Can we talk?
A Harris Interactive survey conducted last year of 1,089 U.S. adults aged 18 and up shows the number of respondents who have heard of VoIP jumped from 36 percent in January 2005 to 47 percent just 10 months later.
VoIP provides noticeable upgrades for organizations compared to the traditional private branch exchange (PBX). It accommodates the mobile workforce, delivers a lower network cost of ownership, and offers a viable reason to replace aging telephony equipment with enhanced component features, such as teleconferencing and other multimedia applications, says an Internet Security Solutions (ISS) white paper.
According to analyst firm Yankee Group, the business VoIP market is expected to grow from $840 million at the end of last year to nearly $3.3 billion by 2010. Chris Liebert, a senior analyst with the Boston-based firm, says an estimated 39 percent of organizations already have deployed VoIP, 28 percent plan to do it in the next year, and 11 percent in the next two years.
Yet despite the increase in awareness and obvious reasons why VoIP makes sense to deploy, clearly not everyone is sold, Liebert says. Twenty-one percent of enterprises still have no plans to have their telephone calls routed over high-speed internet connections.
"You'd think it would be more ubiquitous," Liebert says of the number of businesses embracing the technology. "It begs the question of why the hesitation."
The possible answer, say experts: concerns over security.
"If you're going to introduce VoIP into a corporate environment, it's going to impact that environment," says Jeffrey Stern, vice president of business development at Bethesda, Md.-based security vendor KoolSpan. "The question is how?"
Because it inherits the same IP security characteristics as its data counterparts, internet telephony is subject to service disruptions that could grind a business to a halt, experts say. After all, being unable to make a telephone call has a more dire effect than losing web access.
"It's one thing to lose your email," says John Wheeler, director of global deployment and integration for managed services at ISS, an Atlanta-based company offering a VoIP intrusion prevention system. "It's an entirely other thing to lose your entire inbound and outbound communication to your clients."
Nuisance attacks, such as distributed denial-of-service (DDoS) assaults against phones and signaling proxies, are the likeliest problem to affect enterprises that have deployed VoIP, experts say. Attackers can generate thousands of signaling messages against one telephone by manipulating the Session Initiation Protocol (SIP), the standard for initiating a VoIP session.
"I can attack the phone and send 10,000 invites [requests to initiate calls] against one Voice over IP phone," says Peter Thermos, a consultant and founder of VoP Security, an open forum for sharing internet telephony information. "It will occupy the phone for the duration of the attack. Your phone will keep ringing and ringing and ringing."
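The INVITE flood described above is a rate anomaly that is straightforward to spot on the SIP proxy or a monitoring tap. The following is an added example, not code from the article or from any vendor it mentions: it parses a constructed, simplified SIP request log (the line format and the hosts are assumptions) and flags any callee that receives more INVITEs than a threshold within a sliding window.

```python
# Added example: detect SIP INVITE floods against a single phone by counting
# INVITE requests per callee in a sliding time window. The log format below is
# constructed for this example; adapt LINE_RE to your proxy's real access log.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<uri>sip:\S+) from (?P<src>\S+)$"
)

def parse_line(line):
    """Return (timestamp, method, callee URI, source) or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("method"),
            m.group("uri"), m.group("src"))

def detect_invite_floods(lines, window=timedelta(seconds=10), threshold=50):
    """Return one alert (callee, time, count) per callee that receives more
    than `threshold` INVITEs inside any `window`; other methods are ignored."""
    recent = defaultdict(deque)   # callee URI -> timestamps of recent INVITEs
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, method, uri, _src = parsed
        if method != "INVITE":
            continue
        q = recent[uri]
        q.append(ts)
        while q and ts - q[0] > window:   # drop INVITEs older than the window
            q.popleft()
        if len(q) > threshold and uri not in alerted:
            alerted.add(uri)
            alerts.append((uri, ts, len(q)))
    return alerts

# Constructed sample: one normal call setup to extension 2001, then a burst of
# 60 INVITEs within three seconds aimed at extension 2002 from one source.
SAMPLE_LOG = ["2006-03-01T10:00:00 INVITE sip:2001@pbx.example from 10.0.0.5",
              "2006-03-01T10:00:01 ACK sip:2001@pbx.example from 10.0.0.5"]
SAMPLE_LOG += [f"2006-03-01T10:00:{i // 20:02d} INVITE sip:2002@pbx.example from 10.0.9.9"
               for i in range(60)]

if __name__ == "__main__":
    for uri, when, count in detect_invite_floods(SAMPLE_LOG):
        print(f"ALERT {when}: {count} INVITEs to {uri} within window")
```

In production the threshold should sit well above the phone's legitimate call-setup rate, and the alert would feed the intrusion prevention device or a rate limit on the proxy rather than just a log line.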
Call centers are possible subjects of such attacks, industry leaders say. Mark Wilson, founder, president and CEO of customer contact center RYLA Teleservices, says he is aware of the threats that VoIP poses, but he says the benefits of the emerging technology outweigh the negatives.
"We, as a new company, felt we wanted to take a chance on it primarily because it offered static pricing," Wilson says, four years after deploying AT&T VoIP services. "The economics of it are really the driver."
So far, Wilson says his Kennesaw, Ga.-based firm has saved 10 to 15 percent compared to what the company's bill would have been with traditional lines. Plus, RYLA has seen "no degradation in service," he says.
Intercepting voice packet transmissions between callers, which permits eavesdropping, soon could impact the VoIP community, experts say. Phil Zimmermann, who created groundbreaking email encryption software known as Pretty Good Privacy (PGP) in 1991, is a strong advocate of VoIP encryption — so much so that he recently launched Zfone, which provides secure telephony for the internet.
His new software contains a cryptographic key exchange between the two parties talking that does not rely on servers. The keys are created at the start of the call and destroyed at the end, Zimmermann says.
He contends that the wiretap threat model for VoIP is more expansive than for the Public Switched Telephone Network (PSTN). For example, an office PC might be infected with spyware, allowing it to capture voice packets, store them as a WAV file, organize them and let hackers "pick and choose who they want to listen to."
"The manifest destiny of VoIP is to replace the PSTN," Zimmermann says. "Anyone could wiretap your company. Hundreds of thousands of criminals around the world could wiretap your company. They will attack it with the same vicious zeal we now see being used to attack the rest of the internet."
Because it is still in its formative years, VoIP has yet to offer a worthwhile attack vector for profit-driven hackers, experts say. However, as more people deploy the service it will become more susceptible to the scams that target data networks today.
SPIT, or Spam over Internet Telephony, will become the new avenue for sending mass numbers of unsolicited voice messages, a natural progression following in the footsteps of email spam and bulk faxing, industry leaders predict.
VoIP phishing, where unknowing recipients are contacted via telephone, also may gain in popularity, experts warn. Some scammers are already using VoIP lines to pose as a financial institution after they send out spam emails requesting that recipients call a number to verify account information.
Viruses and worms designed to attack internet telephony have yet to make their mark, but they may not be too far off, experts say. VoIP malware may begin to propagate as soft phones, equipped with multimedia functions such as video, become more prevalent, Liebert says.
"VoIP is sensitive to delays and latency, so if you're doing this across a LAN or the internet and there is a virus moving around, that could cause a problem in service," said Gus de los Reyes, lead security architect for VoIP services at AT&T.
Yet experts warn that simply exploiting vulnerabilities within the operating system could be all it takes to unleash a damaging payload.
"If you can compromise the Windows operation that the call manager relies on, there's no sense in performing complicated VoIP attacks because you already own that box," says David Endler, director of security research at Austin, Texas-based TippingPoint, a division of 3Com, and a leader in intrusion prevention.
Liebert recommends that companies running VoIP have a solution in place to block threats, such as a multilayered VoIP-enabled intrusion prevention device. Firewalls may not be effective because users "open up a large range of ports on a firewall to complete the calls," says Stern of KoolSpan.
"You opened [the firewall] up for another reason, and some other [malicious attacker] drove his traffic through that," he says. "Basically, the firewall becomes a screen door and, at that point, it could be penetrated by a rogue interest. This is one of the fundamental challenges that an enterprise has to deal with when they consider bringing in VoIP."
Still, much of the burden to secure the technology falls on the product vendors and service providers, Thermos says.
In all forms of internet technology, security often takes a backseat to a market rush or a push to include features, Endler says. VoIP is no different, and manufacturers and providers must follow best practices, especially in the case of a managed solution, when a provider takes on the security burden for the client.
"The responsibility should be on the product vendors and the providers," Thermos says. "The product vendor may support a feature, but the provider may not implement it for various reasons."
Visit www.scmagazine.com/us/podcasts to hear encryption pioneer Phil Zimmermann discuss the emerging VoIP threat landscape.
At the enterprise
While standard perimeter security measures may provide some safety for enterprises deploying internet telephony, companies must implement Voice over Internet Protocol (VoIP)-specific security solutions to truly protect their networks.
And companies cannot count on vendors to patch new vulnerabilities. They must have measures in place to combat threats, as VoIP becomes more attractive to cybercriminals.
Experts seem to be in agreement on several ways that companies can shield themselves from popular VoIP threats, such as denial-of-service attacks, eavesdropping, spam and call spoofing.
- Deploy a VoIP-enabled firewall and a host-based intrusion prevention system to protect the IP-PBX (private branch exchange) from attacks.
- Segregate VoIP traffic from other internet traffic by using VLANs (virtual local area networks).
- Strengthen access controls by requiring employees to log onto IP telephones.
- Harden VoIP-specific servers.
- Implement encryption software. — DK
Seeks best practices
As Voice over Internet Protocol (VoIP) becomes common vernacular in the company IT department, one industry group is racing to devise best security practices for the deployment of the technology.
The 100-member Voice over IP Security Alliance (VOIPSA), consisting of providers, vendors and other industry figures, has launched a "best practices project," says David Endler, alliance chairman and director of security research at Austin, Texas-based TippingPoint.
"The average end-user doesn't know anything about VoIP security," says Peter Thermos, a researcher who is authoring a book on the topic.
"I think VoIP can be secure," Endler says. "We are helping consumer confidence that VoIP can be secured against many of the threats out there and many of the threats to come."
As internet telephony replaces traditional telephone lines, users will expect it to work.
"You pick up the phone and you get a dial tone," says Les Goldman, product manager of Verizon Business managed network services. "People have done that for years, and they [expect] it's going to work." — DK