Is VoIP a Security Risk?
Analyst claims that VoIP networks are at risk and calls on industry association to certify security.
The security threats that plague the Internet and other data networks also poses a grave threat to the continued growth and adoption of VoIP according to Info-Tech Research Group. The research firm has called on the VoIP Security Alliance (VOIPSA) to implement standardized security certifications to combat the problem. VOIPSA agrees but is currently focused on "other projects" and won't be tackling certification anytime soon.
According to Info-Tech Research Senior Analyst Carmi Levy VoIP handsets are simply Internet-capable computers disguised as telephones. As such Levy contends that they are subject to the same security threats as other web-connected devices. Without "serious" security that includes universally defined security standards and certifications, VoIP industry growth may be stunted, as enterprises avoid committing mission-critical traffic to VoIP.
Levy notes that there are a number of potential security threats that could disrupt VoIP networks. "The one that will most likely hit the radar first is simple eavesdropping," Levy told EnterpriseVoIPplanet.com. "Having any form of communication compromised in any way can be immensely damaging to a company's ability to keep pace in its market."
"The potential for VoIP attacks to do so on a much larger scale:not simply one conversation, but every conversation:makes this a very real potential threat, and in my view the most significant one the industry currently faces," added Levy.
Other perceived threats, like an attacker potentially inserting words into conversations, are less likely to become prevalent on as large a scale as simple eavesdropping, according to Levy.
The POTS (Plain Old Telephone Service, also referred to as the Public Switched Telephone Network or PSTN) is also at risk from hackinggenerally theft of service attacks known as "phreaking". Through Levy argues that the risk to VoIP is greater. "If a hacker or phreaker compromises a conventional analog POTS-based telephony system, he or she usually ends up stealing some long distance service," Levy explained. "There's some risk of compromising the company's entire telephony system as well, but the risk in an analog telephony situation is usually limited and localized."
Due to its integration with the Internet infrastructure, the potential reach of a digital telephony network attack makes the potential damage of a VoIP attack significantly greater.
"The damage potential is so much greater with VoIP that it's not much of a stretch to say they can bring down an entire company," Levy warns. "Phreaking looks quaint when compared to the damage potential in a VoIP-enabled world."
The call for certification
To better protect the integrity and security of VoIP networks and the VoIP industry itself Info-Tech Research has called on the VoIP Security Alliance (VOIPSA) to certify VoIP security. VOIPSA is an industry association made of up a who's-who list of hardware, software, and security vendors.
David Endler, Director of Security Research for TippingPoint, a division of 3Com, and Chairman of VOIPSA agrees with Info-Tech's assessment that the VoIP industry needs to get serious about security.
"This is what VOIPSA has been preaching since its inception in February and was one impetus for VOIPSA's formation," Endler told EnterpriseVoIPplanet.com
Endler also agrees that certification is good idea and noted that VOIPSA has discussed certification in its board meetings.
"However, at this time, we have decided to focus on other projects, projects that we believe are building blocks and prerequisites to certification," Endler said. "The projects we are focused on are developing threat taxonomy and defining security requirements across VoIP networks."
The first draft of the VOPSA projects is expected to be available for public viewing by the end of July. The initial set of projected specifications will be followed with the definition of a set of best practices and a testing methodology for VoIP security.
Endler noted that VOIPSA believes certification is important, but that certification is usually a sign of a more mature market and there are other fundamental security priorities right now.
"We won't rule certification out at this time," Endler stated. "However, we have other, more immediate near-term projects."
What certification might look like
Info-Tech Research Senior Analyst Carmi Levy thinks that the industry can look at the evolution of networking and later the Internetfor some guidance on how implement universally defined security standards and certifications. For Levy, there are two major outcomes of a successful VoIP security certification campaign: a logo or branding for VoIP products and services, and a training designation for VoIP professionals.
"The more structure and marketing the telephony industry can put around security standards, the easier it will be to convince the non-technical, C-level leaders who pay for it that it's worth betting the company's future on it," Levy argues.
Though VOIPSA does not currently have any plans on the drawing board for certifications, Levy is encouraged that VOIPSA has received broad industry support early in its existence. "It's a sign that, unlike earlier generations of Internet-borne threats, companies are no longer willing to wait for the threat to become reality," Levy said. "They're taking a much more proactive approach to locking down security-related issues before the first major attack hits."