VoIP: Can we talk?

BT, meet your newest competitor, voice over internet protocol (VoIP).

The technology, just a few years old, is growing up fast as enterprises and home users abandon traditional telephone lines so that they can converge voice and data communication onto one network - and significantly cut costs in the process.

VoIP provides noticeable upgrades from the traditional private branch exchange. It accommodates mobile workers, carries a lower network cost of ownership and offers a viable reason to replace aging telephony equipment with enhanced features such as teleconferencing and other multimedia applications, according to Internet Security Solutions (ISS), a US-based company offering a VoIP intrusion prevention system.

In a report published earlier this year, analyst firm Yankee Group predicted that the global business VoIP market will grow from $840 million (£440 million) at the end of last year to nearly $3.3 billion (£1.7 billion) by 2010. Chris Liebert, a senior analyst at the US firm, says an estimated 39 per cent of organisations have already deployed VoIP, 28 per cent plan to do it in the next year, and 11 per cent in the next two years.

But clearly not everyone is sold, admits Liebert: 21 per cent of companies still have no plans to have their telephone calls routed over high-speed internet connections. "You'd think it would be more ubiquitous. This begs the question: 'Why are so many people hesitating?'"

Genuine concerns over security could play a big part. "If you're going to introduce VoIP into a corporate environment, it's going to have an impact on that environment," says Jeffrey Stern, vice-president of business development at LAN security outfit KoolSpan.

Because it inherits the same security IP characteristics that affect its data counterparts, internet telephony is subject to service disruptions that could grind business to a halt. "It's one thing to lose your email," points out John Wheeler, director of global deployment and integration for managed services at ISS. "It's an entirely different matter to lose your entire in- and outbound communication with your clients."

Nuisance attacks, such as distributed denial-of-service assaults against phones and signalling proxies, are the likeliest problem to affect enterprises that have deployed VoIP. Attackers can generate thousands of signaling messages against one phone by manipulating the session initiation protocol, the standard for launching a VoIP session.

"I can target the phone and send 10,000 invites (requests to initiate calls) against one voice-over-IP phone," says Peter Thermos, a consultant and founder of the Voice over Packet Security forum, an online community dedicated to sharing internet telephony information. "It will occupy the phone for the duration of the attack. Your phone will keep ringing and ringing and ringing."

Intercepting voice packet transmissions between callers, which permits eavesdropping, could soon hit the VoIP community. Phil Zimmermann, who created groundbreaking email encryption software known as Pretty Good Privacy (PGP) in 1991, is a strong advocate of VoIP encryption - so much so that he recently launched Zfone, which provides secure telephony for the internet. His new software contains a cryptographic key exchange between the two parties talking that does not rely on servers. The keys are created at the start of the call and destroyed at the end.

Zimmermann admits that the wiretap threat model for VoIP is more expansive than for the public switched telephone network (PSTN). For example, an office PC might be infected with spyware, allowing it to capture voice packets, store them as a WAV file, organise them and let hackers "pick and choose who they want to listen to".

"The manifest destiny of VoIP is to replace the PSTN," he claims. "Anyone could wiretap your company. Criminals around the world will attack it with the same vicious zeal we now see being used to attack the rest of the internet."

Golden opportunities

Because it is still in its formative years, VoIP has yet to offer a worthwhile attack vector for profit-driven hackers. However, as more people deploy the service, it will become increasingly susceptible to the scams that are already targeting data networks.

Spit, or spam over internet telephony, is likely become the new avenue for sending vast numbers of unsolicited voice messages, a natural progression of email spam and bulk faxing.

VoIP phishing, where unknowing recipients are contacted via telephone, may also gain in popularity. Some scammers are already using VoIP lines to pose as a financial institution, in conjunction with spam emails requesting that recipients call a number to verify account information.

Viruses and worms designed to attack internet telephony have yet to make their mark, but are probably not too far off. VoIP malware may begin to propagate as soft phones, equipped with multimedia functions such as video, become more prevalent, Liebert says.

"VoIP is sensitive to delays and latency, so if you're doing this across a local area network or the internet and there is a virus moving around, that could cause a problem in service," says Gus de los Reyes, lead security architect for VoIP services at AT&T.

Yet experts warn that simply exploiting vulnerabilities within the operating system could be all it takes to unleash a damaging payload.

"If you can compromise the Windows operation the call manager relies on, there's no point in performing complicated VoIP attacks because you already own that box," explains David Endler, director of security research at IPS provider TippingPoint.

Liebert recommends that companies running VoIP systems have a solution in place to block threats, such as a multilayered VoIP-enabled intrusion prevention device.

Firewalls may not be effective because users open up ports on a firewall to complete calls, KoolSpan's Stern points out. "You opened up the firewall for another reason, and some malicious attacker drives his traffic through," he says. "Basically, the firewall becomes a screen door and, at that point, it could be penetrated by a rogue interest. This is one of the fundamental challenges an enterprise has to deal with when it considers bringing in VoIP."

In all forms of internet technology, security often takes a backseat to a market rush or a push to include features, says Endler. VoIP is no different, and manufacturers and providers must follow best practices, especially in the case of a managed solution, when a provider takes on the security burden for the client.

"The responsibility should be on the product vendors and the providers," Thermos says. "The product vendor may support a feature, but the provider may not implement it for various reasons."

- Visit www.scmagazine.com/us/podcasts to hear encryption pioneer Phil Zimmermann discuss the emerging VoIP threat landscape.

PROTECTING VOIP IN THE ORGANISATION

While standard perimeter security measures may provide some safety for organisations deploying internet telephony, companies must implement voice over internet protocol-specific security solutions to protect their networks.

Companies cannot count on vendors to patch new vulnerabilities. They must have measures in place to combat threats as VoIP becomes more attractive to cybercriminals.

There are several ways for companies to shield themselves from popular VoIP threats such as denial-of-service attacks, eavesdropping, spam and call-spoofing:

- Deploy a VoIP-enabled firewall and a host-based intrusion prevention system to protect the IP-PBX (private branch exchange) from attacks

- Segregate VoIP traffic from other internet traffic by using virtual local area networks (VLANs)

- Strengthen access controls by requiring employees to log onto IP telephones before making calls

- Harden VoIP-specific servers

- Implement encryption software.