VoIP was designed with reliability, interoperability and quality of service as its core priorities, and as such, security has generally been a secondary concern in early VoIP implementations. Unfortunately, VoIP suffers from a number of overarching security issues, including:
- Transmission over IP / Internet – Since VoIP utilises the same infrastructure as data services, it suffers from the underlying data security problems as well as problems unique to VoIP.
- VoIP does not have a standardised protocol for sending & receiving information. Different protocols exist (e.g. SIP and H.323), though many devices support more than one. This increases the chance that poorly written applications / implementations will be exploited maliciously.
- Security may reduce Quality of Service (QoS) – Security measures may add to the data being transmitted in a VoIP session, thus increasing the risk of lower quality of service due to network congestion.
Case study – Theft of VoIP calls
One of the few publicised VoIP breaches involved the theft of VoIP services from 15 IP telephony companies by a Miami man, Edwin Pena. Pena hired a hacker to infiltrate the providers’ VoIP networks and force them to accept routed calls from Pena’s own IP network. He then sold VoIP call time at highly discounted rates to customers for profit.
The attack utilised vulnerable networks of non-phone organisations to propagate customers’ VoIP calls. A brute-force attack identified authorisation codes of the VoIP providers, which Pena then fraudulently used to authorise his clients’ calls.
Although only a few security incidents relating directly to VoIP systems have been publicly reported, securing a VoIP solution is an important task for all organisations deploying such technology, in order to mitigate the VoIP-related risks and threats highlighted later in the Threats section of this site. Security is an essential consideration when looking into VoIP as a new technology investment, and should be a fundamental requirement for an SME that has already implemented a VoIP solution (or is in the process of doing so).
The scope of information security used in this booklet is based on the “CIA” acronym, covering:
- Confidentiality – ensuring that sensitive data is safeguarded from prying ears, and ensuring the privacy of conversations.
- Integrity – detecting whether information has been altered (maliciously or accidentally), and assessing whether the voice message data can be trusted and relied upon as authentic.
- Availability – ensuring reliable and timely access to voice data and resources.
One of the challenges highlighted by the addition of a VoIP system into an SME’s technology environment is the dependency on a single communication network. If VoIP becomes the sole land-based telephony solution, the uptime of the Internet / Broadband connection may become critical to the organisation, as it then carries the majority of communication links for a business (email, web and telephone). This may drive the need for a higher-grade Internet / Broadband service, and such changes will need to be factored into any cost savings associated with the move.
Most organisations will elect to have (non-VoIP) mobile telephone services and a PSTN phone available in the event of Internet access failing.