VoIP: Paying the price for cheap calls

Depending on who you talk to these days, the security issues around IP telephony are either likely to bring about Armageddon or are massively over-hyped.

One man firmly in the former camp is David Lacey, the Royal Mail's director of information security and chairman of the Jericho Forum, an international group of IT user and vendor organisations that focuses on security issues. At the annual Business Continuity Expo in London's Docklands in March, he warned that "an electronic Pearl Harbour-type event will happen in 2006 or 2007" because "new technologies such as VoIP risk driving a horse and cart through the security in our networks".

Lacey's main concern was that companies may rush to take advantage of cheap telephony services without undertaking the necessary due diligence around security issues.

But analyst group Gartner takes a quite different stance. It believes that widely voiced concerns around malicious individuals being able to eavesdrop electronically on IP calls are overstated, not least because perpetrators would need to be hooked up to the same LAN as the IP phone they are targeting. The analyst firm is concerned that organisations will be put off moving to the technology because of hype designed to fuel fears and sell more security products.

So how much of an added security risk does VoIP actually pose and what is the reality between these two differing points of view?

Ian Williams, a research director at Datamonitor, for one, believes that both are correct, just in different ways. On the one hand, he points out that, as head of the Jericho Forum, which aims to both provide security best practice to peers and ensure that vendors are catering to users' needs, Lacey's views carry weight and he has no real reason to exaggerate.

"He's not just being a doom-monger. He's basically saying that people should take time to ensure that they've battened down all the hatches and have looked at the potential security implications rather than moving to VoIP in haste," Williams says.

The issue is that, when voice becomes an application, it also becomes subject to all of the same security threats as other applications on the data network and so, given its key role in enabling business communication, has to be adequately protected.

On the other hand, Williams feels that some of the FUD spread by suppliers with vested interests are both counter-productive and excessive.

"One of the marketing tools that security companies have used is Fud, which has been useful for shifting security solutions. But the problem is that if you go too far, you put people off," he says. Rogier Mol, senior analyst of European IP telephony at IDC, meanwhile, believes that potential security risks around the technology vary according to how it is used. "At the moment, security risks for VoIP and IP telephony aren't high. This is predominantly because most implementations aren't exposed to the Internet right now and most organisations use the technology for internal calls, which is just the same as sending your data internally around the network," he says.

But by 2007, as this situation starts to change and the use of the SIP addresses for IP phones becomes more widespread, leading to their inclusion on collateral such as business cards, so the risks are likely to increase proportionately.

"Using VoIP and SIP over the publicly accessible Internet is inherently more insecure than using a PSTN line, which is based on more proprietary equipment and doesn't go out over the Net. This means that traffic is potentially more open to abuse," says IDC's Mol.

But he agrees with Gartner that the idea of voice traffic being intercepted by a third party is "a bit over-hyped". "It's a theoretical risk, but not very likely because it's difficult to do. If you're on the same internal network, it would be easier as you have to plug into the network and collect voice packets, but you'd still have to put them back together to decipher them," says Mol.

But despite some hype there are concrete examples of VoIP systems being tampered with. Datamonitor analyst Williams recalled an incident where a router was hacked and the perpetrators re-programmed it to insert swear words into conversations going over the line, a scenario that could have potentially damaging consequences for the business concerned.

"While it's only been a one off so far, if people are able to hack into a router and insert things, they'll have the same ability to hack in and copy information, which amounts to a potential confidentiality risk," he says.

But while it may be easier in a general sense to hack into a data network because such skills are more commonplace, traditional switched circuit networks are far from 100 percent secure themselves.

"It's not as if people haven't been able to hack into traditional PBXs or voicemail or commit toll fraud in the past. It requires a highly specialised degree of knowledge, but it is and has been possible," says Williams.

As for fears of Spam for Internet Telephony (SPIT) becoming as much of a nuisance as its email equivalent, James Allen, a principal consultant at Analysys, is sceptical.

"Under UK rules, marketeers aren't allowed to use automated recording machines or you can report them. This limits their activities as does having to pay to make the call, which means that it's only worth their while if they have something valuable to sell. But just as spamming is very cheap for the person doing it because email is free, if, over time, VoIP calls also became free, you might expect many more unwanted messages," he says.

