Home » Data Protection » Wireless/Mobile

VoIP Security: When Voice Becomes Data

With voice over IP picking up speed, CSOs face the challenge of navigating an entirely new security threat landscape for the phone system

extensible, capable of supporting limitless new applications, often traversing an insecure and unstable public network and connected to complex and vulnerable multitasking end points called computers. An enterprise.

Unlike Dagen H, though, VoIP is switching over organically, driven by market forces, not a bureaucracy. There is no four-year plan and no education program preceding its rollout. No choreographed crossover on some target date. VoIP is just kind of happening.

This would seem to create security concerns and, yes, VoIP is following IT tradition by being rushed to market before its security implications have been thought through. But this story isn't another lecture to CSOs and CISOs on the need to secure VoIP. Regardless of how well the protocol is secured, security executives have a far more substantial challenge: mapping the new threat landscape of voice communications when their organizations decide to shift from closed to open, from dedicated to shared, from utility to enterprise.

With VoIP, phone conversations move around the world in the same waysometimes on the same fiber-optic cable — that e-mail, spam, World Cup video highlights, IM conversations and malicious software attacks all move around the world, as little packets of 0s and 1s.

It is a cultural and infrastructural shift as epic as Dagen H. Soon, in a very real way, voice will no longer be voice. It will be data.

"We have this inherent belief of a certain quality of service and security with phones, of what the system can do for us," says Andrew Graydon, the chair of the VoIP Security Alliance. "Most of that is pure speculation; we don't know for real, but it doesn't matter. It's what people believe."

Just what people believe, without ever really thinking about it, is quite specific and detailed. People believe that their phone will work, perhaps even in a blackout; that the number they dial will connect to the phone assigned to that number, and the number that caller ID identifies is where that call comes from; that the call is not being surreptitiously recorded; that people taking advantage of the system, like telemarketers, can be controlled; and that breaking into this system is difficult enough to make it an undesirable criminal vector, which in turn pushes vulnerability elsewhere (to, say, computer communications).

People believe all this because of voice communications' heritage as a utility. That heritage is due in part to regulation of the technology, but also because of the limitations of the analog technology itself. It was analog, copper wires carrying electrical pulses into microphones and out of speakers. It made sense to make it a dedicated, closed network because that's all it could handle, really.