TELECOM Digest OnLine - Sorted: Severe Vulnerabilities Possible in VOIP According to Experts

Severe Vulnerabilities Possible in VOIP According to Experts

Lisa Minter (
Sun, 26 Jun 2005 19:02:30 -0500

By Wayne Rash
April 5, 2005

Dr. Shashi Phoha, director of the Information Technology Laboratory at
the National Institute of Standards and Technology, said she thinks
that the growth of VOIP technology brings with it some significant
risks that users need to be prepared to address.

"The vulnerabilities are severe," she said, pointing to a list that
included ways to spoof or spy that aren't easily available on regular

One of the biggest sources for vulnerabilities is the involvement of
personal computers in creating VOIP solutions.

She said that while it may not appear to be that critical, the fact
that it can be relatively easy to hack into computers can also expose
the phone system to fraud and abuse.

Phoha's list went on to address the availability of open source
eavesdropping tools, that digital phone calls could be edited by
digital voice editors to add, remove or change words without any
possibility of detection.

She also said that the government was worried that it would be
relatively easy with VOIP phones to bug a room using on-hook audio.

This is a technique in which hackers or spies can turn on the
microphone in a VOIP handset while it remains on its cradle.

This way, the phone would appear to be operating properly while
actually transmitting every sound within its range to a remote site.

Other things that keep Phoha worried, she says, are the
vulnerabilities related to soft phones, which are applications that
work like phones, but are entirely software and are run on personal

She said that these phones are vulnerable to worms, viruses and Trojan
horses, and could spread these problems throughout the voice network.

[Lisa notes: And you know, she has good points. Consider how many
computers are 'Zombies' which spend their time attacking other
computers. Would it be that much of a hassle to continue the
'zombification' to include the VOIP terminals on computers? Read my
third article today in this series about SPIT (spam over Internet
telephony) which has begun to make its appearance.]

She says that what worries her the most, however, are "attacks we
haven't thought of yet."

Phoha made her remarks at a panel discussing VOIP held at the National
Press Club a few weeks ago.

Phoha said that it's possible to combat some of the threats her
organization is finding by careful design and risk analysis.

She said that risk can also be reduced by using encryption of the
voice traffic, and by using VOIP-specific intrusion detection systems
and firewalls.

She also advocated keeping data traffic and VOIP on logically separate
networks. She noted that her group is also working to develop new
security architectures for use by the government, but that commercial
and private users should also consider following the NIST
recommendations, which are available on the agency's Web site.

Check out's VOIP & Telephony Center for the latest news,
views and analysis on voice over IP and telephony.

Copyright 1996-2005 Ziff Davis Publishing Holdings Inc.

Post Followup Article Use your browser's quoting feature to quote article into reply
Go to Next message: Lisa Minter: "Spit in Here, Please"
Go to Previous message: Lisa Minter: "Should VOIP be Put on 'Hold' For Now?"
TELECOM Digest: Home Page