VoIP: When Cheaper Could Mean Costlier
Apr 24, 2008 4:00 AM PT
For enterprises, the primary reason for adopting Voice over Internet Protocol (VoIP) phone service is money. Long-distance phone calls placed over the Internet typically cost a mere fraction of those placed under the business rate plans offered by traditional telephone companies.
As a result, the business world is embracing VoIP phone systems for their ability to merge phone lines with the Internet and make enterprise communications cheaper and more manageable. However, companies making the switch often fail to consider the higher security risks posed by hackers and phishers seeking sensitive corporate data.
Without stringent controls maintained by network managers and Internet service providers, VoIP communications are just as susceptible to hackers as unsecured WiFi connections to the Internet. A hacker could, for example, tap into a corporate VoIP system and listen to confidential calls. Another typical security risk involves hackers slipping into a call center using VoIP and listening as customers give sensitive information like Social Security numbers and financial account information to call center workers.
VoIP security often does not get the attention it needs, and this makes VoIP a potentially hot target for hackers.
"People love the notion of reduced calling costs. VoIP is a great way to reduce costs, but security costs extra. But users don't always want to pay that. Often companies look at reduced calling costs and fail to put security on top of that," Scott Montgomery, vice president of global technical strategy for Secure Computing, told TechNewsWorld.
To a computer, a person's voice is nothing more than bits and bytes, just like any other data. It mixes with all other data content when it is transmitted. A VoIP voice packet is transmitted over the Internet in an IP (Internet Protocol) data frame.
"This has the exact same vulnerabilities as any other wireless or wired connections. So all the traditional security concerns are present," Scott Palmquist, senior vice president of product management for encryption provider CipherOptics, told TechNewsWorld.
He compared VoIP users' view of phone technology to their views about e-mail. E-mail is not secure. However, people usually are not worried about the content of their routine e-mail. Some voice messages are the same way.
"When sending VoIP over the Internet, it is a Wild, Wild West environment. We have no idea of anybody listening in. VoIP over corporate backbone is clearly a level of more security, but the threats are identical," Palmquist noted.
Not Ma Bell
People generally expect privacy when picking up a phone and making a call over a traditional landline. Security risks in that case are generally very low, Palmquist said.
There is always the potential for telephone company workers listening in to private conversations. Generally, however, phone users know that phone taps are not common occurrences unless executed by law enforcement.
"Now we expect that same level of privacy over VoIP. But voice is part of a data packet. We don't know where that packet is going. VoIP does not have the same level of privacy," Palmquist warned.
Newness at Fault
A lot of the security issues are similar to the response people have about using unsecured wireless connections. VoIP, like WiFi, is a relatively new communications option.
"VoIP is still in the early days of development. The technology bridges traditional telco and Internet uses," Adam O'Donnell, director of emerging technologies for messaging security firm Cloudmark, told TechNewsWorld.
Because of its newness, the threat of intrusion is very significant, he added. Unlike a computer, phone equipment has no tools to alert users that a virus or other threat is present.
How do you know when a call is insecure, he asked. VoIP phones do not have monitoring tools. This makes the threat more difficult because there is no interface to monitor.
"VoIP is based on the concept that it is easier to make it work than to make it work securely. None of its inventors had security in mind," added Montgomery.
Users of VoIP technology have to navigate around four types of threats. An enterprise's IT managers and VoIP service directors can see a listing of the types of hacker tools available on the Internet for compromising VoIP communications here. This same Web site provides details on protective tools to identify VoIP risks on a particular network.
- Social threats include misrepresentation, theft of services and unwanted contact. Hackers who tap into a VoIP connection pretend to be somebody else on the call. This allows the intruder to use the company's phone network for his or her own purposes and gain access to others in the phone directory.
- Eavesdropping gives a hacker the opportunity to listen to conversations and acquire information as the calling parties conduct business. Hackers can monitor for call patterns and track specific types of call purposes. Once a hacker eavesdrops, he or she can monitor for specific types of calls, record the call and capture any information transmitted along with it.
- Service abuse is the third type of VoIP threat. This is where hackers can execute general denial of service and distributed denial of service (DDoS) attacks or target a VoIP-specific DoS attack.
- Perhaps the most dangerous VoIP threat is an interception and modification attack. One trick, called "call black holing," prevents or terminates a communication.
Call rerouting is any unauthorized redirection of a VoIP transmission to divert communication. Fax alteration is a trick that allows a VoIP hacker to intercept a fax sent over VoIP to alter the data during transmission. Another tactic, conversation reconstruction, is a technique for collecting, duplicating or extracting information on the audio content of a VoIP conversation.
A very successful scam affecting VoIP users is an adaptation of the classic e-mail phishing scam, according to Cloudmark's O'Donnell. Phishers use fake phone numbers for businesses to lure victims. When the victim calls the number, he is asked for pertinent account information to continue.
"Because people are not used to questioning phone numbers, they trust the connection. The same old saying about security on the computer must apply to VoIP: trust or verify," said O'Donnell.
Phishers will continue to find new ways of attacking VoIP users. VoIP will be one area of attack for them, he said.
"Anything over the Internet remains a place where vigilance is always needed," O'Donnell concluded.