VoIP to Avoid?

The authors of a 2004 report from KPMG, titled "Voice over IP - Decipher and Decide", have a word of warning about VoIP: "There is extensive information available from numerous sources including vendors, researchers and the media, regarding the benefits of VoIP and IP telephony. However, there is a distinct absence of information detailing the risks and associated risk management practices. As a result, organizations' preparedness for these new technologies is inadequate."

While KPMG is referring as much to business project risk as to IT security issues, the security-oriented doomsayers are now out in force, ensuring that problem of "absence of information" is being re-balanced. VoIP is vulnerable, they say, and you're either setting yourself up for a fall, or you have to make extra special efforts to ensure security and quality, if you dare implement a VoIP system.

And the naysayers are not all the usual "sky is falling" brigade. Certainly there is a fair share of bloggers and amateur commentators pounding away their stories of doom and gloom, but there are also those in positions of influence, such as the above KPMG report and the US Department of Commerce's National Institute of Standards & Technology (NIST).

As a sample, the KPMG report goes on to say that "Many organizations fail to recognize that with this increased technical complexity comes increased security and availability risks that must be appropriately assessed, and the necessary risk management measures applied."

NIST issued a report, "Security Considerations for Voice over IP Systems" in January of this year, which warns that "Designing, deploying and securely operating a VoIP network is a complex effort that requires careful preparation. The integration of a VoIP system into an already congested or overburdened network could create serious problems for the organization. There is no easy 'one size fits all' solution to the issues . . . An organization must investigate carefully how its network is laid out and which solution fits its needs best."

It goes on to say that: "VoIP systems can be expected to be more vulnerable than conventional telephone systems, in part because they are tied in to the data network, resulting in additional security weaknesses and avenues of attack. . . . Essential telephone services, unless carefully planned, deployed and maintained, will be at greater risk if based on VoIP."

Then kick in the defenders, who say that the security issues themselves are all hype - the supposed problems are, in the real world, largely negligible and no worse than you face with traditional systems.

Gartner, in particular, has responded, with recent presentations in both Melbourne and Washington placing VoIP security top of its list of "five most over-hyped IT security threats". (The others, for the record, are mobile malware, Warhol worms, regulatory compliance as a security measure - ie Sarbanes-Oxley - and unsafe wireless hot spots.)

"Eavesdropping is an over-hyped IP telephony security issue," said Amrit Williams, Gartner's director of information security and privacy. "In many respects, it is easier to eavesdrop with traditional telephony than it is with IP telephony . . . so don't believe the threats of VoIP traffic being 'captured' for nefarious purposes."

Who to believe, and what are the risks?

It's All Hype

One acronym that keeps cropping up within all IT arenas, but particularly regarding IT security, is FUD, for "fear, uncertainty and doubt". Scare tactics have been used ever since war and marketing were invented ("I have more rocks than you and they're bigger than yours"), but it has reached new heights with IT security - and VoIP has been no exception - thus eliciting responses such as those of Gartner and others.

"A lot of the security issues area is a beat-up," says Mark Ames, head of consulting and risk management company ICT Risk as well as former chair of the advisory board of QUT's Information Security Research Centre. "It is almost impossible to intercept conversations or break into the PABX unless someone uses traditional methods to hack into an internal server."

Not that VoIP is without some problems, he adds, just not the security ones: "A bigger issue is cost and ROI, plus the fact that if your network is down, so are your phones. POTS [plain old telephone system] is still more reliable!"

"This chronic over-hyping is misleading and dangerous," says Gartner's Williams. "It costs time and energy to respond to and ultimately only profits the pockets of vendors who are over-hyping threats to push more product. We recommend that companies ask the hard questions before being tricked into urgent action."

Remember the CIA

So what are the hard questions?

FUD and POTS aside, NIST helpfully categorizes VoIP information security risks under the easily-remembered and appropriate acronym of "CIA", which stands for confidentiality, integrity and availability. (The KPMG report shares the categories if not the acronym - see table "VoIP Security Risks and Controls - 'CIA'", page 20.)

NIST lists the risks and vulnerabilities associated with each of these areas:

Confidentiality and privacy - eavesdropping, switch default password vulnerability, classical wiretap vulnerability, ARP cache poisoning and ARP floods, Web server interfaces, IP phone Netmask vulnerability, extension to IP address mapping vulnerability

Integrity of information - extension reassignment, denial of service, security system abuse, sabotage, intrusion, incorrect operations, and specifically DHCP and TFTP server insertion attacks

Availability and denial of service - CPU resource consumption attack without any account information, default password vulnerability, exploitable software flaws, account lockout vulnerability.

Even Williams admits that users should "focus on preventing denial of service on IP telephone servers as this is a more likely threat".

