Security concerns over IP telephony persist among small and mid-sized businesses, according to research commissioned by the Computing Technology Industry Association (CompTIA).
In a survey of 350 SMBs across North America, 50 per cent said they trusted the security offered today by IP telephony vendors – up a mere two per cent over last year. IP telephony continues to lag behind traditional telephony systems (82 per cent) and wireless LANs (60 per cent).
“We would have thought perhaps that the concerns about security would have dropped more significantly,” said CompTIA spokesman Steven Ostrowski. But potential customers need to be shown that a VoIP solution is secure and isn’t going to take down their business, he added.
“What we’ve told our members, the reseller community, is they need to acknowledge the fact there is some concern about security and make sure they address it upfront and not as an afterthought,” he said. “Once it’s deployed you don’t want to find out there are security issues.”
It can also be an opportunity for additional business, he said, if security expertise is part of your portfolio. “Perhaps there’s an opportunity for some sort of managed services arrangement with security at the centre of it.”
In the past, legacy systems were typically unique to the vendor or service provider and it was difficult to attack those systems. But hackers have experience with infiltrating an IP network on the data side. “When VoIP was relatively new and there were few deployments, there wasn’t really any incentive for a criminal or a hacker to go after it,” said Ostrowski. “Now that it’s more broadly deployed, there is an opportunity.”
An IP PBX is simply a server, so it’s susceptible to the same sorts of vulnerabilities as any server or PC running on a Microsoft operating system, said Mark Tauschek, senior research analyst with Info-Tech Research Group.
But when it comes to IP telephony, there are more specific types of attacks or security concerns, including service disruption, the possibility for eavesdropping (by packet-sniffing a call) and protocol-specific attacks that target SIP, which is becoming the de facto standard for signalling in IP telephony.
“There are some things you can do directed at the protocol – not necessarily vulnerabilities in the protocol but vulnerabilities in the implementation of it – that can allow you to perpetrate fraud,” he said.
The way to deal with those types of attacks is not any different than the way you go about securing your network, your server infrastructure and your client infrastructure, he said. “To some extent there’s some FUD involved here – some fear, uncertainty, doubt – [where] people maybe make a bigger deal out of it than they should.” If you implement IP telephony properly, he added, the potential for a security breach is pretty small.
One issue that we don’t see a lot of right now but will in the coming years is SPIT – or spam over IP telephony. Rather than having to actually dial you, spammers can deliver a message to your voice mailbox so you end up getting voice spam such as sales calls or even phishing attempts where the caller tries to get you to provide personal information.
But, despite the FUD, the VoIP market is accelerating. A few years from now, Tauschek expects up to 90 per cent of all telephone ports shipped to be IP telephony.