A little less conversation, a little more security please

VoIP is inevitable. Should we be concerned?
Nick Frost, senior research consultant for the Information Security Forum (ISF)


If the latest research is correct, VoIP will be a $27 billion global market by 2010 and there will be 250 million customers using the technology.

But even as telcos, cable companies and others rush to embrace VoIP, warnings persist that all is not secure and customers should be on their guard.

While Grant Thornton, the accountancy and consultancy firm that came up with the above numbers, believes migration from fixed line to mobile and VoIP services will increase exponentially over the coming years, it tempers its enthusiasm with a warning about security.

“Security remains a major concern,” said Sarika Patel, head of technology at Grant Thornton. “VoIP is more secure than it ever was, but eavesdropping, viruses and fraud are still a threat.

“Currently, software encryption products are available, but it is inevitable that encryption will be integrated directly into VoIP systems in the near future. If this is successfully managed and brought to market, VoIP will garner the confidence of business and uptake will jump.”

Calling for security products to be designed specifically for VoIP is Jonathan Zar, chairman of the threat taxonomy committee of the Voice over IP Security Alliance (VoIPSA). He was responding to an announcement by VoIPShield Systems that it had notified Cisco, Nortel and Avaya that it had discovered around 100 vulnerabilities in their products.

"Digital video and voice enabled by Voice over IP technologies are vital to commerce and are substantially at risk. It is important that products be developed that are specifically designed to protect VoIP systems. VoIPSA encourages all research leading to such products," said Zar.

Despite what the Grant Thornton study says, Nick Frost, senior research consultant for the Information Security Forum (ISF), has detected a hesitancy to move to VoIP, fuelled by the perceived risks.

In the past five years or so, “I’ve seen organizations almost become religious about risk analysis,” says Frost. “It has certainly given organizations a greater understanding of the risk profile, if they were to suddenly move over to VoIP. Some organizations have decided, quite vehemently, that this is not an option for the next couple of years, despite obvious cost savings.”

To illustrate, Frost explains that some organizations report a 94% rate of spam e-mail, so why, they argue, should SPIT (spam over internet telephony) not become as prevalent in the future, severely diminishing the return on investment from VoIP? In such a climate, a move to VoIP when the existing system operates perfectly well seems dangerous, particularly when seen in the light of ‘what is possible’ rather than perhaps ‘what is likely.’

VoIP networks are just too easy to get at, says Ken Munro of penetration testing company, SecureTest.

“It’s very easy for somebody with a tiny bit of network savvy to intercept those phone calls. Okay, so there was no security on the old analogue PABX, but you had to have crocodile clips and specialist knowledge. Now we’ve gone from specialist knowledge to [a state where] any network sniffer can intercept the office phone calls.”

Munro even suggests, and this doesn’t only apply to VoIP, that firmware would make a good vector for some malware.

“Most of the network technology is made in the Far East, and it wouldn’t be that difficult to infect the manufacturing process and use that to tumble data back out to a third party. And there’s no way of finding it because it’s a firmware based infection and there are no firmware scanners.”

The criminal ear

Inserting malware into VoIP routers and switches might seem fanciful, but given that counterfeit network equipment has been discovered for sale since at least 2004 (according to reports: http://tinyurl.com/25x2wm) and malware has been found on retail devices (http://isc.sans.org/diary.html?storyid=3807), it’s surely not beyond the wit of determined criminals or rogue governments intent on e-warfare (http://news.bbc.co.uk/1/hi/world/europe/6665145.stm).

It could get unpleasant, says Philip Zimmermann, inventor of Pretty Good Privacy (PGP) and known for his work on VoIP encryption. “We never imagined the internet would be as bad as it is today. Once organized crime got into the picture it changed everything, and they will get into VoIP too.”

Zimmermann is pessimistic about the current state of VoIP security, explaining that we all rely on the vigilance of each other. “It’s not always what you’re going to do; how clever you are, it’s also how clever is everyone collectively across all of VoIP.”

As an example, he says, “You get spam not because you’re too lazy to protect your computer, but because some other guy who lives down the street is too lazy to protect his computer. His computer is the one sending the spam.

“Wire tapping will be used against companies to get insider trading information; to get blackmail information: people in positions of power; politicians; captains of industry; high net-worth individuals, the blackmail possibilities are endless”, says Zimmermann.

Accepting the inevitable

Indeed, Zimmermann’s concerns have led him to invent an encrypted VoIP phone system, the Zfone, using ZRTP (an encryption protocol built on the Real-time Transport Protocol, RTP). “VoIP encryption is inevitable, we can’t do without it, we have no choice,” he says. “It’s not some luxury. We can’t jeopardize our critical infrastructure, the phone system, by not encrypting it. This is in the interest of the government, and its citizens.”

SecureTest’s Munro agrees that VoIP end-point encryption is “exactly what we need”, even though he knows the recording of calls and encryption-key management causes complications and additional overhead, particularly in a call center environment.

“If you need to record calls you’ve got all sorts of problems with decrypting the calls and storing them securely. If you’re working in a banking-retail environment and you have to store the calls, you’ve got a nightmare,” he says.

The additional overhead is one of the reasons that Gary Thomas, head of IT operations at law firm Irwin Mitchell, rejected encryption on the company’s VoIP system. “Encryption introduces its own complexities in terms of maintaining keys and overhead on packets. We run our own VPN and it is relatively secure. Voice is just another service running on the network,” says Thomas.

He is far more concerned with making sure that his overall network perimeter – both voice and data – is secure, and that the 6 000 calls per day are serviced come rain or shine. Additional complexity would not be welcome.

Voice of reason or exaggeration?

At the ISF there is a feeling among members that the real threat profile does not match the hyperbole from the media. Members are more anxious about the reliability of equipment, the faults in software switches and the errors in VoIP infrastructure.

“As more organizations become risk aware, they are collecting their own incident data and have a better understanding of their own internal threats. Quite honestly, it doesn’t map to what the media is saying. They [ISF members] are becoming a little bit doubtful that what they are reading is actually true,” says the ISF’s Frost, who indicated that his members doubt that information security issues are truly as threatening as portrayed in the media.

But like so much in information security, risk is seen as low until bad things happen, and currently many VoIP threats are either mitigated through existing network strategies and security policies, or are merely hypothetical.

Though with VoIP sniffers like Ettercap (http://ettercap.sourceforge.net/) and Cain (www.oxid.it) available for free download, it does not seem so far-fetched that Zimmermann’s VoIP dystopia is on the way.