According to Williams, the most likely security threats actually relate to availability and resilience. "One of the biggest inhibitors to the growth of VoIP has been the question of availability. The 'phone service' is seen as much more reliable and doesn't go down nearly as much as the average data network due to the historical time and investment that's gone into research and development," he says.

Another concern is that running voice and data over one network provides a single point of failure if something goes wrong, such as the power supply being cut off.

"If you rely on your data network as your sole source of communication for email, voice, faxes and the like and it's disrupted, you're cut off from the world. So if a denial-of-service attack occurs or network worms create a lot of traffic and dramatically reduce the amount of available bandwidth, it can cause real problems," says Williams.

In the latter scenario, for example, lack of bandwidth can result in latency problems. This causes ongoing conversations to sound garbled or leads to long pauses or echoes that make discussions difficult to listen to. "This is a serious concern when people are moving to VoIP because voice is a valuable application," Williams explains.

Jon Collins, service director at Quocirca, agrees that putting all your communication eggs in one IP basket could be a risky option. "Today, most organisations do about 50 percent of their business through voice, 30 percent via email and 20 percent using paper, so if the network goes down and you're relying on it for voice, you could lose 80 percent of your traffic rather than just 30 percent, which is both significant and serious."

But despite these risks, Collins believes that looking at VoIP and IP telephony as a potential security risk is a misnomer. "VoIP is not a security risk in and of itself. If you're looking at it as a security issue, you've got it the wrong way round. It's no more of a risk than using video-over-IP or calendar management-over-IP," Collins says.

The security issues emanate from people not putting the right level of protection in place not any inherent flaws in the technology itself. "To me, people are the top un-hyped security threat, followed by denial as number two. Too many organisations do risk management by implementing something and finding out what the problems are when things go wrong, but that's more of a psychological issue than a technical one," he explains.

As a result, it is crucial that organisations evaluate the potential security risks before even thinking about implementing any new technology, VoIP included. Mike Gillespie, principal consultant at Advent Information Management, explains: "The secret is not retrofitting security, but designing it into systems from day one. For most people, it's generally about functionality first and security second, but that simply has to change."

A good starting point, says Gillespie, is to evaluate what the organisation intends to use VoIP for and to safeguard it in a way that is commensurate with the impact of any security incident on the business.

"There's no one-size-fits-all approach. It's about implementing controls that are appropriate to what you're using VoIP for and prioritising resources in line with that. So if you're only using it to call a colleague up the road for a chat, it's a very different situation to using it to call a business associate about a top secret takeover, and how you implement your security should reflect that," he says.

VoIP and IP telephony should not be treated any differently to any other part of the organisation's IT infrastructure. The technology should be included in the existing security policy which should specify processes and procedures that are acceptable user behaviour. The policy should also details what practices should be followed in the wake of an incident and the technology that needs to be in place to shield the infrastructure from attack.

The minimum security technology that should be in place includes voice firewalls and content filtering software such as antivirus and anti-spam programs that can undertake deep packet inspection. Encrypting voice traffic is another possibility, while undertaking regular patch management on voice servers is a must. Larger companies that prefer to retain their own VoIP infrastructure in-house rather than use third-party service providers will also need to consider the ramifications of the technology in terms of disaster recovery and business continuity planning.

While it is questionable at this point how many companies would consider removing their PSTN network completely to rely solely on VoIP anyway, should they do choose to do so, they do have choices. "You might need to have a power generator to provide an alternative source of supply in the event of failure, you could go for PSTN fail-over or provide staff with mobile phones so that they can make emergency calls. It's a contingency thing, but you don't have to go overboard. You just have to provide people with options," explains Datamonitor's Williams

In the end it seems that VoIP isn't any more inherently insecure than any other technology. The problem stems from the fact that the potential of VoIP as a revolutionary cost-saving technology has been overhyped — the attention given to security concerns could be seen as a natural realignment. "Some people are saying that, despite the telephony call savings, they won't move to VoIP due to security concerns. But how you secure VoIP should be the same as how you safeguard your data. It just means that rather than having two networks to manage you only have one so rather than making makes life more complex, it could actually become simpler."