Researchers: Skype, VoIP Are Hot And Risky

By Jim Wagner | Nov 10, 2005 | Print this Page
http://www.enterprisenetworkingplanet.com/unified_communications/Researchers-Skype-VoIP-Are-Hot-And-Risky-3563331.htm

UPDATED: Security experts are throwing up warning flags about VoIP on the corporate network and pointing to one provider in particular.

Research from VeriSign and Info-Tech Research Group said security risks surrounding increasingly-popular Internet phone software could put networks at risk and should be addressed.

Ross Armstrong, senior research analyst at Info-Tech, is also urging businesses to ban the use of free Voice over IP software provider Skype in the workplace -- especially if they already have similar policies regarding the use of peer-to-peer technologies.

Skype usage in the enterprise, he said, is in many ways similar to the steady growth of public instant messaging (IM) services the past couple years. The real danger, he said, is if Skype is downloaded and used in an enterprise as an unsanctioned software application.

While Armstrong said he has not seen any Skype vulnerability exploits in the wild, he pointed to vulnerabilities that have been patched in Skype. Last month, the company reported two high-risk security bugs.

Skype was acquired by eBay in September for $2.6 billion and counts some 54 million members in 225 countries and territories using its free software.

Beyond its free PC-to-PC calling service, voicemail, instant messaging, call forwarding and conference calling, Skype offers a paid calling service, called Skype-out, that connects PC callers to traditional landlines and mobile phones.

But as popular as it may be, researchers said if an unpatched version is sitting inside the corporate network, and malware writers capitalize on that, it could create problems for IT managers that don't even know the application is behind the firewall.

"Now, I'm not saying to be reactionary and ban Skype no matter what," Armstrong said. "What I'm saying is IT managers need to be aware whether or not it's being used without proper authorization within the enterprise."

Skype officials said administrators should be diligent with their network and user rules. The company has a security resource center on its Web site featuring a guide to help network administrators manage Skype use on the network.

If Skype is going to be allowed, it needs to be centrally managed, Armstrong said, though he advises companies to wait for an enterprise version of Skype before allowing it in the workplace. As it stands, the research firm noted in an advisory Thursday, Skype doesn't leave an audit trail and could get companies into trouble on the compliance front; there's also the question of whether VoIP calls in general constitute a business record.

The issue of VoIP security has been on the minds of industry experts for much of the year. In February, nearly two dozen VoIP companies formed the VoIP Security Alliance (VOIPSA) to keep up with the security questions posed by the telephony technology.

One of the VOIPSA members, VeriSign, published a report earlier this week pointing out some of the dangers of VoIP use in the enterprise. VoIP packets, the Internet Security Intelligence Briefing (ISIB) noted, lack clearly-recognized signatures that allow administrators to distinguish it from data packets carrying trojans.

Changes to the network protocols the VoIP industry uses for Internet telephony hasn't always matched up with with the additions security administrators want, said Phillip Hallam-Baker, VeriSign principal scientist.

"The VoIP world is a fairly complex one, there's a lot of moving parts," he said. "Changing the basic protocol, those changes are most likely to be motivated by functions and features that the VoIP world thinks it needs, rather than functions and features that the data world would like to be added into the protocol."

VeriSign's security report recommends network administrators use separate networks for voice and data traffic, or connecting through a virtual private network (VPN).