Because VoIP is a rapidly developing technology, the focus of many business users and service providers is on functionality. Security measures tend to take a back seat putting both the business’s telephone and data network at risk.
However, says Graeme Victor, CEO of telecommunications solutions company Du Pont Telecom, this approach is dangerously short-sighted in light of known hacking attacks on VoIP users in South Africa, and at least one reported conviction in the United States of a VoIP hacker.
“VoIP offers many advantages to businesses, but it also places new demands on the security of IP networks. A proactive approach is essential and this should start with a risk analysis as the first step in the implementation of measures to protect against attacks,” he adds.
According to Victor, VoIP systems are much more vulnerable than traditional analogue telephone systems because the VoIP system is an open network with signalling and data transmitted over the Internet and the location of the end-devices is not definable. The analogue system, on the other hand, is a closed network with signalling and data transmitted across private networks with end devices in defined locations.
At the same time, the analogue system’s network elements are reliable and controllable while those of the VoIP system are not. Stricter authentication and authorisation are therefore required.
In addition, while ‘old fashioned’ analogue end-devices are safe from attack, VoIP end-devices have the same weak spots as other IT systems.
“The most prevalent threats to VoIP deployment stems from the same threats inherited from the data network environment,” Victor says.
Some of the threats to the VoIP network include:
- Vulnerabilities on standard IP system components such as servers, workstations and network equipment that can lead to the compromise of the VoIP infrastructure either directly or as a platform for an attack on the entire network.
- Vulnerabilities in the configuration and management of VoIP devices. These should always be viewed as an extension of the network infrastructure and thus locked down.
- Threats to the VoIP application which can result in risks that range from Denial of Service (DoS) to identity theft. A successful DoS attack can influence transmission speed so significantly that the end-user perceives the service as not available. DoS attacks can also result in the disconnection of current calls; or preventing the use of VoIP applications such as voicemail.
- Content-based threats that could include unwanted calls, call flooding and attacks against the voice transport service.
- The ability of attackers to bypass certain network protection mechanisms and take over phone calls. This is also known as call hijacking: the connection is reported as unavailable and the call is rerouted.
- The fact that many VoIP devices provide a system management facility via a web management interface which can be accessed via VoIP devices that attackers locate by scanning the network.
- VoIP soft phone software, if not adequately protected, can be manipulated. Dialers, Trojans or spyware may be able to gain access to settings and configurations, enabling an attacker to make telephone calls at a third party’s expense.
- VoIP call interception and eavesdropping is a major challenge. An attacker potentially has the ability to record and replay conversations without the knowledge of the parties involved in the call.
“When migrating from a pure data network to a VoIP-enabled network, the existing network must first be checked as VoIP imposes different requirements than pure data applications. The main VoIP security requirements relate to quality of service and network access and should never be put off or delayed,” Victor concludes.