Lawrence Orans, a research director with Gartner, says some of these threats are overblown and aren't likely to happen in a corporate setting. Frank Dzubeck, president of Communications Network Architects, which analyzes the industry, believes that given the lack of security built into IP, anything can happen. Network World Senior Editor Cara Garretson spoke with both, aiming to separate hype from reality.

How serious are security threats to VoIP systems?

LO: First of all, I'd like to clarify the term voice over IP. Voice over IP is an umbrella term. We see it used for all forms of packetized voice, whether it's Internet telephony, such as Skype, or Internet telephony services provided by cable operators. We also see Voice over IP used interchangeably with IP telephony, which is very much enterprise focused. And there the problems are very real. [VoIP] is really just another application running over the network, and it's been the most reliable, so any outage or security breach is just a huge problem. The lack of high-profile attacks has lulled people into a false sense of security. However, the actual threats are very real. With IP telephony, we've got a second computer on someone's desk; the IP telephony handset has memory, and it's got an operating system. True, it's a hardened appliance, but still it can be attacked. The PBX server itself, that can also be attacked. And also the protocols themselves, many of the signaling protocols are still relatively new or they're proprietary, so in either case they've not undergone a level of scrutiny for security vulnerabilities as a more mature protocol. So overall I would say the threats are very real and the key thing is to understand the issue well enough so that you can separate the overhyped threats from the real threats.

FD: The issue is IP itself. IP was never designed with security in mind. Voice over IP, correct, it's an application, and as an application inside the enterprise it's going to be a pervasive application. But the issue is . . . it has all the vulnerabilities. If you don't take a look at the security aspects upfront for voice over IP, then you stand a tremendous disaster staring you in the face, because the holes will occur. I'm in one bit of disagreement with what was said previously [by Orans] and that is . . . the evolution into the Internet space is not a subtlety; it's a significant piece of this puzzle. Integrating the Voice over IP that may be [on a LAN] and the Voice over IP that's going to be Internet-based is going to become a reality . . . and if we don't kill the security aspects now, we never will.

Reports of eavesdropping on VoIP calls make great headlines, but are these things really happening on corporate networks?

LO: Eavesdropping is one example of an overhyped threat. Sure, it's technically possible to execute a man-in-the-middle attack and capture packets, but let's discuss it in the context of IP telephony, which is really a LAN-based system. To capture packets on a LAN, it typically requires physical proximity - that the easiest way to do it is to be right there in the building. The typical scenario is Joe Smith in the mail room is capturing conversations from the CEO. But Joe Smith could do the same thing just as easily with e-mail, and most organizations aren't concerned with e-mail eavesdropping, most are not encrypting e-mail, so why would you encrypt voice? The reason that we hear so much about eavesdropping is that it really does elicit this visceral reaction. The main thing is to focus on the greater threats, for example attacking an IP PBX server itself.

FD: I agree [eavesdropping] is overhyped, but perception is reality. I believe encryption is the kind of thing that makes everyone feel better, so even though the threat may be overhyped, the fact is encryption is available. We should encrypt our voice inside the LAN, and I'm also a believer of doing that exact same thing with respect to data and video in the long run.

What about spam over Internet telephony, or SPIT? How real is that threat?

LO: This is an example of another overhyped threat. Technically, sure, SPIT is possible, but the key problem here is the business model, not the technology. We've all received spam, and the transaction model is very different for spam than for SPIT. With spam, you get an e-mail message, and you say, yes, I want to refinance my mortgage, so you click [on the Web link], and all of a sudden you're entering into that transaction. In other words, spam works. With SPIT, it's a totally different story. If I receive the message in my voice mail box, how do I complete the transaction? Do I have to copy down the URL and walk over to my computer? Do I have to call someone back? It's a totally different business model. The other issue is a legal issue. In the U.S. we have Do Not Call lists. So there's a legal deterrent and a business-model deterrent, and both of these are against the SPIT model. I believe that's why we haven't seen much SPIT to date.

FD: I'm in total agreement on the legal issue - there are 137 million people registered on the Do Not Call list; it's the most successful program I know of in the federal environment. But I see a version of this [voice over IP spam] coming in the future. There's one wireless company called O2, and whenever I get into a country where O2 has a presence, even though I'm using [a different carrier] at the moment, I get a text message saying welcome to O2. I didn't request getting connected, but I get a text message welcoming me.

Using a letter grade of A, B, C, etc., how well would you say most organizations are securing their IP telephony environments?

FD: It's not an IP telephony or voice over IP issue; it's an IP issue, one should not get lulled into the suspicion that IP or the layers above it are secure. That said, I'd give a grade of probably B+. Very few are A's, and very few are F's; a lot of them are in the midrange. But they haven't experienced anything, so they're not under attack.

LO: I'm a tougher grader, I would give most organizations a D. Most people don't truly understand the risks that are out there, which stems from the fact that there's a gap between a security professional and a voice professional, and they don't understand each other's worlds that well. So if you add this all up, people are just very complacent and very much at risk.

What do you see happening in the next 3 to 5 years regarding VoIP threats?

FD: You're going to see a serious issue come up, whether it be like Lawrence says at the server level or a massive denial-of-service attack at the desktop level in a large corporate entity within the next 24 months. The reason being that the opportunity is going to present itself, and the hole is going to exist.

LO: I do agree that it's only a matter of time before we see attacks against these systems. We've already seen vulnerabilities against PBXs, against handsets, so it's only a matter of time before we see execution against these vulnerabilities.