VOIP requires attention to security best practices

New ways to hack VoIP aren’t fatal

VOIP more secure than PSTN

Despite the genuine possibilities of attack, some experts say that VOIP is more secure than the traditional public switched telephone network (PSTN).

"The VOIP system is much more secure than traditional systems," says Ari Takanen, founder and CTO of Codenomicon, which makes software security-testing tools. Speaking at the recent VON Europe 2007 conference, he acknowledged VOIP vulnerabilities, but said they were not insurmountable. "IP systems are more exposed, but you have more security that you can install," he says. "If you don't use it -- that's stupid."

Cullen Jennings, a distinguished engineer at Cisco's VOIP group, who also spoke at the conference, notes that PSTN caller ID is easily spoofed, and toll fraud via traditional PBXs is still common.

Jennings says PSTN reliability -- the availability of dial tone nearly all the time -- is one highly touted measure of the quality of service. But that does not mean the PSTN is invulnerable or even better than VOIP. "I'm not claiming the PSTN does not meet its [reliability] goals," he says, but that has no bearing on whether, for example, caller ID can be spoofed. "If the core network went down doesn't matter if the threat was to caller ID," he says.

Big threats

The top threats to VOIP listed by the VON panel were:

  • Zero day problems for which vendors have not yet issued a fix.
  • Security not being turned on because it is too complex.
  • Vendor-specific vulnerabilities that are not addressed by best practices.

Ultimately businesses will not turn their backs on VOIP because they are worried about security, says Akif Arsoy, a VOIP product manager for Verisign. They will adopt it for integrated voice and data in a converged network. "End users make decisions on what am I getting with VOIP that I'm not getting today with traditional voice?" Arsoy says.

Even so, expect more VOIP exploits to emerge over the near-term, says Thermos, who says he has already identified more signaling protocol weaknesses and implementation vulnerabilities. "We're just touching on the beginnings of many exploits that will be coming down the road," he says.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about AsteriskCiscoGatewayNext Generation Security SoftwareVeriSign AustraliaVIA

Show Comments