The VoIP Risk Factor

Still, as VoIP adoption continues to grow, vendors and integrators are stressing the importance of building layers of security into VoIP deployments. Last November, the SANS Institute, in its annual ranking of the Top 20 security threats, for the first time included VoIP servers and phones, in recognition of the fact that collaboration technologies that weave VoIP into messaging systems provide new pathways for hackers to exploit.

The current generation of VoIP technology has transformed the IP phone into an application that can integrate with other enterprise applications, said Krishna Kurapati, founder and CTO of Sipera Systems, a VoIP security software vendor in Richardson, Texas.

VoIP today also extends beyond the network perimeter and facilitates more open access to the network, but that creates new security risks, according to Kurapati. "You're removing the restriction of being only in one place, but opening up vulnerabilities by doing things like connecting to partners via SIP trunks," he said.

With traditional e-mail-based attacks, hackers have relied on being able to dupe users into clicking on an attachment or link containing an executable file. But since VoIP acts as a client and server simultaneously, a phone can be both the source of an attack and the target, which adds to the challenge of securing it, Kurapati said.

"The big advantage of moving to an IP-based telephony network is integration with applications, which is why you find VoIP systems connected to the data network. But these systems definitely need to be protected as much as any server on the network," said Chris Labatt-Simon, president and CEO of D&D Consulting, an Albany, N.Y.-based solution provider.

In some cases, VoIP security issues stem from existing vulnerabilities in the underlying network infrastructure. For example, the Blaster worm affected deployments of Cisco Call Manager running on Microsoft IIS (Internet Information Services) Web servers, said David Endler, director of security research at Marlborough, Mass.-based 3Com and its TippingPoint security business.

In other cases, the vulnerabilities stem from security issues in VoIP protocols. More of these types of vulnerabilities are being discovered in VoIP, not because of careless developers, but because VoIP is being integrated into other applications such as instant messaging, which increases the attack surface, Endler said. In addition, VoIP "fuzzers," or tools that are designed to root out vulnerabilities by bombarding applications with malformed data, also are being used to automate discovery of VoIP vulnerabilities, he added.

Next: Hacking VoIP In addition to causing a denial-of-service situation, attackers can also hack into VoIP systems and gain access to streams and data being transmitted through signaling protocols, said Peter Thermos, CTO of Palindrome Technologies, a Red Bank, N.J.-based security consultancy. This so-called eavesdropping is a major area of concern for VoIP, according to Thermos.

Exploiting softphones on laptops is another way hackers could gain control over a PC and steal confidential information, Kurapati said. This vulnerability affects a part of the VoIP protocol and implementation that can be exploited as a buffer overflow, according to Kurapati.

Microsoft's unified communications strategy will provide hackers with even more avenues for exploiting VoIP vulnerabilities, Kurapati said. Part of the reason is that the software employs scripting mechanisms such as ActiveX, which have been used by hackers in previous attacks, he said.

Peter Bybee, president and CEO of Network Vigilance, a San Diego-based solution provider, said his clients have grown more concerned about VoIP security over the past year. But in light of the trend of hackers exploiting security vulnerabilities for financial gain, and the fact that this type of tactic has yet to be used against VoIP systems, Bybee said that these fears are based more on theory than reality.

"There is certainly the potential for VoIP to be exploited, and the fact is that SIP is a pretty vulnerable protocol. But we haven't had any cases where it has actually happened," Bybee said. "People are afraid of VoIP exploits categorically, but I think it's a somewhat unqualified threat. There just haven't been enough VoIP-specific exploits, and we haven't seen anyone hurt by it."

People too often don't concern themselves with VoIP security because they haven't seen the impact of the threat and won't be convinced until something actually happens, agreed Labatt-Simon. "But it's only a matter of time before we'll see widespread attacks in which confidential information is breached through VoIP systems," he said.

Security experts say the key to protecting VoIP systems—now and in the future—is to carefully consider security requirements during the design phase prior to implementing the technology. Thermos says that he has seen organizations deploy VoIP and then start thinking about security six months or a year afterward. "People need to stop thinking of security as an added cost to a VoIP deployment. If you do your homework early on, before deployment, you'll have security controls in place and be able to assess if they're implemented correctly," he said.

The fact that the VoIP industry is paying more attention to security best practices bodes well for reaction times once VoIP-related attacks do begin to materialize, 3Com's Endler said. "VoIP security is a shared responsibility between vendors, service providers and the integrators that set up VoIP deployments. I would say it's a group effort," he said.