In Depth

VoIP Security: When Voice Becomes Data

With voice over IP picking up speed, CSOs face the challenge of navigating an entirely new security threat landscape for the phone system

By Scott Berinato


The deeply philosophical choice to switch voice platforms (though it probably won't be thought of in such lofty terms as the choice is made) replaces a system that was limited to a few manageable concerns, which generally required dedicated, knowledgeable attackers to exploit, with one that has innumerable unmanageable risks capable of being exploited by tyros. Threats that were easily mitigated on the PSTN suddenly reach new levels of uncertainty: service outages, quality of calls (which could drop to something closer to cell phones than landlines), a lack of 911 availability and, worst of all, exploitation of the phone for theft, fraud and other malfeasance. To be sure, these risks existed before. But VoIP makes them harder to control. VoIP opens up voice communications to these risks in two ways. First, VoIP is easier to hack than POTS.

"Once telephony goes over IP, it's no longer eavesdropping on voice, it's eavesdropping on data, and that's so much easier," says Bruce Schneier, founder and CTO of Counterpane Internet Security. "It's like the difference between intercepting a handwritten note versus an SMS message. It's the difference between a letter and an e-mail."

If you wanted to eavesdrop on an analog phone call, Graydon of the VoIP Security Alliance likes to note, you could. But you'd have to go to your local box store, pick up a box phone, two crocodile clips, a reflective vest and a helmet. Then learn some simple but arcane ways to tap the line. When you scurry up the pole, try not to look too conspicuous. Fake credentials like logos on the helmet help. If you want to eavesdrop on a VoIP call, though, you won't need to climb a pole. You'll still need some arcane knowledge to locate the data stream, but once you have that, all you need is a packet sniffer and software that converts the data into a WAV audio file (tools like Cain & Abel, a software program that can locate and record VoIP streams, are freely available on the Internet). Think of virtually any threat to data, whether it's malicious, accidental or a nuisance, and it will threaten VoIP in a way that it couldn't have easily threatened POTS. For example:

⬢ Good old-fashioned power failures.

⬢ Denial-of-service attacks and nonmalicious network congestion that affect phone availability. These are especially problematic if firewalls can't recognize voice traffic as distinct and requiring a higher quality of service, which immediately and severely disrupts voice availability.
