VoIP Security: Is Anyone Listening?

There is every indication that 2002 will be the year of voice over Internet protocol (VoIP).

Adoption rates are set to achieve exponential growth in the aftermath of the September 11 attacks, as more corporations realize the cost benefits of converged networks in comparison to trunk networks. Successful VoIP implementations have made a remarkable difference to the enterprise segment, which had remained ambivalent for a long time. The hassles of setting up customized networks for each medium - data, voice and video - have driven enterprises toward IP networks, which can easily accommodate sudden spurts in usage at relatively lower costs.

Companies that want to combine voice and data traffic cannot afford to overlook VoIP. Apart from the compelling economic reasons, new and exciting IP-based applications may prove to be the next biggest driver. Call control, bandwidth optimization, centralized configuration and maintenance, as well as multimedia and multi-service applications such as unified messaging and web conferencing, which are beyond the scope of traditional telephone systems, are proving to be powerful market elixirs. After being brushed aside as nothing but hyperbole, VoIP products have reached the level of sophistication that would allow them to handle enhanced functionality.

Is Everything Fine on the VoIP Front?

However, VoIP has been dogged by its share of problems for a number of years now. The tantalizing range of convergent services promised by these networks has taken a long time to arrive. Early adopters were made to realize, rather painfully, that this is still an emerging technology. Poor voice quality, bandwidth bottlenecks, the melee of standards, and resultant interoperability issues had forced many to overlook cost benefits. Consequently, a number of companies are content to do things the traditional way, by sticking to trunk networks and operating individual networks for voice, video and data transfers.

Apart from concerns about the quality of service (QoS), the issue of security has also been a bother. Most of the gateway vendors have not yet implemented packet encryption. Internet telephony is not quite secure, when compared to voice traffic over circuit-switched networks. Even encrypted data packets traveling over IP networks enjoy greater security than voice. Though it has been several years since the technology was billed a big breakthrough, security is still not a priority among VoIP implementations.

Let us look at a few aspects of VoIP that make it vulnerable.

The Internet is No Safe Place

The volatility of the Internet is enough to give any network administrator a nightmare. For hackers, who have exhibited remarkable skills in capturing encrypted data packets, capturing unencrypted voice packets may prove child's play. IP-based VoIP deployments are not only open to such attacks, but could also expose the entire network. As voice packets travel through the same networks that carry data, packet-sniffing and denial-of-service (DoS) attacks are distinct possibilities.

The enormity of the situation can be better comprehended when one considers the fact that VoIP is fast getting into the mainstream and is also used to facilitate e-commerce transactions. IP packet monitors are freely available and their source code is open to modification, which means these can be used to sniff out and capture voice packets traveling over the network. A hacker can very well trigger a DoS attack by flooding the network with voice packets. The greater confidentiality required by voice conversations makes the security issue more complex.

As Good as the Weakest Link

There are three popular VoIP protocols - the H.323, the session initiation protocol (SIP), and the media gateway control protocol (MGCP) - all of which promise to enable the intelligent network.

The H.323 has four main constituents: the terminal, the gateway, the multi-point control unit and the gatekeeper. The gatekeepers typically take care of the authentication process for the VoIP network. SIP employs user call agents to invite users to calls while MGCP employs media gateway controllers.

The three protocols differ in terms of where the intelligence is present. While SIP has intelligent endpoints, MGCP has intelligent networks, whereas the H.323 boasts of pervasive intelligence. Though all of them have well-defined security mechanisms (all three support authentication and encryption), none of them are flawless.

Facets of VoIP Security

There are four basic aspects to VoIP security. Apart from the voice that travels over the network, account information such as statistical data about users, the number of calls made, and information about the origin of the calls is prone to theft. Security in a VoIP environment can be broadly slotted into four aspects - authentication, non-repudiation, integrity, and privacy.

Let us look at each of them briefly.

Authentication and encryption: Both SIP and H.323 offer a variety of mechanisms for authentication and encryption. While the H.323 supports symmetric and subscription-based authentication, SIP has basic, digest, multi-proxy and pretty good privacy (PGP) authentication. However, SIP does have encryption limitations. Many of the vendors do not use encryption because encryption of data packets and their subsequent decryption increases latency.

Non-repudiation: Issues relating to non-repudiation may become critical in e-commerce-intensive environments. Ensuring non-repudiation or proof-of-involvement becomes important when it comes to billing and credit verification.

Integrity: Moving voice over a packet network presents challenges of its own, without any contributions from malevolent elements. While complaints about packet delays (delays that occur when a number of packets begin to clog a network) are recurrent, the networks are also prone to ping sweeps at the simplest level and full-blown DoS attacks as adoption by enterprises increases rapidly.

Privacy: When phones can be tapped and cell phone conversations can be logged, why can't calls over a converged network be eavesdropped upon? Voice cannot be tapped on a public-switched telephone network (PSTN) unless there is physical access to the line. The intelligence offered by VoIP networks means the administrator can keep logs of usage and user-activity for accurate billing. However, this information can be easily tapped into. As said before, protecting unencrypted voice packets also presents a unique set of challenges.

Should You Worry about VoIP Security?

VoIP has unique vulnerabilities, just like data networks and PSTNs. However, this does not argue the case for vendors that have put security implementations on the backburner. While great strides have been taken in making the quality of voice equivalent to that of the switched networks, security has been the least of priorities. However, it is heartening to know that capturing data packets between two gateways needs a superior degree of knowledge (of algorithms and protocols) and tools.

All the popular VoIP protocols have well-defined security features. Despite this, implementing them has for long remained the prerogative of the vendors. At a time when enterprises are becoming serious about IP telephony, security will resurface as the most important feature that they would want. Without it, it is not just the organization that is at risk, but also its customers, vendors, and suppliers.

Vendors such as Cisco, Avaya and Nortel already have products that have an impressive array of security features. Cisco's VoIP solution for SIP comes with a proxy server and a firewall. In fact, Cisco has been at the forefront of pushing the VoIP technology. It has recently launched a slew of products and services. These include software for IP-based teleconferencing systems and gateways that can connect analog phones to a VoIP network.

Admittedly, VoIP is vulnerable, just like any other IP-based technology and vendors seem more preoccupied with QoS rather than security. As the technology becomes popular, telephony theft, hacker attacks and packet-sniffing are expected to pose substantial threats. However, as the technology matures, standards evolve, and adoption rate increases, security features are expected to receive top billing. Already, digital certificates and PKI are being bandied as technologies that can be used in tandem with existing security features for VoIP networks. Once the fine-tuning happens, even its worst critics will acknowledge that VoIP is not all hype.

R. Subha Vivek is a research analyst in Frost & Sullivan's India office.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.