Guide to VoIP security

New ways to hack VoIP aren't fatal if you're prepared for them

Lawrence Orans, a research director with Gartner, says some of these threats are overblown and aren't likely to happen in a corporate setting. Frank Dzubeck, president of Communications Network Architects, which analyzes the industry, believes that given the lack of security built into IP, anything can happen. Network World Senior Editor Cara Garretson spoke with both, aiming to separate hype from reality.

How serious are security threats to VoIP systems?

LO: First of all, I'd like to clarify the term voice over IP. Voice over IP is an umbrella term. We see it used for all forms of packetized voice, whether it's Internet telephony, such as Skype, or Internet telephony services provided by cable operators. We also see Voice over IP used interchangeably with IP telephony, which is very much enterprise focused. And there the problems are very real. [VoIP] is really just another application running over the network, and it's been the most reliable, so any outage or security breach is just a huge problem. The lack of high-profile attacks has lulled people into a false sense of security. However, the actual threats are very real. With IP telephony, we've got a second computer on someone's desk; the IP telephony handset has memory, and it's got an operating system. True, it's a hardened appliance, but still it can be attacked. The PBX server itself, that can also be attacked. And also the protocols themselves: many of the signaling protocols are still relatively new or they're proprietary, so in either case they've not undergone the same level of scrutiny for security vulnerabilities as a more mature protocol. So overall I would say the threats are very real, and the key thing is to understand the issue well enough so that you can separate the overhyped threats from the real threats.

FD: The issue is IP itself. IP was never designed with security in mind. Voice over IP, correct, it's an application, and as an application inside the enterprise it's going to be a pervasive application. But the issue is . . . it has all the vulnerabilities. If you don't take a look at the security aspects upfront for voice over IP, then you stand a tremendous disaster staring you in the face, because the holes will occur. I'm in one bit of disagreement with what was said previously [by Orans], and that is . . . the evolution into the Internet space is not a subtlety; it's a significant piece of this puzzle. Integrating the Voice over IP that may be [on a LAN] and the Voice over IP that's going to be Internet-based is going to become a reality . . . and if we don't kill the security aspects now, we never will.

Reports of eavesdropping on VoIP calls make great headlines, but are these things really happening on corporate networks?

LO: Eavesdropping is one example of an overhyped threat. Sure, it's technically possible to execute a man-in-the-middle attack and capture packets, but let's discuss it in the context of IP telephony, which is really a LAN-based system. To capture packets on a LAN typically requires physical proximity - that is, the easiest way to do it is to be right there in the building. The typical scenario is Joe Smith in the mail room is capturing conversations from the CEO. But Joe Smith could do the same thing just as easily with e-mail, and most organizations aren't concerned with e-mail eavesdropping; most are not encrypting e-mail, so why would you encrypt voice? The reason that we hear so much about eavesdropping is that it really does elicit this visceral reaction. The main thing is to focus on the greater threats, for example attacking an IP PBX server itself.

FD: I agree [eavesdropping] is overhyped, but perception is reality. I believe encryption is the kind of thing that makes everyone feel better, so even though the threat may be overhyped, the fact is encryption is available. We should encrypt our voice inside the LAN, and I'm also a believer in doing that exact same thing with respect to data and video in the long run.

What about spam over Internet telephony, or SPIT? How real is that threat?

LO: This is an example of another overhyped threat. Technically, sure, SPIT is possible, but the key problem here is the business model, not the technology. We've all received spam, and the transaction model is very different for spam than for SPIT. With spam, you get an e-mail message, and you say, yes, I want to refinance my mortgage, so you click [on the Web link], and all of a sudden you're entering into that transaction. In other words, spam works. With SPIT, it's a totally different story. If I receive the message in my voice mail box, how do I complete the transaction? Do I have to copy down the URL and walk over to my computer? Do I have to call someone back? It's a totally different business model. The other issue is a legal issue. In the U.S. we have Do Not Call lists. So there's a legal deterrent and a business-model deterrent, and both of these are against the SPIT model. I believe that's why we haven't seen much SPIT to date.

FD: I'm in total agreement on the legal issue - there are 137 million people registered on the Do Not Call list; it's the most successful program I know of in the federal environment. But I see a version of this [voice over IP spam] coming in the future. There's one wireless company called O2, and whenever I get into a country where O2 has a presence, even though I'm using [a different carrier] at the moment, I get a text message saying welcome to O2. I didn't request getting connected, but I get a text message welcoming me.

Using a letter grade of A, B, C, etc., how well would you say most organizations are securing their IP telephony environments?

FD: It's not an IP telephony or voice over IP issue; it's an IP issue. One should not get lulled into the suspicion that IP or the layers above it are secure. That said, I'd give a grade of probably B+. Very few are A's, and very few are F's; a lot of them are in the midrange. But they haven't experienced anything, so they're not under attack.

LO: I'm a tougher grader; I would give most organizations a D. Most people don't truly understand the risks that are out there, which stems from the fact that there's a gap between a security professional and a voice professional, and they don't understand each other's worlds that well. So if you add this all up, people are just very complacent and very much at risk.

What do you see happening in the next 3 to 5 years regarding VoIP threats?

FD: You're going to see a serious issue come up, whether it be, like Lawrence says, at the server level or a massive denial-of-service attack at the desktop level in a large corporate entity, within the next 24 months. The reason being that the opportunity is going to present itself, and the hole is going to exist.

LO: I do agree that it's only a matter of time before we see attacks against these systems. We've already seen vulnerabilities against PBXs, against handsets, so it's only a matter of time before we see execution against these vulnerabilities.

Network World staff

Network World