Lawrence Orans, a research director with Gartner, says some of these threats are overblown and aren't likely to happen in a corporate setting. Frank Dzubeck, president of Communications Network Architects, which analyzes the industry, believes that given the lack of security built into IP, anything can happen. Network World Senior Editor Cara Garretson spoke with both, aiming to separate hype from reality.

How serious are security threats to VoIP systems?

LO: First of all, I'd like to clarify the term voice over IP. Voice over IP is an umbrella term. We see it used for all forms of packetized voice, whether it's Internet telephony, such as Skype, or Internet telephony services provided by cable operators. We also see Voice over IP used interchangeably with IP telephony, which is very much enterprise focused. And there the problems are very real. [VoIP] is really just another application running over the network, and it's been the most reliable, so any outage or security breach is just a huge problem. The lack of high-profile attacks has lulled people into a false sense of security. However, the actual threats are very real. With IP telephony, we've got a second computer on someone's desk; the IP telephony handset has memory, and it's got an operating system. True, it's a hardened appliance, but still it can be attacked. The PBX server itself, that can also be attacked. And also the protocols themselves, many of the signaling protocols are still relatively new or they're proprietary, so in either case they've not undergone a level of scrutiny for security vulnerabilities as a more mature protocol. So overall I would say the threats are very real and the key thing is to understand the issue well enough so that you can separate the overhyped threats from the real threats.

FD: The issue is IP itself. IP was never designed with security in mind.
Voice over IP, correct, it's an application, and as an application inside the enterprise it's going to be a pervasive application. But the issue is . . . it has all the vulnerabilities. If you don't take a look at the security aspects upfront for voice over IP, then you stand a tremendous disaster staring you in the face, because the holes will occur. I'm in one bit of disagreement with what was said previously [by Orans] and that is . . . the evolution into the Internet space is not a subtlety; it's a significant piece of this puzzle. Integrating the Voice over IP that may be [on a LAN] and the Voice over IP that's going to be Internet-based is going to become a reality . . . and if we don't kill the security aspects now, we never will.

Reports of eavesdropping on VoIP calls make great headlines, but are these things really happening on corporate networks?

LO: Eavesdropping is one example of an overhyped threat. Sure, it's technically possible to execute a man-in-the-middle attack and capture packets, but let's discuss it in the context of IP telephony, which is really a LAN-based system. To capture packets on a LAN, it typically requires physical proximity - that the easiest way to do it is to be right there in the building. The typical scenario is Joe Smith in the mail room is capturing conversations from the CEO. But Joe Smith could do the same thing just as easily with e-mail, and most organizations aren't concerned with e-mail eavesdropping, most are not encrypting e-mail, so why would you encrypt voice? The reason that we hear so much about eavesdropping is that it really does elicit this visceral reaction. The main thing is to focus on the greater threats, for example attacking an IP PBX server itself.

FD: I agree [eavesdropping] is overhyped, but perception is reality. I believe encryption is the kind of thing that makes everyone feel better, so even though the threat may be overhyped, the fact is encryption is available.
We should encrypt our voice inside the LAN, and I'm also a believer of doing that exact same thing with respect to data and video in the long run.

What about spam over Internet telephony, or SPIT? How real is that threat?

LO: This is an example of another overhyped threat. Technically, sure, SPIT is possible, but the key problem here is the business model, not the technology. We've all received spam, and the transaction model is very different for spam than for SPIT. With spam, you get an e-mail message, and you say, yes, I want to refinance my mortgage, so you click [on the Web link], and all of a sudden you're entering into that transaction. In other words, spam works. With SPIT, it's a totally different story. If I receive the message in my voice mail box, how do I complete the transaction? Do I have to copy down the URL and walk over to my computer? Do I have to call someone back? It's a totally different business model. The other issue is a legal issue. In the U.S. we have Do Not Call lists. So there's a legal deterrent and a business-model deterrent, and both of these are against the SPIT model. I believe that's why we haven't seen much SPIT to date.

FD: I'm in total agreement on the legal issue - there are 137 million people registered on the Do Not Call list; it's the most successful program I know of in the federal environment. But I see a version of this [voice over IP spam] coming in the future. There's one wireless company called O2, and whenever I get into a country where O2 has a presence, even though I'm using [a different carrier] at the moment, I get a text message saying welcome to O2. I didn't request getting connected, but I get a text message welcoming me.

Using a letter grade of A, B, C, etc., how well would you say most organizations are securing their IP telephony environments?

FD: It's not an IP telephony or voice over IP issue; it's an IP issue, one should not get lulled into the suspicion that IP or the layers above it are secure.
That said, I'd give a grade of probably B+. Very few are A's, and very few are F's; a lot of them are in the midrange. But they haven't experienced anything, so they're not under attack.

LO: I'm a tougher grader, I would give most organizations a D. Most people don't truly understand the risks that are out there, which stems from the fact that there's a gap between a security professional and a voice professional, and they don't understand each other's worlds that well. So if you add this all up, people are just very complacent and very much at risk.

What do you see happening in the next 3 to 5 years regarding VoIP threats?

FD: You're going to see a serious issue come up, whether it be like Lawrence says at the server level or a massive denial-of-service attack at the desktop level in a large corporate entity within the next 24 months. The reason being that the opportunity is going to present itself, and the hole is going to exist.

LO: I do agree that it's only a matter of time before we see attacks against these systems. We've already seen vulnerabilities against PBXs, against handsets, so it's only a matter of time before we see execution against these vulnerabilities.