VoIP: The new threat

VoIP cuts costs and streamlines communication for enterprises, but are the benefits worth the security risks? Dan Kaplan and Negar Salek investigate

VoIP is a relatively new technology that transmits voice packets across data networks, and consequently inherits the flexibility and cost efficiencies that IP networks provide. The technology is set to make traditional telephone use redundant, and Australian companies are already jumping on the bandwagon.

In 2005, analyst group IDC Australia estimated one out of seven companies in Australia had already installed some kind of enterprise VoIP connection, with service and equipment forecasts showing figures reaching over $850 million by 2009. This shouldn't come as a surprise, according to Peter Warner, Commercial Director of Australian-based VoIP provider, Freshtel, who says companies are willing to overlook the initial outlay, due to the inherent benefits of VoIP.

Peter Warner, Commercial Director of Australian-based VoIP provider, Freshtel

"Driving forces swing more towards features rather than current cost saving benefits. Companies will pay a premium price due to the added features that would never be available through traditional telephony," says Warner.

But VoIP is not without its problems, and its now under the spotlight by vendors, analysts and the media due to the potential security risk it poses to VoIP-enabled companies.

"In many organisations, the IP network which in the past was used only to link desktop computers to file servers, printers and the Internet is also being used to haul the voice traffic from desktop IP telephones.

"As VoIP is essentially an IP data service, many of the risks are the same as those found on traditional IP networks and servers. A traditional PBX is unlikely to get a virus or get hacked," says Warner.

In essence, attack methods commonly found on existing data networks can have their malicious counterpart on a VoIP network. An attacker could, for example, access the built-in Web server on a VoIP handset and redirect its ingoing or outgoing calls - and bill it straight back to the company.

Furthermore, because it inherits the same security IP characteristics that affect its data counterparts, VoIP is subject to service disruptions that could grind business to a halt.

"With VoIP, the servers which replace the traditional PBX are running standard operating systems such as Linux, Solaris or Windows, and they face the same risks as any other server," says Warner.

"It's one thing to lose your email," points out John Wheeler, director of global deployment and integration for managed services at the US company ISS. "It's an entirely different matter to lose your entire in-and-out bound communication with your clients."

Additionally, intercepting voice packet transmissions between callers, which permits eavesdropping, could soon hit the VoIP community. Phil Zimmermann, who created groundbreaking email encryption software known as Pretty Good Privacy (PGP) in 1991, is a strong advocate of VoIP encryption-so much so that he recently launched Zfone, which provides secure telephony for the internet. His new software contains a cryptographic key exchange between the two parties talking that does not rely on servers. The keys are created at the start of the call and destroyed at the end.

Phil Zimmermann, creator of PGP

Zimmermann admits that the wiretap threat model for VoIP is more expansive than for the public switched telephone network (PSTN). For example, an office PC might be infected with spyware, allowing it to capture voice packets, store them as a WAV file, organise them and let hackers "pick and choose who they want to listen to."

"The manifest destiny of VoIP is to replace the PSTN," he claims. "Anyone could wiretap your company. Criminals around the world will attack it with the same vicious zeal we now see being used to attack the rest of the internet."
Because it is still in its formative years, VoIP has yet to offer a worthwhile attack vector for profit-driven hackers. However, as more people deploy the service, it will become increasingly susceptible to the scams that are already targeting data networks.

'Spit', or Spam over Internet Telephony, is likely to become the new avenue for sending vast numbers of unsolicited voice messages, a natural progression of email spam and bulk faxing.

VoIP phishing, where unknowing recipients are contacted via telephone, may also gain in popularity. Some scammers are already using VoIP lines to pose as a financial institution, in conjunction with spam emails requesting that recipients call a number to verify account information.

Viruses and worms designed to attack internet telephony have yet to make their mark, but are probably not too far off. VoIP malware may begin to propagate as soft phones, equipped with multimedia functions such as video, become more prevalent, Chris Liebert, a senior analyst at the US firm says.

Yet experts warn that simply exploiting vulnerabilities within the operating system could be all it takes to unleash a damaging payload. Warner explains company's need to have the appropriate software systems in order to protect themselves from vulnerabilities.

"Organisations must work to protect these servers by having good security and anti virus software installed, ensuring the server is appropriately fire walled and that sensible local security permissions are in place."