Six burning VoIP questions

Page 5 of 12

3. Is VoIP safe?

VoIP safety is a broad question that touches on many aspects of how IP telephony systems operate, and the various parts of the network VoIP touches, but according to one survey one thing is clear, VoIP technology isn't safe enough for many businesses.

Only half of the IT executives polled recently in a CompTIA study said they think security technology built into corporate VoIP products and services is solid. The survey (of 350 companies with 500 employees or fewer) showed that even wireless technology — often maligned for its security weakness — was held in higher regard than VoIP in terms of security. (Sixty percent of respondents said they trusted security in Wi-Fi gear.)

With VoIP, security concerns among the respondents in the CompTIA survey were not relating just to potential attacks on VoIP gear and software, but the affect a general worm or virus outbreak could have on the quality of IP voice calls. Worms and viruses that flood corporate networks with traffic may cause e-mail delivery to be delayed, slow application response times. But the latency introduced can simply kill an IP telephony conversation.

As for VoIP products, vulnerabilities are popping up more in IP telephony gear and software. Cisco, for instance, over the last 18 months issued nine major vulnerability advisories on products ranging from IP phones and IP PBXs, to routers that perform VoIP processes and functions. These nine warnings — serious enough for the vendor to issue software patches — compares with the two VoIP-related vulnerabilities Cisco had issued in the 18 months prior (July 2005 to January 2006).

Many vendor's IP call processing and messaging products run on top of Linux, Windows, Sun or other server operating systems. Softphones generally run on Windows desktops, while applications such as VoIP-based call center platforms can touch a wide array of other applications. Taking all this into account, Avaya had 25 product security advisories relating either directly to its VoIP products, or affecting underlying software products on which Avaya's technology runs, according to security research Web site Secunia. The Internet Security Systems X-Force vulnerability database has more than 100 entries over the past five years relating to vulnerability reports in VoIP products, applications and underlying protocols.

Some security researchers say the basic technology of some VoIP protocols is by nature hackable or susceptible to denial-of-service or call-interception attacks.

Sheran Gunasekera, a researcher with Scanit, wrote in a report that VoIP call interception can be simple, if targeted against equipment and traffic using non-encrypted, standards-based protocols. Scanit says tests it conducted used standard SIP signaling protocol and Real Time Protocol (RTP) for media transmission.