Lawrence Orans, a research director with Gartner, says some of these threats are overblown and aren't likely to happen in a corporate setting. Frank Dzubeck, president of Communications Network Architects, which analyzes the industry, believes that given the lack of security built into IP, anything can happen. Network World Senior Editor Cara Garretson spoke with both, aiming to separate hype from reality.
How serious are security threats to VoIP systems?
LO: First of all, I'd like to clarify the term voice over IP. Voice over IP is an umbrella term. We see it used for all forms of packetized voice, whether it's Internet telephony, such as Skype, or Internet telephony services provided by cable operators. We also see Voice over IP used interchangeably with IP telephony, which is very much enterprise focused. And there the problems are very real.
[VoIP] is really just another application running over the network, and it's been the most reliable, so any outage or security breach is just a huge problem. The lack of high-profile attacks has lulled people into a false sense of security. However, the actual threats are very real. With IP telephony, we've got a second computer on someone's desk; the IP telephony handset has memory, and it's got an operating system. True, it's a hardened appliance, but still it can be attacked. The PBX server itself, that can also be attacked. And also the protocols themselves, many of the signaling protocols are still relatively new or they're proprietary, so in either case they've not undergone a level of scrutiny for security vulnerabilities as a more mature protocol. So overall I would say the threats are very real and the key thing is to understand the issue well enough so that you can separate the overhyped threats from the real threats.
FD: The issue is IP itself. IP was never designed with security in mind. Voice over IP, correct, it's an application, and as an application inside the enterprise it's going to be a pervasive application. But the issue is . . . it has all the vulnerabilities. If you don't take a look at the security aspects upfront for voice over IP, then you stand a tremendous disaster staring you in the face, because the holes will occur.
I'm in one bit of disagreement with what was said previously [by Orans] and that is . . . the evolution into the Internet space is not a subtlety; it's a significant piece of this puzzle. Integrating the Voice over IP that may be [on a LAN] and the Voice over IP that's going to be Internet-based is going to become a reality . . . and if we don't kill the security aspects now, we never will.
Reports of eavesdropping on VoIP calls make great headlines, but are these things really happening on corporate networks?
LO: Eavesdropping is one example of an overhyped threat. Sure, it's technically possible to execute a man-in-the-middle attack and capture packets, but let's discuss it in the context of IP telephony, which is really a LAN-based system. To capture packets on a LAN, it typically requires physical proximity - that the easiest way to do it is to be right there in the building. The typical scenario is Joe Smith in the mail room is capturing conversations from the CEO. But Joe Smith could do the same thing just as easily with e-mail, and most organizations aren't concerned with e-mail eavesdropping, most are not encrypting e-mail, so why would you encrypt voice?
The reason that we hear so much about eavesdropping is that it really does illicit this visceral reaction. The main thing is to focus on the greater threats, for example attacking an IP PBX server itself.
FD: I agree [eavesdropping] is overhyped, but perception is reality. I believe encryption is the kind of thing that makes everyone feel better, so even though the threat may be overhyped, the fact is encryption is available. We should encrypt our voice inside the LAN, and I'm also a believer of doing that exact same thing with respect to data and video in the long run.
What about spam over Internet telephony, or SPIT? How real is that threat?
LO: This is an example of another overhyped threat. Technically, sure, SPIT is possible, but the key problem here is the business model, not the technology.
We've all received spam, and the transaction model is very different for spam than for SPIT. With spam, you get an e-mail message, and you say, yes, I want to refinance my mortgage, so you click [on the Web link], and all of a sudden you're entering into that transaction. In other words, spam works. With SPIT, it's a totally different story. If I receive the message in my voice mail box, how do I complete the transaction? Do I have to copy down the URL and walk over to my computer? Do I have to call someone back? It's a totally different business model.
The other issue is a legal issue. In the U.S. we have Do Not Call lists. So there's a legal deterrent and a business-model deterrent, and both of these are against the SPIT model. I believe that's why we haven't seen much SPIT to date.
FD: I'm in total agreement on the legal issue ? there are 137 million people registered on the Do Not Call list; it's the most successful program I know of in the federal environment.
But I see a version of this [voice over IP spam] coming in the future. There's one wireless company called O2, and whenever I get into a country where O2 has a presence, even though I'm using [a different carrier] at the moment, I get a text message saying welcome to O2. I didn't request getting connected, but I get a text message welcoming me.
Using a letter grade of A,B,C, etc., how well would you say most organizations are securing their IP telephony environments?
FD: It's not an IP telephony or voice over IP issue; it's an IP issue, one should not get lulled into the suspicion that IP or the layers above it are secure. That said, I'd give a grade of probably B+. Very few are A's, and very few are F's; a lot of them are in the midrange. But they haven't experienced anything, so they're not under attack.
LO: I'm a tougher grader, I would give most organizations a D. Most people don't truly understand the risks that are out there, which stems from the fact that there's a gap between a security professional and a voice professional, and they don't understand each others' worlds that well. So if you add this all up, people are just very complacent and very much at risk.
What do you see happening in the next 3 to 5 years regarding VoIP threats?
FD: You're going to see a serious issue come up, whether it be like Lawrence says at the server level or at massive denial-of-service attack at the desktop level in a large corporate entity within the next 24 months. The reason being that the opportunity is going to present itself, and the hole is going to exist.
LO: I do agree that it's only a matter of time before we see attacks against these systems. We've already seen vulnerabilities against PBXs, against handsets, so it's only a matter of time before we see execution against these vulnerabilities.