Why should potential fraudsters go to all the trouble of launching sophisticated VoIP exploits when even the most basic security has not been implemented? Security is the responsibility of each and every one of us, whether we are users, manufacturers, service providers or resellers.
The real question is how much the industry has moved on in the past two years, what measures have been taken, and whether service providers and resellers alike have learned the lessons from this case.
The McAfee Virtual Criminology report references two specific VoIP threats, namely ‘vishing’ and ‘phreaking’. According to McAfee, fraudsters intend to exploit VoIP services to send voice messages to subscribers in a form of attack known as VoIP phishing or ‘vishing’. Although it is early days for this type of attack, at least two cases of vishing have already been documented, and both stemmed from criminals using social engineering methods over an IP network to steal personal information.
The term ‘phreaking’ first came into use during the 70s in reference to telephone hacking, in which a variety of tones was used to manipulate the exchange into making free calls. Modern-day phreakers use personal computers to hack the Softswitch directly with the same objective. However, the fact remains that it is still much simpler to use well-known computer vulnerabilities to access the identity information needed to make free calls.
We should all be learning lessons from the past to avoid the ‘hack and patch’ cycle, in which network vulnerabilities are addressed on an ‘as needed’ basis. Service providers do appear to be more proactive these days, with security questions ranking high on their agendas, but individuals lag behind in terms of awareness and proactivity. This leaves a huge opportunity for the channel to educate the market so that fraudsters cannot circumvent the network and take aim at subscribers and their poorly protected devices.
In order to improve security we need to address two major concerns – disruption and identity theft. While there is no single, all-encompassing solution to these issues, increased security awareness and education are fundamental. Strong authentication and encryption will be key to protecting user confidentiality, while increased complexity of passwords will further support any security measures. Encompassing all of these measures, the network itself must be architected with multiple layers of defences built in, including the specialised protection offered by session border controllers.
There aren’t many of us out there today who would still leave the house with the front door unlocked when popping out for a few hours. More unlikely still is the idea of leaving the door wide open. Let’s get those doors closed and locked now. You’ve heard the saying that an Englishman’s home is his castle. Well, it’s about time his PC and his phone were too.