Internet telephony systems are becoming popular as businesses begin to see value in converging voice with other data applications such as presence, conferencing and e-mail. But many companies are unaware of the additional security baggage that voice brings along with it.
"Do not assume that because you have network security covered that you also have IP telephony covered," said Elizabeth Herrell, a vice president with Cambridge, Mass.-based Forrester Research Inc.
Once voice is converged with data on the network, a company's voice systems are suddenly vulnerable to many of the same kinds of attacks that occur on the data side.
Phones can suddenly become destinations for spam. Hackers can target phone systems with denial of service attacks, or program a company's phones to call other businesses, shutting down the second company's phone systems. People can spoof a phone's IP address and make calls that are billed back to the company. And as with a traditional phone system, calls can be intercepted and listened to.
There hasn't yet been a widely publicized attack on a voice system, but Herrell said she is certain attacks have occurred. As these systems become popular and as the underlying technology becomes more readily available, attacks are likely to increase in frequency and in their creativity, said Dan Golding, a senior analyst with Midvale, Utah-based Burton Group.
When the Franklin W. Olin College of Engineering, based in Needham, Mass., deployed Voice over Internet Protocol (VoIP) three years ago, the technology still had plenty of kinks in it, said Olin CIO Joanne Kossuth. But even from the start, security was a priority.
Because of concerns about attacks on Microsoft-based Web servers, the college decided to curtail much of the functionality on its phones. It uses no Web-based services and only uses basic features such as address books and unified messaging.
"Every time you run a Web-based service in a device, if it happens to be a Windows-based system, it becomes more vulnerable," Kossuth said. "It's just the easiest thing to get scripts to attack with."
At the time, VoIP systems often used proprietary protocols, and even where standards such as Session Initiation Protocol (SIP) were incorporated, vendors were forced to add proprietary features to the emerging standards to increase the phone's feature sets. Now most systems are based largely on SIP. And because of that standardization, businesses may see increasing attacks, Golding said.
In addition, open source IP private branch exchange (IP PBX) software can now be downloaded from the Internet for free, thanks to Huntsville, Ala.-based Asterisk. Such freeware makes VoIP technology easily accessible to hackers who can then experiment with SIP to develop more effective attacks, Golding said.
SIP phones can also now be purchased inexpensively, further opening the protocol to examination, said Doug Bundgaard, security management portfolio leader for the enterprise multimedia security group at Nortel Networks Ltd.
"Defense through obscurity will go away quickly," he said.
But that is not to say that the vulnerabilities outweigh the benefits. Kossuth said her system has been a worthwhile investment. And there are several steps that businesses can take to ensure that their systems are better protected.
Employees should have to log into IP phones just as they would a PC to ensure that users are authenticated, Herrell said. That can also help to detect spoofing since the system will know if the same user is logged on in more than one location.
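The concurrent-login check described above can be sketched as detection logic over phone login events. This is an added example, not code from the article or from any vendor's product; the event format (timestamp, user, source address, login lifetime in seconds, with 0 meaning logout) and every sample value are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events: (time, user, source address, lifetime in seconds).
# A lifetime of 0 models an explicit logout from that address.
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "10.1.20.15", 3600),
    ("2024-05-01T09:05:00", "bob", "10.1.20.22", 3600),
    ("2024-05-01T09:20:00", "alice", "203.0.113.50", 3600),  # second location, first still live
    ("2024-05-01T09:30:00", "bob", "10.1.20.22", 3600),      # refresh from the same phone
    ("2024-05-01T10:00:00", "carol", "10.1.30.8", 600),
    ("2024-05-01T10:30:00", "carol", "10.1.40.9", 600),      # earlier login already expired
    ("2024-05-01T11:00:00", "dave", "10.1.20.30", 3600),
    ("2024-05-01T11:01:00", "dave", "10.1.20.30", 0),        # logout
    ("2024-05-01T11:02:00", "dave", "10.1.50.4", 3600),      # clean move to another desk
]


def find_concurrent_logins(events):
    """Return (time, user, new_source, other_live_sources) for overlapping logins."""
    active = {}  # user -> {source address: expiry time}
    alerts = []
    for ts, user, src, lifetime in sorted(events):  # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        sessions = active.setdefault(user, {})
        # Forget logins whose lifetime has run out, so a normal desk move is not flagged.
        for ip in [ip for ip, expiry in sessions.items() if expiry <= now]:
            del sessions[ip]
        if lifetime == 0:
            sessions.pop(src, None)
            continue
        others = sorted(ip for ip in sessions if ip != src)
        if others:
            alerts.append((ts, user, src, others))
        sessions[src] = now + timedelta(seconds=lifetime)
    return alerts


if __name__ == "__main__":
    for ts, user, src, others in find_concurrent_logins(EVENTS):
        print(f"{ts} {user}: login from {src} while still logged in from {', '.join(others)}")
```

Refreshes from the same address, expired logins and explicit logouts are not flagged, which keeps the alert focused on the same identity being live in two places at once.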
Servers should be hardened to avoid unwanted vulnerabilities, Bundgaard said.
Depending on the value of the voice traffic, encryption may be an important step to make eavesdropping on conversations harder, said Jeff Posluns, CEO of Montreal-based SecuritySage Inc.
Patch management is also very important with voice systems, Golding said. Many businesses have traditionally updated their voice systems only when necessary to add new features. But with VoIP, it is very important to install updates and patches as they arrive and to instill that as a priority with those groups that handle voice, he said.
As with VoIP systems themselves, security is evolving, Kossuth said. She continues to make adjustments to her systems as the nature of attacks changes and as the technology itself changes.
VoIP's next big step is toward wireless. Phones that can roam between Wi-Fi and cellular systems are on the way and will place further roaming and security challenges on VoIP systems.
"Our approach is always evolving," Kossuth said.