May 12, 2004
Security Holes Make VOIP a Risky Business
By Jim Louderback
It's the latest technology craze. Turn your phones digital, and use the Internet to bypass pricey long-distance providers. Individuals and businesses can slash phone costs by 50 percent or more, with little or no loss of quality.
But there's a very dark lining inside this silver cloud. VOIP (voice over IP) is just as vulnerable to hackers as other digital networking technologies. But it's just far less protected-which can put your entire company at risk.
According to a prominent networking and security pal of mine-who wished to remain nameless-"SIP is a very weak protocol." It uses edge-style servers, similar to FTP, e-mail and HTTP, to initiate connections between users. According to my buddy, just as hackers have attacked those servers, they're coming after VOIP too.
What sorts of vulnerabilities exist? Let's start with the basics. Because most VOIP traffic over the Internet is unencrypted, anyone with network access can listen in on conversations. That means Willy in the mailroom can overhear your CEO and HR director discuss the latest round of layoffs.
But that's just a start. Hackers can spoof SIP and IP addresses and hijack whole conversations. Imagine a phishing-style attack where your customer ends up talking to an organized crime syndicate in Russia masquerading as your telesales group. Your customer's credit cards, personal information, maybe even Social Security number, gone in a flash.
Or what about denial of service? A hacker could easily flood your SIP server with bogus requests, making it impossible to send or receive calls. Or what about spamming a 4MB file to 4,000 phones? Or transmitting 500 bogus voice mail messages instantly? It can be done. Or imagine having your phone ring forever. You pick up, no answer, hang up, and it rings again. The only way to stop it is to remove the battery. Instant doorstop.
Sure, many of these problems exist with the current switched voice network. But what's different here is the cost of mounting an attack. It's like the difference between junk mail and spam. The cost of postage keeps you from receiving a truckload of junk mail each day, but spam is free—and thus overwhelming.
VOIP is simply streaming e-mail. Traceable, expensive attacks using POTS are anonymous and free over VOIP.
Compared with the world of data, where a mature security infrastructure has evolved—with AV research labs, firewalls and appliances, VOIP is as vulnerable as a mail-order bride.
Even worse, our voice expectations are so much higher than with data. We've come to expect that e-mail and networks will go down occasionally. But phones are inviolate. Business expects a 99.9999 percent uptime for voice networks.
Do others agree that VOIP poses a huge security problem? Based on my informal survey at NetWorld+Interop, yes. Brian Burch, the chief marketing officer of conferencing vendor Raindance, agreed. He was careful, though, to make a distinction between voice over the Internet, and IP-based voice over a secure private network.
Raindance is about to launch an IP version of its popular voice conferencing system, but only over a secure and isolated network. Does Raindance think Internet-based voice is safe? "No, we do not," Burch replied emphatically. "There are not enough layers of security yet."
Kurt Jarvis, a technical engineer at MCI, agreed. However, he pointed to safeguards built into his company's Advantage VOIP product as protection enough. MCI encrypts its voice traffic, making eavesdropping more difficult.
A denial-of-service attack is "possible but unlikely," he claimed, and even if it happened, MCI's UUnet-based network would clamp down and terminate the attack within five minutes. That's fine if you're traversing just MCI's network, but not so great if you cross a boundary.
Ian Grey, a product marketing manager at Foundry Networks, is also worried. "It's absolutely susceptible" to hacks, he said. But he doesn't think a downed IP-PBX is as critical a problem as it once was. "My CEO will just pick up his cellphone" if there's a problem, Grey said.
Sure, you can tell your CEO to use his cellphone, but what about customers? What will you do when hackers demolish your voice network? How will you bring your switchboard and call center back online?
Despite the assurances from MCI and Foundry, I see VOIP and SIP vulnerability as a huge problem. Without a robust security infrastructure, Internet-based voice traffic is vulnerable to all kinds of monkey business. I'm a huge fan of VOIP, and I think it'll change the world. But until we can protect those phones and servers from criminals, I'd recommend caution.
That doesn't mean you can't save money with VOIP. Take a cue from Raindance's Burch and make a clear distinction between public and private networks. IP-based voice should work just fine over your secure corporate network. Just beware. When your pristine voice packets touch the dirty net, all bets are off.