In Depth

VoIP Security: When Voice Becomes Data

With voice over IP picking up speed, CSOs face the challenge of navigating an entirely new security threat landscape for the phone system

By Scott Berinato


⬢ Eavesdropping and wiretapping. Used to log voice and keyed-in data, such as account numbers.

⬢ Spoofing. Used in VoIP phishing, where a call will be ID'd as from your bank but is really being collected by baddies (doubly bad since it's a hack that preys on our inherent trust of the phone network; where most people have learned to distrust e-mail, the same is not true for the phone).

⬢ Viruses and bots. Used to either destroy data or the device or to co-opt the phone into some other activity such as toll fraud (charging toll calls to other numbers), which Graydon says is "a lot easier on VoIP than the PSTN." It will be easier to place these viruses and bots into telephony because of the mix of devices interacting with the VoIP networks such as phones, cell phones, BlackBerrys, computers and whatever other potentially vulnerable or infected application data happens to be on the network.

The second form of risk is that with VoIP, there are simply more threats to exploit than there are on the phone. The openness — of protocols like IP and of infrastructure like the Internet's — that makes VoIP application-rich also makes it unimaginably hard to control, since it's open to everyone, including those who want to exploit it. As anyone who uses e-mail will tell you, along with the good — instant, cheap communications — you have to accept the bad — spam and malware. Bringing more applications to voice may increase its power and usefulness but it also opens up more threats, and that has to be balanced against the potential gains in productivity or efficiency.

New threats include:

⬢ SPIT, or spam over Internet telephony. An offshore alternative to telemarketing that could sidestep the national Do Not Call Registry. Graydon notes that a computer overseas could deliver 20,000 phone calls with a recorded sales pitch in five seconds.

⬢ Logging. Privacy concerns abound for a technology that's far easier to capture, log and mine (maliciously or as a marketing tool) than analog voice.

⬢ Unsanctioned use. Internet voice services, such as Skype, can be downloaded and used by individuals as easily as an instant messenger, introducing all the threats of Internet voice without any of the controls.

⬢ More computers. Advanced voice applications require advanced phones, and VoIP phones are essentially small computers. "IP phones are trickier than PBX digital phones," says Bob Litterer, information security manager at Genzyme, noting that IP phones constitute an additional burden to the telecom administrators who must adequately provision and configure network resources and maintain IP phone firmware and software. "They require specific VLAN [virtual LAN] tagging in DHCP scopes, require tricky firmware upgrades, and they can crash at inconvenient times." In other words, they're as reliable (and risky) as PCs, not phones.
