EXPLOITS & VULNERABILITIES

VoIP: When Cheaper Could Mean Costlier

Print Version
E-Mail Article
Reprints

By Jack M. Germain
TechNewsWorld
Part of the ECT News Network
04/24/08 4:00 AM PT

It's no mystery why enterprises have fallen in love with VoIP. Long-distance calling for pennies on the dollar -- what's not to love? Unfortunately, security often takes a back seat to savings in VoIP implementation. Just like any other data, VoIP is hackable, and it could turn out to be costly.


Free WiFi Hotspot Locator from TechNewsWorld
Wondering where to find the nearest publicly available WiFi Internet access? Our global directory of more than 100,000 locations in 26 countries is a terrific tool for mobile computer users.

For enterprises, the primary reason for adopting Voice over Internet Protocol (VoIP) phone service is money. Long-distance phone calls placed over the Internet typically cost a mere fraction of those placed under the business rate plans offered by traditional telephone companies.

As a result, the business world is embracing VoIP phone systems for their ability to merge phone lines with the Internet and make enterprise Rackspace now offers green hosting solutions at the same cost without sacrificing performance. Make the eco-friendly choice. communications cheaper and more manageable. However, companies making the switch often fail to consider the higher security Free Trial. Security Software As A Service From Webroot. risks posed by hackers and phishers seeking sensitive corporate data.

Without stringent controls maintained by network New HP LaserJet P4014n Printer Starting at $699 after $100 instant savings. managers and Internet service providers, VoIP communication are just as susceptible to hackers as unsecured WiFi connections to the Internet. A hacker Latest News about hacker could, for example, tap into a corporate VoIP system and listen to confidential calls. Another typical security risk involves hackers slipping into a call center using VoIP and listening as customers give sensitive information like Social Security numbers and financial account information to call center workers.

VoIP security often does not get the attention it needs, and this makes VoIP a potentially hot target for hackers.

"People love the notion of reduced calling costs. VoIP is a great way to reduce costs, but security costs extra. But users don't always want to pay that. Often companies look at reduced calling costs and fail to put security on top of that," Scott Montgomery, vice president of global technical strategy for Secure Computing, told TechNewWorld.

VoIP Highlights

To a computer, a person's voice is nothing more than bits and bytes, just like any other data. It mixes with all other data content when it is transmitted. A VoIP voice packet is transmitted over the Internet in an IP (Internet protocol) data frame.

"This has the exact same vulnerabilities as any other wireless or wired connections. So all the traditional security concerns are present," Scott Palmquist, senior vice president of product management for encryption provider firm CipherOptics, told TechNewsWorld.

He compared VoIP users' view of phone technology to their views about e-mail E-Mail Marketing Software - Free Trial. Click Here.. E-mail is not secure. However, people usually are not worried about the content of their routine e-mail. Some voice messages are the same way.

"When sending VoIP over the Internet, it is a Wild, Wild West environment . We have no idea of anybody listening in. VoIP over corporate backbone is clearly a level of more security, but the threats are identical," Palmquist noted.

Not Ma Bell

People generally expect privacy when picking up a phone and making a call over a traditional landline. Security risks in that case are generally very low, Palmquist said.

There is always the potential for telephone company workers listening in to private conversations. Generally, however, phone users know that phone taps are not common occurrences unless executed by law enforcement.

"Now we expect that same level of privacy over VoIP. But voice is part of a data packet. We don't know where that packet is going. VoIP does not have the same level of privacy," Palmquist warned.

Newness at Fault

A lot of the security issues are similar to the response people have about using unsecured wireless connections. VoIP, like WiFi, is a relatively new communications option.

"VoIP is still in the early days of development. The technology bridges traditional telco and Internet uses," Adam O'Donnell, director of emerging technologies for messaging security firm Cloudmark, told TechNewsWorld.

Because of its newness, the threat of intrusion is very significant, he added. Unlike using a computer, phone equipment has no tools to alert users about a virus or other threat is present.

How do you know when a call is insecure, he said. VoIP phones do not have monitoring tools. This makes the threat more difficult because there is no interface to monitor.

"VoIP is based on the concept that it is easier to make it work than to make it work securely. None of its inventors had security in mind," added Montgomery.

Threat Categories

Users of VoIP technology have to navigate around four types of threats. An enterprise's IT managers and VoIP service directors can see a listing of the types of hacker tools available on the Internet for compromising VoIP communications here. This same Web site provides details on protective tools to identify VoIP risks on a particular network.

  • Social threats include misrepresentation, theft of services HostMySite.com: Managed Dedicated Linux Hosting + 24x7 Service & Support and unwanted contact. Hackers who tap into a VoIP connection pretend to be somebody else on the call. This allows the intruder to use the company's phone network for his or her own purposes and gain access to others in the phone directory.

  • Eavesdropping gives a hacker the opportunity to listen to conversations and acquire information as the calling parties conduct business. Hackers can monitor for call patterns and track specific types of call purposes. Once a hacker eavesdrops, he or she can monitor for specific types of calls, record the call and capture any information transmitted along with it.

  • Service abuse is the third type of VoIP threat. This is where hackers can execute general denial of service and distributed denial of service (DDoS) attacks or target a VoIP-specific DoS attack.

  • Perhaps the most dangerous VoIP threat is an interception and modification attack. One trick, called "call black holing," prevents or terminates a communication.

    Call rerouting is any unauthorized redirection of a VoIP transmission to divert communication. Fax alteration is a trick that allows a VoIP hacker to intercept a fax sent over VoIP to alter the data during transmission. Another tactic, conversation reconstruction, is a technique for collecting, duplicating or extracting information on the audio content of a VoIP conversation.

Security Prognosis

A very successful scam affecting VoIP users is an adaptation of the classic e-mail phishing scam, according to CloudMark's O'Donnell. Phishers use fake phone numbers for businesses to lure victims. When the victim calls the number, he is asked for pertinent account information to continue.

"Because people are not used to questioning phone numbers, they trust the connection. The same old saying about security on the computer must apply to VoIP: trust or verify," said O'Donnell.

Phishers will continue to find new ways of attacking VoIP users. VoIP will be one area of attack for them, he said.

"Anything over the Internet remains a place were vigilance is always needed," O'Donnell concluded.

Social Networking Toolbox:
Talkback: Be the first to comment on this story.

Print Version E-Mail Article Reprints More by Jack M. Germain   RSS

Related News Alerts

Hacker Activate Alert | Search Archives
Don't miss a story -- sign up for our FREE e-mail newsletters and view the latest headlines at a glance.
Tech News Flash [ View Sample ]
E-Commerce Minute [ View Sample ]
ECT News Network Weekly Newsletter [ View Sample ]