The Top 9 VoIP Threats For 2008

Whether their purpose is malicious, for financial gain or just to prove it can be done, VoIP systems are a walnut that hackers and exploiters can't wait to crack. And as VoIP continues to proliferate into 2008, those threats will only get stronger and more sophisticated, according to Sachin Joglekar, vulnerability research lead for Sipera Viper Lab, a research team bent on identifying ways VoIP can be exploited.

Joglekar said word of some VoIP threats started to spread in 2006, with toll fraud and vishing—a VoIP version of phishing—taking center stage. By 2007, those threats and vulnerabilities began to manifest further. And this year, by many accounts, exploits used to bring down VoIP systems and scam their users will continue to expand, with many exploits being used in conjunction with one another to form an attack powerhouse of sorts.

The biggest VoIP threats and vulnerabilities of 2007 ran the gamut from remote eavesdropping, which entails listening in on VoIP calls—easier in VoIP than with traditional PSTN telephone networks; VoIP hopping, which can allow a PC to mimic an IP phone and could give intruders the ability to access the VoIP system; vishing, which lets hackers spoof caller ID and offer up a fake phone identity; VoIP spam, which is exactly what it sounds like and just as annoying; toll fraud, in which unauthorized users access the VoIP network and finagle free calling while stiffing someone else with the charges; and the Skype worm, which infects the often free, otherwise inexpensive PC-based VoIP service. These threats will continue to make themselves known this year, Joglekar said.

Tim Hebert, president and CEO of Warwick, R.I.-based solution provider Atrion Networking Corp., said VoIP threats have evolved and grown from a "what if?" scenario into a full-blown "what now?" situation. While Hebert said he and his clients have been lucky enough to ward off attacks, he's not resting on his laurels just yet.

"We haven't had any issues with them. Knock on wood," he said. Still, Hebert said Atrion has inherited some clients from other VARs that were ripe for the picking due to poorly designed VoIP networks.

"VoIP is on the early edge, but it's moving from early adopters to the early majority," Hebert said. "There will be more and more threats. It's definitely going to grow."

Mike Cotrone, owner of Greensboro, N.C.-based solution provider Confiance IP Solutions Inc., agreed that the threats are real, but said VoIP security is not yet appearing on many companies' radar screens.

"Anything is possible when dealing with IP," he said. "It's definitely a risk that is out there. If you have a weak link in the chain, anyone can sniff anything off your network."

While Cotrone noted that he's heard no mention of VoIP threats and vulnerabilities from his customers, he said in many cases, it will take one massive outbreak for the reality of VoIP threats to hit home. Still, he said, he recommends customers use VoIP encryption to stave off threats.

"I don't know if there's a true understanding of VoIP-based attacks," he said.

Like Hebert, Sean Johnson, business development manager for Hayes Computer Systems, a Tallahassee, Fla.-based solution provider, said VoIP vulnerabilities and threats aren't something he's encountered too often. Johnson said he has, however, been hired by clients who were hung out to dry by previous solution providers.

"VoIP vulnerabilities overall aren't something we've had to deal with so far," he said, adding they can be avoided by putting VoIP on separate VLANs, behind a firewall and using intrusion prevention.

"The reason people may be scared is they're not implementing the proper security with it. If you get into that kind of situation, you're wide open for an attack on that VoIP system," Johnson said.

Rany Polany, president of PWT-IT Solutions Inc., a Santa Clara, Calif.-based system integrator and MSP, said the trick is to stay one step ahead of potential threats and vulnerabilities.

"We actually deal with it all the time," he said. "A major portion of our revenue is designing and building VoIP systems."

A key to staying ahead, Polany said, is a strong security policy.

"Security policies need to be in place," he said. "When we're dealing with IP, there needs to be a security assessment across the entire network. When moving toward a fast IP environment, any VoIP system needs to have security and policy implemented into that network."

Hebert said tightening up operating systems and ensuring that the VoIP network is locked down is essential. He added that the growing variety of attacks will serve as an eye-opener to many companies, especially since each attack that comes their way has a different intent behind it.

"Half of the attacks out there are just for the challenge of doing something. There's always someone out there racing to be the first to do it," he said. "The other half is either malicious or for monetary gain."

But with VoIP deployments increasing in number, Hebert said he expects to see a shift from the "proving it can be done" phase.

"There's going to be a large element that is purely malicious, looking to sabotage or take down a call system," he said.

Joglekar agreed. "VoIP is going to be looked at as one more tool in [a hacker's] arsenal," he said. "People trust their phones and someone is going to try to exploit that trust."