In Depth

VoIP Security: When Voice Becomes Data

With voice over IP picking up speed, CSOs face the challenge of navigating an entirely new security threat landscape for the phone system

By Scott Berinato

Page 6

As a corollary to the problem of unlimited applications, combining voice and data on a single network creates a new opportunity for blended threats. That is, attackers can infiltrate voice through applications that previously weren't connected to voice, and the other way around: they can use voice to get to the applications. A simple example is using a corporate presentation being shared over a VoIP system as an attack vector.

If all of this seems like doomsaying, consider that most of the above threats have already emerged in the real world, despite the fact that VoIP and voice over Internet are technological infants. One vendor documented four cases of VoIP phishing in which caller ID identifies the call as from your bank and the recorded message asks you to punch in account information, which is logged. (That vendor also sells anti-phishing software, so take its "research" with a grain of salt.) Vonage, a VoIP vendor, provided a notorious early proof of concept of VoIP spam when it planted in its customers' voice mails a prerecorded advertisement for its upcoming IPO.

But the most notorious case of VoIP's fallibility yet to come to light involved spoofing. A Florida man named Edwin Pena allegedly paid a hacker in Washington state $20,000 to exploit router vulnerabilities so he could spoof VoIP providers. Federal prosecutors allege Pena stole minutes of service — 10 million in total — and resold them at cut rates for pure profit, which turned out to be hundreds of thousands of dollars.

The type of attack used in the scheme was a "brute force" scan for router vulnerabilities, a simple old hack in the data world that's not capable of affecting the PSTN. Is that because the PSTN is technically more secure? Not necessarily. "PSTN switches are all based on the same system as IP routers and switches," Graydon says. "All that's happened is we ourselves have more access to the routers and switches in the IP world."

You'd be forgiven for thinking, "Here we go again." The tech industry, notorious for rushing to market with "revolutionary" products only to have their lack of security and stability embarrassingly exploited, looks like it has just another case of putting the revenue cart before the security horse. (And then selling more products to secure the original product, at an additional cost: Already vendors are marketing anti-SPIT software, VoIP firewalls, and VoIP monitoring and management software. These costs will eat into any savings the VoIP offers over traditional phone service and add a layer of
