VoIP Toolkit

Tackling VoIP security concerns

Tags:
Security,
VoIP

Deb Shinder Tech Republic

Published: 27 Sep 2006 15:10 BST

When considering whether to cut the telco cord and go exclusively with IP-based telephony, transmission quality and reliability top the list of concerns among business owners. But sending your voice calls over today's attack-prone, virus- and worm-infested Internet raises a third issue: security.

Of course, the traditional telephone network (public switched telephone network, or PSTN) is not invulnerable to security breaches. In fact, some of the earliest hackers were "phone phreakers", who specialised in cracking Ma Bell's network, usually for the purpose of making long-distance calls on someone else's dime. Famous former phreakers include Steve Wozniak, co-founder of Apple, and John Draper, also known as Cap'n Crunch because he used a toy whistle from a box of eponymous cereal to produce the tones used to access long-distance lines.

Today, the threat posed by hackers to IP networks goes far beyond the cost of unauthorised long-distance calls. An attack could take down the network (and thus the company's phone service) for hours or days, and the content of calls intercepted, divulging trade secrets, confidential client information and more. That makes security a very important issue, so let's take a look at the status of VoIP today.

What are the threats?
Some of the security issues that affect VoIP are the same ones that affect any IP network, and some are unique to voice communications. Major threats include:

A virus or worm can be introduced to the network and crash the VoIP servers/gateways
A denial of service attack can overwhelm the network and bring it down
A hacker can access the call server to listen in to, record, or disrupt calls
A hacker can give himself/herself or others access to services that are supposed to be restricted
Hackers can access the trunk gateway to the PSTN and make unauthorised toll calls
A hacker who accesses the call server can register "rogue" IP phones, which can then use the company's VoIP services

A different but related problem with VoIP is the possibility of receiving SPIT (Spam over IP Telephony). Another is the phenomenon known as Vishing, or VoIP Phishing.

VoIP security threats are no longer just theoretical. In June, two men in New Jersey were charged with hacking into several companies' networks and stealing their VoIP bandwidth to resell it. At the Black Hat USA 2006 security conference in Las Vegas this summer, security researchers David Endler and Mark Collier demonstrated a tool for overwhelming Session Initiation Protocol (SIP)-based VoIP networks with millions of requests, preventing users from making calls. Another hack can modify the information a VoIP phone provides when it registers with the network, allowing the hacker to redirect calls to a different phone.

What can you do about it?
Do all these potential threats mean that your company shouldn't move to VoIP? Not at all — many organisations are benefiting from the cost savings and convenience of IP telephony…