VoIP: Security Risks and Internet Telephony
The Internet brought with it a wealth of amazing technology and cool new ways to communicate–and it also brought endless ways to spy on people. Most companies of any size, as well as people with home networks, now deploy firewalls, along with anti-virus, anti-spam, URL filtering, intrusion prevention and detection, and much more.
Now the Internet and telephony are starting to cross over into one another’s territory. Some providers send phone calls, at least partially, over huge IP networks, or even through a protected tunnel across the Internet called a Virtual Private Network (VPN). The so-called “triple play” of Internet, telephony, and television coming into homes over the same pipe is also likely to expand VoIP (Voice over Internet Protocol) substantially. What’s particularly challenging to service providers is the fact that the reliability and perceived security of ordinary telephone service has set the bar high for VoIP–and subscribers expect their VoIP connections to be at least equivalent to, if not better than, their POTS line.
The end result will be consolidated billing, better quality of service, and lower costs, as both incumbent providers and startups compete in a fierce battle to gain a greater wallet share and reduce customer churn. But the inevitable move to VoIP also brings up concerns over security. Every day, the news media carries stories about a major security breach, identity theft, or some hacker breaking into a network that was thought to be unbreakable. Will those same hacks be used against VoIP telephone networks? Absolutely. VoIP is based on the same technology as the Internet, and it is just as vulnerable to attack. Besides simple eavesdropping, hackers will be able to use common Internet hacks to steal long distance time and bill it to your account, and they will be able to use those hacks to record when you enter PINs and credit card numbers onto your touchtone pad. They will be able to initiate Denial of Service attacks and other malicious hacks.
A new threat, which is not yet very widespread but definitely possible, is called Spam over Internet Protocol (SPIT), which is a type of caller ID spoofing. In this attack, a hacker hijacks a phone number, so that when they place a call, the recipient’s caller ID shows that the call is from a trusted third party, such as a bank. The attacker can then trick the recipient into revealing personal or financial information.
Despite the fact that these threats are very real, they are, perhaps, a bit overblown. Attacks against VoIP are very rare, and with adherence to best security practices, the risk is at an acceptable level. Gartner Group echoes this sentiment, nothing in a recent report, “threats to IP telephony implementations have been overhyped. Attacks are rare. Enterprises that diligently use security best practices to protect their IP telephony servers should not let these threats derail their plans. For these enterprises, the benefits of IP telephony far outweigh any security risks.”
At the enterprise level, companies moving towards VoIP are likely to take a gradual migration strategy, to give themselves time to address concerns such as security. There’s no doubt the technology has matured, but it’s a lot more complicated than just turning on a switch. Nonetheless, a recent In-Stat survey indicates that half of all decision-makers surveyed plan to deploy emerging telecom services such as VoIP within the next year.
Recommendations:
Providers– The security burden lies mainly with service providers, who must ensure availability, integrity, and confidentiality, while creating an overall security framework to make sure that the entire VoIP infrastructure has been protected. A voice proxy firewall in the service provider network is a cost-efficient method of protecting VoIP services, guaranteeing that voice traffic sent to customer networks is protected. In addition, an access list will limit packets that can penetrate the voice proxy firewall to packets that originate only from specified IP addresses.
Enterprises–Take a gradual migration strategy. Run encrypted VoIP over a VPN for maximum security, and make sure that your server-based PBXes are protected against Denial-of-Service attacks. Review the policies on your firewall, and make sure your providers support SIP and the H.323 voice protocol. Additionally, a proxy server located in front of the corporate firewall, for processing both incoming and outgoing voice data, will protect the internal network from attack.
Individuals–If you use VoIP directly from your telephone, and not through your PC, there’s little you can do directly, but do research your provider to find out what security measures they have taken. If you are using Internet telephony directly through your PC, a good personal firewall will mitigate many of the risks. Be cautious about giving out personal information over the phone. To avoid being a victim of a SPIT attack, before giving out personal or financial information over the phone–even if your caller ID shows the call is from your bank–call the bank back directly to verify that they have indeed placed the call.
In the foreseeable future, service providers can look forward to a robust market for VoIP services if they play their cards right and address key security concerns. Enterprises can save money by deploying VoIP solutions, and consumers will enjoy the convenience, value added services, and lower costs that providers will have to provide in order to gain consumer acceptance.