VoIP: Is the tech ready?
Published: 26 Nov 2004 09:45 GMT
How secure is voice-over-IP (VoIP) as a technology platform?
The debate is not new, but the question will remain relevant until this technology reaches the dependability and resilience of existing circuit-switched telephony systems.
There are no quick answers. This is a complex technology that has valid -- and for now, incomplete -- arguments on both sides.
The security vendors that I recently spoke with had their knives out. McAfee chief executive George Samenuk called the VoIP platform "the next big area for attack".
Robert Graham, chief scientist from ISS, is equally leery of the resilience of VoIP. He said in a recent interview that the technology in its current guise is "completely insecure", and that its vulnerabilities will blow up in the same way Microsoft's vulnerable remote procedure call (RPC) allowed Blaster and Sasser to wreck the havoc that they eventually did.
Safe enough?
Unsurprisingly, the VoIP players that I quizzed painted a different picture. Cisco, which had trumpeted its corporate IP telephony platform indefatigably for the past three years, discounted talks about VoIP being unsafe as alarmist. It conceded that VoIP platforms will never be immune to the determined hacker, but emphasised that it would unfair to single out the technology as being a weak link in a long network chain.
"People who criticise the unsafeness of the VoIP platform seemed to have forgotten that people used to attack PBXes before," said Michael Frendo, vice president of voice systems engineering, voice technology group.
"Remember back in the eighties, when the cool hack was to use a signal generator to steal a long-distance line?" he asked. "If you knew what were the right tones to play, you could steal any service. And you could buy a tone generator for fifty bucks each -- easily. The fact is this: people will always find ways to attack."
He continued: "You have to remember that with VoIP, we are building an application that sits on top of a network -- we are not building something from ground up. If you don't secure the network with say, perimeter defence, than the potential of being comprised is the price that you pay for enjoying the flexibility of this technology."
Fair argument. But Frendo's point on VoIP applications being dependent on the resilience of the networks they ride on isn't very comforting.
Given the alarming reports we read daily on PC virus outbreaks, exposed system vulnerabilities and the rise of organised hacking activities like phishing, network security isn't likely to improve very much from current levels in future. And if it doesn't, is that good enough for a telephone system?
Secondly, like ISS' Graham, I am concerned with how the increased exposure to public data networks will hurt VoIP systems as they gain traction. While the backbones of circuit-switched telephone systems are pretty obscure, IP networks are within the reach of thousands of script kiddies and millions of bots that roam the Web each day.
Previous
Did you find this article useful?
37 out of 70 people found this useful
- Share this article:
