Betting against VOIP security

After more false dawns than a TV soap opera, IP Telephony (IPT) is finally happening in the mass market.

You can bet your second-last dollar that when the amount being written about a technology in the hi-tech press begins to decline, the amount of the same stuff being installed in real networks increases dramatically.

Why your second last dollar? Well with your last dollar you can place a spread bet on how long it will take before we read our first 'IPT DOS or DDOS Attack' headline. Or 'VoVoIP attack' – where the first Vo stands for Virus over...

Not a lot has been said or written about this subject, hence not a lot is known about the potential vulnerabilities or consequences of the mass deployment of IPT. In some respects both vendors and users are in denial: Vendors through the rush to prove the technology and users through the rush to make the cost savings and realise the added benefits of a far more flexible solution.

As in the data world, IPT attacks vary from the simply mischievous to the purely malicious. On some kind of sliding scale:

- It's relatively simple to borrow another user's identity and make calls without their consent

- Eavesdropping on IPT conversations is easier than in the traditional, TDM/PBX world

- IP Gateways are susceptible to a variety of DOS attacks, such as brute force gateway overloads, and phone deregistration

I'm not trying to cause panic here. These problems can be avoided. But I am questioning whether the voice vendor community as a whole, as well as the user community, is treating the issue with the respect that it deserves.

Ask an inexperienced driver what their chances are of ending up in a car accident of their own making, and they'll quote long odds. It's the 'Stuff happens to other folks' syndrome, and it takes some real-life experience to wear it down. Consequently, selling them a 'premium security' package – defensive driving coaching, all-round airbags - is an up-hill struggle.

It's a bit like that in the world of voice at the moment. Having not benefited directly on the learning curve that has forced the data world to take information security seriously, the voice guys are both underestimating the threat and overestimating the cost of facing up to it. This is a dangerous mix.

Our industry, especially the network and systems integrators at the sharp end of building solutions, have to stop talking merely about convergence and start educating clients and vendors about a new imperative – Secure Convergence.

Secure Convergence represents a holistic approach to information and network security.  It means designing processes, networks and technology that inclusively secures wired and wireless networks, public (internet) and private infrastructures, and the voice and data services that increasingly run side by side on them.

Every security consultant I speak to says the same thing: 'Just wait until the script kiddies turn their attention to voice. It just that they're having too much fun with all the other stuff at the moment.'  During this lucky period of grace, can we collectively as an industry begin this education process and debate the steps that need to be taken to converge securely. Otherwise, just like any other soap opera, there's a scandal coming.  And for the victim it won't be a false dawn – more like a rude awakening.

Denny Meijer is Technical Director at Scalable Networks Plc.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.