To deal with these vulnerabilities, NIST has a checklist (see http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf for the full explanation) :

» Develop appropriate network architecture.
» Ensure that the organization has examined and can acceptably manage and mitigate the risk to their information, system operations, and continuity of essential operations when deploying VoIP systems.
» Special consideration should be given to emergency services communications [E-911 in NIST's case], because automatic location service is not available with VoIP in some cases.
» Agencies should be aware that physical controls are especially important in a VoIP environment and deploy them accordingly.
» Evaluate costs for additional power backup systems that may be required to ensure continued operation during power outages.
» VoIP-ready firewalls and other appropriate protection mechanisms should be employed. Agencies must enable, use and routinely test the security features that are included in VoIP systems.
» If practical, "softphone" systems, which implement VoIP using an ordinary PC with a headset and special software, should not be used where security and privacy are a concern.
» If mobile units are to be integrated with the VoIP system use products implementing WiFi Protected Access (WPA), rather than 802.11 Wired Equivalent Privacy (WEP).
» Carefully review statutory requirements regarding privacy and record retention with competent legal advisers.

On the measures you may already have in place to cover your data network, NIST warns that "VoIP systems include a variety of other components, including call processors/call managers, gateways, routers, firewalls and protocols. Most of these components have counterparts used in data networks, but the performance demands of VoIP mean that ordinary network software and hardware must be supplemented with special VoIP components. . . . Security measures implemented in traditional data networks are simply not applicable to VoIP in their current form."

Ever the contrarian, in his presentation notes Williams agrees that security measures are not always the same for voice and data networks, but in his case he sees this as a positive for VoIP: "One area where IP telephony security differs from data-only environments is endpoint protection. This is because IP telephony handsets differ from windows-based PCs. To date, IP telephony handsets have not been the subject of hacker attacks, so they do not require the same level of protection as PCs (eg antivirus, anti-spyware, personal firewalls, etc)."

The Users Speak

Those IT and security managers on the shopfloor, and therefore bearing the brunt of all these complexities, vulnerabilities and risks, do not seem particularly perturbed.

Despite NIST's warning, Karl Hanmore, IT security manager for the Bank of Queensland, describes VoIP security as "a different note on an old song".

"If you've got IT security, it's a building block for handling VoIP. The security of a VoIP network is the same as any other IP network - the concept, approach and principles are all the same."

The bank installed what Nick Young, head of technology, describes as "a valuable but modest VoIP implementation" within its corporate HQ a year ago.

Young says they leveraged their existing experience on the implementation, and he definitely feels the benefits achieved (which include integrated telephone directory, expanded voicemail "without blowing costs out", a flexible voice recording system and mini-call-centre capability) outweigh any security concerns and technical implications.

Hanmore says his security unit was heavily involved in the implementation from the beginning, studying everything there was on VoIP issues. He feels the cautious view in the media has some validity, and that "if you apply VoIP without managing it appropriately you could get into problems".

"You need to readjust your method of looking at VoIP, as it is a blending of two different systems."

Overall, though, Hanmore feels it's all about understanding the technology so that you can mitigate the risks. "If security in the bank says no, it doesn't happen," he says.

As a sign of its confidence, the bank is planning to expand VoIP to its interstate offices and selected branches, with the Sydney office acting as a pilot. Later integration of voice with other applications, such as video services, will follow as demand requires.

Andrew Buckeridge, IT director of Western Australian building and construction products and services company BGC, agrees that VoIP security was not a particularly worrying consideration.

"Other technologies can also suffer from sniffing, in addition to man-in-the-middle attacks. The VoIP solution we used would require a man-in-the-middle attack, but this IS traffic is only ever carried by a licensed provider or ourselves," he says.

BGC has connected four sites across Perth with VoIP, but uses standard analog telephones served by a secure VoIP-capable PBX running GNU/Linux.

"The few nodes we have running VoIP all run a secure environment and will only accept VoIP traffic from designated peers. These nodes are also on a separate subnet and there is no routing between PCs and this subnet.

"We haven't completely rejected the idea of VoIP to the desktop, and we keep this option for new small sites where we'll be able to avoid additional voice cabling. However, expectations of a telephone are higher than those of a PC, so we would use embedded IP-capable phones. For larger sites, the IP-capable telephones are still too expensive."

As if to accentuate the users' confidence, at least in relative terms, at the time of writing, a report came out of the dangers of traditional phone systems. Telecom Security, which undertakes telephone system security audits, reported that 70 organizations had been hit in recent telephone hacking attacks with damages topping the multimillion dollar mark.

While these were largely traditional telephone systems, managing director David Stevens told Computerworld magazine that "With VoIP gaining momentum the problem is likely to get worse; just recently one carrier lost $100,000 a day when its VoIP system was hacked."

The FUD just never stops.

NOTE: Karl Hanmore, IT security manager with the Bank of Queensland at the time of interview, has since joined AusCERT as operations manager.
Show Comments