP traffic can also be encrypted, in an attempt to thwart malicious hackers. But Meakin argued that both measures posed challenges to network managers.

Andrew Yeomans, vice-president of global IT security at investment bank Dresdner Kleinwort Wasserstein (DrKW), emphasised that security holes exist in VoIP, and drew attention to published lists of VoIP vulnerabilities.

"The security problems in VoIP are quite significant. Look at the vulnerability lists -- you'll find shed-loads of basic flaws," said Yeomans.

"With PSTN [a public switched telephone network], if someone breaks in the damage is confined to one local area. IP has a global reach. A hacker can drop a trojan into your system and listen to your voice communications from all over the world."

However, security experts from CapGemini said there were hard cost savings to be achieved through Internet telephony, and VoIP systems could be secured.

"Pret-a-Manger in the UK saves £10,000 per month using VoIP. This stuff really works," said Andy Thompson, head of infrastructure security services for CapGemini.

Russell Kirk, chief technology officer for Grey Convergence, an IP telephony security company, added that "PSTN is not some holy grail that can't be touched. VoIP is just another system we can secure".

And speaking this week, security vendors advised businesses implementing VoIP to build in security from the beginning.

"Ninety-nine percent of the [VoIP] focus is on getting services up and running. Getting security in place is the second or third level on the radar," warned Greg Day, security analyst for McAfee.

"The reality is businesses have seen proof-of-concept attacks, but no mainstream attacks. VoIP security is not high on the radar because it's not a big problem today."

Some parts of the Internet telephony system are mature enough to support communications securely, said Day, while others are not.

"Existing security measures could be applied to the servers that manage VoIP, the soft switches behind the routing on the phones. But for dedicated handsets, security is still in its infancy," said Day.

Day said the high short-term cost of migrating from traditional telco environments to VoIP is deterring large banking organisations from moving to VoIP, despite the potential long-term savings.

Security experts at Sophos said VoIP security can be built into systems from the ground up.

Graham Cluley, senior technology consultant at Sophos, said: "Ultimately it has to be a question for the system administrator at each individual company as to whether the advantages of VoIP outweigh the potential security issues.

"If properly protected and sensibly configured, there is no reason why a mature VoIP solution shouldn't be a useful addition to many companies' infrastructure."