Voice over Internet Protocol (VoIP) can save money, make communications more efficient and extend features of the office phone system to remote workers. It can also create new security headaches.
Winn Schwartau, president of security consulting firm Interpact in Seminole, Fla., says few companies implementing VoIP pay enough attention to security and involve data communications people. Any VoIP installation should involve data security experts from early design and evaluation onward, he says. “It’s your own damn fault if it collapses.”
All data security issues apply equally to VoIP, says David Endler, chair of the VoIP Security Alliance, an association of VoIP vendors and others. VoIP also introduces new twists: it opens new avenues for security breaches, increases the possible impact of existing ones and complicates the implementation of network security.
Experts say VoIP security issues are manageable, and so far there are more warnings than actual incidents. Nonetheless, VoIP illustrates how new technologies sometimes introduce vulnerabilities.
Phishing over VoIP
Unwanted phone calls are nothing new, but VoIP opens up the possibility – through improper access to servers used to route VoIP calls – of delivering junk messages to multiple mailboxes at once. This spam over Internet telephony (SPIT) might be telemarketing messages that are merely a nuisance, or what Endler calls voice phishing. Just as phishing e-mails request personal data for bogus account verification and the like, a voice phishing message might ask someone to call a toll-free number masquerading as, say, a bank call centre, where they would be asked for personal information that could be used to defraud them.
Another threat is registration hijacking. An intruder might divert calls to somewhere else – maybe even to a competitor. Proper authentication should prevent this, Endler says.
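As an added illustration of the "proper authentication" Endler refers to, not code from the article or from any product it mentions: a minimal SIP registrar check in Python that accepts a REGISTER only when it carries a valid digest response (the HTTP Digest scheme SIP borrows, qop=auth form) over a nonce the registrar itself issued, and that additionally refuses to let one user's credentials register another user's address of record. The credential store, the nonce set, the message builder and all names are constructed for this example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed credential store for this example: username -> (realm, password).
# A production registrar would store HA1 digests rather than plaintext passwords.
USERS = {"alice": ("example.com", "correct horse battery staple")}


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """HTTP Digest (RFC 2617) as SIP uses it (RFC 3261), qop=auth variant."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def parse_sip(raw):
    """Split a SIP request into (method, request-URI, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def parse_auth_params(header):
    """Pull key="value" and key=value pairs out of a Digest Authorization header."""
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header):
        key, quoted, bare = m.groups()
        params[key] = quoted if quoted is not None else bare
    return params


def make_challenge(realm, issued_nonces):
    """Build the 401 WWW-Authenticate value; the registrar remembers every nonce it issues."""
    nonce = secrets.token_hex(16)
    issued_nonces.add(nonce)
    return f'Digest realm="{realm}", nonce="{nonce}", qop="auth", algorithm=MD5'


def verify_register(raw, issued_nonces):
    """Decide whether a REGISTER may update the location table; returns (status, reason).

    Only a request with a valid digest over a nonce this registrar issued, whose To:
    user is the authenticated user, is accepted, so a forged REGISTER cannot redirect
    someone else's calls.
    """
    method, uri, headers, _ = parse_sip(raw)
    if method != "REGISTER":
        return 405, "Method Not Allowed"
    auth = headers.get("authorization", "")
    if not auth.startswith("Digest "):
        return 401, "Unauthorized"          # answer with make_challenge(...)
    p = parse_auth_params(auth)
    user = p.get("username")
    if user not in USERS:
        return 403, "Forbidden"
    realm, password = USERS[user]
    if p.get("realm") != realm or p.get("qop") != "auth" or p.get("uri") != uri:
        return 400, "Bad Request"           # signed parameters must match the request
    if p.get("nonce") not in issued_nonces:
        return 401, "Unauthorized"          # unknown or reused nonce: replay or forgery
    expected = digest_response(user, realm, password, method, uri,
                               p["nonce"], p.get("nc", ""), p.get("cnonce", ""))
    if not hmac.compare_digest(expected, p.get("response", "")):
        return 403, "Forbidden"
    # Binding check: alice's credentials may only register alice's address of record.
    m = re.search(r"sip:([^@>;]+)@", headers.get("to", ""))
    if not m or m.group(1) != user:
        return 403, "Forbidden"
    issued_nonces.discard(p["nonce"])       # nonces are single-use
    return 200, "OK"


def build_register(user, password, realm, nonce, to_user=None, cnonce="0a4f113b", nc="00000001"):
    """Constructed client side: a REGISTER signed with the given credentials."""
    uri = f"sip:{realm}"
    to_user = to_user or user
    response = digest_response(user, realm, password, "REGISTER", uri, nonce, nc, cnonce)
    return (f"REGISTER {uri} SIP/2.0\r\n"
            f"To: <sip:{to_user}@{realm}>\r\n"
            f"From: <sip:{user}@{realm}>;tag=1\r\n"
            f"Contact: <sip:{user}@192.0.2.10:5060>\r\n"
            f'Authorization: Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}", qop=auth, nc={nc}, cnonce="{cnonce}"\r\n'
            "Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    nonces = set()
    print(make_challenge("example.com", nonces))
    print(verify_register(build_register("alice", USERS["alice"][1], "example.com",
                                         next(iter(nonces))), nonces))
```

The two checks that matter for hijacking are the nonce bookkeeping (a captured REGISTER cannot simply be replayed to move the binding) and the To: binding (valid credentials for one account cannot rewrite another account's contact).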
Voice calls could also be subject to eavesdropping, especially over unsecured external networks, such as hotel and coffee shop hotspots. Tom Slodichak, chief security officer at WhiteHat Inc. in Burlington, Ont., recommends both voice and data traffic from mobile machines go through a virtual private network (VPN).
Voice traffic feels the effects of distributed denial of service attacks more severely. Denial of service on a data network may mean “your Web browsing experience is a little slower than normal,” Endler says. But for voice, “it may mean calls coming in are unintelligible or they’re not coming in at all.”
VoIP “doesn’t always play nice” with security devices such as network firewalls, says Ross Armstrong, senior research analyst at Info-Tech Research Group Inc., in London, Ont. Older firewalls in particular may not distinguish voice from data traffic. If voice packets aren’t prioritized, it can impair voice quality.
When using Session Initiation Protocol (SIP), there is another problem, says Andrew Graydon, chief technology officer at BorderWare Technologies Inc., in Mississauga, Ont. SIP assigns IP ports dynamically, so the range of ports it may use must be open. “All I’ve done is created a 10,000-port hole in my firewall,” Graydon says. It takes a SIP-aware firewall – one that reads the ports and IP addresses from the application layer and opens the ports dynamically – to solve this.
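An added example, not from the article or from BorderWare, of what "reading the ports and IP addresses from the application layer" means in practice: the firewall parses the SDP body carried in the INVITE and opens only the RTP and RTCP ports that each accepted media stream announces, instead of a static 10,000-port range. The INVITE below is constructed with RFC 5737 documentation addresses; the policy of refusing to open holes toward any host other than the signalling peer is an assumption of this example, as is the `derive_pinholes` helper name.

```python
import ipaddress

# Constructed SDP offer for the example: one audio stream on the session address,
# a declined video stream (port 0), and a second audio stream on another host
# that announces a non-default RTCP port via a=rtcp (RFC 3605).
SAMPLE_SDP = "\r\n".join([
    "v=0",
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "a=rtpmap:0 PCMU/8000",
    "m=video 0 RTP/AVP 31",
    "m=audio 51372 RTP/AVP 0",
    "c=IN IP4 192.0.2.11",
    "a=rtcp:53020",
]) + "\r\n"

SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n\r\n"
) + SAMPLE_SDP


def parse_sdp_media(body):
    """Return one dict per m= line with the address and RTP/RTCP ports it announces."""
    session_addr = None
    streams = []
    for line in body.splitlines():
        line = line.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "c":
            addr = value.split()[2].split("/")[0]   # "IN IP4 <addr>[/ttl]"
            if streams:
                streams[-1]["addr"] = addr          # media-level c= overrides session-level
            else:
                session_addr = addr
        elif key == "m":
            media, port, proto, *_fmts = value.split()
            port = int(port.split("/")[0])          # "port[/count]"
            streams.append({"media": media, "port": port, "proto": proto,
                            "addr": session_addr, "rtcp": port + 1})
        elif key == "a" and value.startswith("rtcp:") and streams:
            streams[-1]["rtcp"] = int(value[5:].split()[0])
    return streams


def derive_pinholes(raw_invite, signalling_peer, allow_third_party=False):
    """Compute the (address, UDP port) pinholes a SIP-aware firewall opens for this call.

    Run the same function on the answer's SDP to open the return direction.
    """
    body = raw_invite.partition("\r\n\r\n")[2]
    holes = set()
    for s in parse_sdp_media(body):
        if s["port"] == 0 or s["addr"] is None:
            continue                                # declined stream: nothing to open
        if "RTP/" not in s["proto"]:
            continue                                # only RTP transports get the RTP/RTCP pair
        addr = str(ipaddress.ip_address(s["addr"]))  # rejects garbage addresses
        if addr != signalling_peer and not allow_third_party:
            continue                                # do not open holes toward hosts that never signalled
        holes.add((addr, s["port"]))
        holes.add((addr, s["rtcp"]))
    return holes


def permits(holes, dst_addr, dst_port):
    """Firewall decision for one inbound UDP datagram toward the protected side."""
    return (dst_addr, dst_port) in holes


if __name__ == "__main__":
    for hole in sorted(derive_pinholes(SAMPLE_INVITE, "192.0.2.10", allow_third_party=True)):
        print("open udp %s:%d" % hole)
```

With the sample offer the SIP-aware path opens two ports toward the signalling peer (four if third-party media addresses are allowed), against the 10,000 a static range rule leaves open; the declined video stream gets nothing, and the a=rtcp attribute is honoured where RTCP is not on port+1. Pinholes should be closed again when the BYE for the same Call-ID is seen.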
None of these issues are a reason not to implement VoIP, but they illustrate that those responsible for security must look at any new technology with healthy suspicion.
Take public wireless hotspots. Consulting firm Deloitte & Touche warned recently of an emerging phenomenon called Wi-Phishing. It’s a Wi-Fi access point that masquerades as a public hotspot, and when an unsuspecting road warrior connects, it displays a login screen like those many hotspots use to collect billing information. The visitor enters credit card information, which is used to defraud the victim. Or, says Steve Rampado, senior manager of security services at Deloitte, the victim connects to his or her corporate network and the scammer captures confidential information.
It’s not always easy to guard against this, Rampado admits. Users should look for professional-looking logins that have encryption, and use a firewall.