Access keys | Skip to primary navigation | Skip to secondary navigation | Skip to content | Skip to page tools | Skip to footer |
Problems viewing this site
Feature News and Research title Feature News and Research image top
Featured research Feature News and Research image bottom

Is VoIP talk cheap or a potential security risk?

01 May 2005

The extraordinary growth of Voice over Internet Protocol (VoIP) as a cost effective alternative to traditional telephone networks has also exposed a range of new vulnerabilities associated with the technology.

VoIP allows for voice communication over packet-switched Internet protocol based data networks, rather than through the "circuit switched" approach used by the traditional telephone network.

The potential benefits of VoIP and IP telephony are significant for both consumer and business alike, demonstrated by the technology's uptake last year, growing 98 per cent compared with 2003.

According to the IDC Australia Quarterly IP Telephony Enterprise Equipment Tracker which tracks IP phones, single-mode IP PBX's and dual-mode IP PBX's, IP phones sales more than doubled last year, growing 176 per cent year-over-year to reach more than 200,000 IP phones shipped in 2004.

Apart from the increasing businesses sector uptake, the emerging consumer market will also dramatically boost VoIP popularity. Telstra is expected to launch a home VoIP service by mid-2005 to compete with broadband telephone companies already established in Australia.

However, new technologies also introduce security risks as those with malicious intent try to undermine or destabilise business operations.

Because VoIP calls travel over the Internet they are vulnerable to the same security problems that plague email and the web.

Potential dangers include distributed denial-of-service (DDoS) attacks, voice spam and a form of phishing in which attackers spoof the phone number of a legitimate caller on a caller ID display.

Security breaches have huge implications

CITEC Technical Product Consultant, Greg Smith says users of VoIP should apply the same stringent precautions used to protect their data services.

"The implications for a security breach through VoIP are far greater because they will bring down voice and data networks, the last bastion of outside communication for a business," Greg said.

"VoIP security needs to be handled in the overall context of data security, which most companies assign a very high level of importance.

"Securing voice traffic on such networks isn't that different from securing any data traffic on a company's IP network.

"Equipment needs to be properly locked down, placed behind firewalls, patched against vulnerabilities and frequently monitored using intrusion-detection systems."

When key business devices such as PBXs are IP enabled, they also expose a wider range of access points to a business.

Call management boxes such as server-based IP PBXs, which are used both for providing VoIP services and for logging call information, are susceptible to virus attacks and Internet worms that can render VoIP lines unusable.

VoIP gateway technologies are also a potential weak point as they can be hacked into to make free telephone calls or to monitor or alter conversations.

Tips for securing a VoIP network

While security risks are a concern, there are methods to secure VoIP traffic:

  • Encrypt VoIP traffic and run it over a Virtual Private Network.
  • Properly configure firewalls and check to see if your networking and security vendors have support for Session Initiation Protocol and the International Telecommunication Union's H.323 voice protocol.
  • Consider segmenting voice and data traffic by using a virtual Local Area Network, as this will limit the threat posed by packet-sniffing tools and minimise disruption in the event of an attack.
  • Think about using proxy servers in front of corporate firewalls to process incoming and outgoing voice data.
  • Make sure that server-based IP PBXs are locked down and protected against viruses and denial-of-service attacks.

Industry action on VoIP security issues

The Department of Information, Communication Technology and the Arts is investigating potential security risks with a study associated with VoIP phone systems, through its IT Security Expert Advisory Group.

The study, due to be delivered later this year, is primarily aimed at critical national information infrastructure; however, the findings should be applicable to all businesses using VoIP.

The recent establishment of the VoIP Security Alliance (VoIPSA), a group of vendors and service providers in the United States aiming to head off VoIP security problems, will also ensure security measures are investigated closely.

The alliance has set up a taxonomy to classify threats and establish the requirements for making VoIP secure.

Detecting a network breach is difficult

Greg says it is notoriously hard to tell if a network is being hacked into, particularly by repeat offenders who go undetected for some time.

"There is so much data streaming in and out that anyone with access to the same IP network as a VoIP phone may knock it out of service with a barrage of worms, viruses or spurious traffic without it being detected for some time," he says.

"Having strict access-control lists and making sure the gateway is configured so that only the people on this list are permitted to make and receive VoIP calls, is one method of security.

"If security measures aren't put in place, unscrupulous telemarketers could use VoIP to blast huge numbers of voice messages, access customer credit and privacy details or seriously disrupt business flow."

For more information about CITEC's security solutions, including managed firewalls, Internet content filtering, intrusion detection and prevention solutions and email security, contact Greg Smith, Technical Product Consultant on 07 3222 2566 or email info@citec.com.au.

grey line

CITEC RSS feedCITEC feed available.

Read more about RSS at CITEC. Not sure what is RSS?
Related links

» CITEC feature news

Ask a CITEC analyst