A controversial series of articles about VOIP came across my desk over
the weekend; I am sharing them with you to get some opinions on the
topic.
Lisa
Let's Put VOIP on Hold
By David Coursey May 17, 2005
Opinion: Until better defenses are available against phone hackers and
voice spam, hang up.
So you think your buying a VOIP telephone system for your company was
really smart? You certainly have reason to: Your users love the tight
integration between the phone system, their e-mail, and other PC
features. And the chief financial officer loves the "deal" you got on
long-distance rates. Everyone agrees: You're a hero.
Not so fast-and, probably, not for long.
How do you think people are going to feel about your VOIP (voice over
IP) system when they arrive one morning to find their voice mail boxes
completely filled with voice spam? When they read about hackers
listening in on what's being said in people's offices, even though the
phone is still on the hook?
VOIP has been around for a few years and, so far, seems to have been
pretty secure. But that's only because the bad guys have yet to turn
it into a major target. When they do, life promises to be very
different. And not in a good way.
Last week, I moderated another of our eSeminars, this one an
eye-opening discussion of VOIP security issues. I say "issues" because
there weren't too many solutions to discuss.
The panel included Wayne Rash, who writes much of our VOIP security
coverage; Andrew Graydon, of the VOIP Security Alliance, a trade
group; and Tom Leh, of VOIP Inc. a vendor.
[Lisa notes: See another article today here regards VOIP security threats.]
If you've got an hour, you can watch and listen to a replay of the
presentations. I walked away from the event convinced there shouldn't
be any more VOIP installations until we have a better idea of how to
protect them.
VOIP takes all the security problems associated with PCs and all the
security problems associated with the Internet, and throws in a bunch
of new telephony hardware, new protocols, and different user behavior
and expectations. The possibilities for voice spamming, called SPIT,
for SPam over Internet Telephony, ought to give every network
administrator pause.
[Lisa notes: We also talk about SPIT {or VOIP spam} in this issue and
the potential for SPIT, or voice spamming.]
Then comes eavesdropping, both of phone calls and room conversations,
and a whole new set of opportunities for what used to be called phone
phreaking.
We really don't know what's possible for the VOIP hacker, but we do
know that the hobby hacker has been replaced by the criminal
hacker. On thing's certain: This time phone phreaking won't be a
fairly harmless bunch of kids blowing Cap'n Crunch whistles to get
free long-distance calls.
ost people don't realize how secure our telephone network has
been. Sure, you get spam phone calls, despite the "no-call" list.
But, on the whole, your hardwired telephone is quite secure,
especially the one in your home. Getting at your conversations
generally requires a physical tap on your line. Modern cordless
telephones can be hacked, but you still have to be close enough to
pick up the radio signals.
With IP telephony, an intrusion can be launched from almost
anywhere. And even if the VOIP system is well-protected, each PC with
a "soft phone" application installed provides a potential door for a
hacker to exploit.
On basic principles, I am not wild about running our nation's critical
telecom infrastructure entirely over the Internet. Or even mostly.
There is too much at stake and the network is too insecure and perhaps
too brittle for the job.
Despite my grave misgivings, however, VOIP is here to stay. But until
we have seen what the hackers can do, I'll keep VOIP away from my
network and I recommend you do the same.
Check out eWEEK.com's VOIP & Telephony Center for the latest
news, views and analysis on voice over IP and telephony.
Copyright 1996-2005 Ziff Davis Publishing Holdings Inc.
[TELECOM Digest Editor's Note: Next, Lisa presents an article on
security concerns when you install VOIP. PAT]
Lisa Minter (lisa_minter2001@yahoo.com)