VoIP Security Experts Express Concern
No progress seems to come without its price: While VoIP is on track to reach 50 percent enterprise penetration in the next two years, that very success may prove the technology's Achilles heel, as adoption outstrips any established security provisions.
Could VoIP's strength also be its Achilles heel? VoIP is on track to see enterprise adoption reach nearly 50 percent in the next two years. Now industry voices are raising concern hype may outpace education and the people hawking spam and spyware could already have your numberphone number, that is.
A year ago, talk of security "emptied the room and made people hide under the pillows," says Reid Pierce, marketing vice president for the Boston-area VoIP management firm Qovia. Today, "security is a big subject" among participants at the Voice on the Net conference, says Ben Guderian, marketing director at SpectraLink. The Boulder, Colo-based company makes Voice over Wi-Fi handsets for enterprise markets.
Central to concerns is the inherent insecurity of the IP portion of VoIP. While early discussions of VoIP have concentrated on the benefits of transmitting voice through digital packets, until now little has been mentioned of the dangers marrying voice and the Internet.
Ma Bell sees VoIP threat
Since entering the VoIP landscape in 2003 with its CallVantage program, AT&T has been a strong proponent of routing telephone calls over the Internet. Yet the integration of voice and data in the enterprise are leading to more and more vulnerabilities, says Stan Quintana, vice president, AT&T managed security services.
Integration of voice and data networks will lead to a proliferation of devices able to access the Internet as well as exploiting a voice service, according to the AT&T executive.
Ashley Johnston, director of business development at Texas Instruments' VoIP Group, singles out voice interception, toll fraud and identity fraud as the top VoIP security headaches.
AT&T is a member of the recently formed VoIP Security Alliance, an effort by the industry to meet head-on security threats facing IP telephony. David Endler, chairman of the alliance, believes there is a general misconception of VoIP security.
Threats to VoIP networks are no different than those faced by data networks, says Endler.
Ron Gula, CEO of Tenable Network Security and member of the VoIP Security Alliance, believes enterprises "are not grappling with the head sales guy with all his contacts on a T-Mobile account or BlackBerry network."
"The question becomes: do you want convenience or security?" asks Gula.
Remember the basics
"Some of the most basic things are forgotten" when it comes to securing VoIP, says Quintana. While AT&T provides customers with what it calls 25 design points when creating a VoIP network, the executive points to the top three security requirements:
- Encryption of connections
- Enabling passwords in VoIP devices connected to a network.
- Ensuring multiple virtual LANs are used to separate voice and data traffic.
As more and more devices take on multiple uses, such as a PDA that also has voice functions or a softphone that connects to an office PC, "the industry will have problems with multimodal devices," says Quintana.
Creating best practices
Another sign of the urgency for greater VoIP security awareness is a list of 'best practices' the VoIP Security Alliance hopes to compile and deliver as one of the group's first projects. Although Endler hesitated to provide details, Gula says he hopes the organization will complete the project in the next six months and offer it as a bullet list.
Qovia's Reid says within months the company will announce a product able to block VoIP spam. In the meantime, he wonders if the government shouldn't step in. "Does the CAN-SPAM Act or do-not-call list apply to voicemail?" asks Reid.
In February, a New York State man was charged under the 2003 federal CAN-SPAM Act after allegedly sending 1.5 million instant messages touting mortgage refinancing and pornography.
AT&T's Quintana welcomes federal enforcement of spam laws.
If VoIP insecurity has people longing for the safety of the traditional Public Switched Telephone Network, the AT&T executive points out that those weren't really the good old days. "It's not like it's 100 percent secure," says Quintana. Nearly three decades ago, famed hacker Cap'n Crunch used a toy whistle to confound the telephone system.
Although predicting enterprises using VoIP will climb from today's 10 percent to 45 percent by 2007, Michael Osterman, principal analyst at Osterman Research, says security flaws "could put a serious dent in the market" and would certainly slow future growth.
When asked how long we have to correct VoIP security, Gula is blunt: "VoIP is already here."