Thumbnail: 

A recent high-profile hacking case involving VoIP operators has once again focused attention on security issues. How widespread the problem becomes, however, could be dictated by service providers' attention to IP security in general

Warnings about inherent vulnerabilities in VoIP services are not new, but until recently they were more theoretical than 'in the wild'. That all changed in June, however, when two alleged high-tech thieves were charged with defrauding unwitting service providers of more than a million dollars.

(For full details of the incident and charges, the court documents are available here)
While the incident has gained attention because it's the first large-scale VoIP fraud to be made public, the more important question is, was it an isolated incident or does it point to a growing trend of attacking VoIP services now that there is a critical mass of users‾ Opinions differ.
VoIP pioneer Jeff Pulver, one of the co-founders of Vonage, believes there is too much hype surrounding the incident. 'I think the theft of minutes from Net2phone was a straight steal and the fact that it was IP minutes is once again getting too much attention,' he told Telecom Asia.
However, there are plenty of experts who believe that there are serious problems that will only grow if security issues related to VoIP are not addressed. David Piscitello, president of network and security consulting firm Core Competence and co-author of the recently published book 'Understanding Voice over IP Security', has noticed a rise in incidents reported through security mailing lists and other forums.

'Increasingly, more VoIP product vulnerabilities are being reported and more inquiries are made about how to penetrate networks through VoIP protocols and SIP/IPBX configurations,' Piscitello said. 'This tells me that VoIP is large enough and there is a financial motivation (eg, toll fraud) to make it a serious target.'

Of course media hype and security do go hand-in-hand, as evidenced by scaremongering about viruses for mobile phones and IM (which is not to say the industry shouldn't pay attention to these platforms). In the case of VoIP, the media focus could also be on the wrong areas, according to David Endler, chairman of the Voice Over IP Security Alliance (VOIPSA) and director of security research for 3Com's TippingPoint security division.

'Lately there seems to be an explosion of press hype around the possibility of hackers exploiting voice over IP networks and services,' Endler said, pointing to areas such as caller ID spoofing, toll fraud, eavesdropping and call hijacking. However, there is less attention given to the threats that can hit any IP data network, including VoIP services, such as denial-of-service attacks, worms, viruses and hacker exploitation.

'Quite honestly [they] are much more serious threats to VoIP networks today,'' Endler said.

Wider threats
Million-dollar security incidents will always become a media incident, but like anything to do with security many hacks will go unreported. And VoIP will be subject to more than just toll fraud. As well as those outlined by Endler, others include spam - going by the more threatening sounding acronym SPIT (spam over Internet telephony) - while hotspots used in conjunction with mobile devices loaded with free voice applications are also particularly vulnerable.

'For instance, a traditional enterprise under a denial of service attack may have experienced slower than average Web browsing for its users. However, in a VoIP network, a denial of service attack could also have the added result of causing the conversations to be unintelligible. By adding VoIP technology to your existing data network, you're also adding new security requirements that need to be addressed: availability, quality of service and privacy.'

Beware of parasites
One person who agrees that the addition of VoIP can exacerbate the inherently insecure nature of IP networks is Keith White, security service director for Lucent's professional services division in Asia Pacific. He suggests that security issues are one of the major inhibitors stopping service providers and organizations from taking up VoIP as widely as they perhaps could.

That's a notion he wants to change, however.

'The biggest challenge we face in the network security business is getting both organizations and service providers to understand the principle differences in a VoIP network over their traditional switched systems,' White said. 'IP networks are inherently insecure, but that doesn't mean we should dump VoIP. We just need to approach VoIP security in the same light we approach regular IP security.'

However, while White believes that service providers can and should offer secure VoIP services, he has less time for some of the free providers like Skype that piggy-back off existing operators - the 'parasitic' providers, as he calls them.

'I think we need to differentiate between true VoIP - provided by major service providers using their own major infrastructure - and parasitic VoIP applications like Skype, Net2Phone, Vonage and others,' said White.

'There is a significant difference between the two. One is installed on an ad-hoc basis by users, with very little quality control and certainly almost no QoS assurance. The other is implemented by professional network integrators and service providers and QoS is monitored and maintained.'
He's no less forgiving of typical wireless hotspots, either. 'Combining potentially insecure VoIP with the insecurity of wireless hotspots - let me just say, I wouldn't be saying anything confidential or anything I wouldn't say on a talkback radio station over such a system.'

White believes that users will turn to some of the encryption technologies on the market today and start to provide their own levels of protection at the end-point. 'These will progressively be built into the applications, but many people will want to control this themselves for the personal assurance that their communications are secure,' he said.

What's to be done‾
While the threats and potential holes are real, most observers believe that VoIP can be adequately secured. In fact, everything that's needed has been in use to secure IP networks for a while, but service providers and organizations are more in need of good policy and procedures.
'Security should be a process and not a product,' says Manish Sablok, director of marketing for voice and applications at Alcatel Singapore, who advocates a layered approach to security. 'The goal of this approach is to introduce multiple security layers to further reinforce the protection of mission critical IP telephony servers. Going through all those layers without being detected by system administrators will be an extremely complex task for hackers,' he suggests.

Darren Day, Asia Pacific director of marketing for global carrier Verizon Business, says the primary challenge is designing a VoIP network with security considerations taken into account from the beginning of the process.

'Many businesses deploy a VoIP network and security becomes an after-thought,' Day says.

'Taking the time to understand organizational requirements and the corresponding security priorities is a crucial first step in any successful VoIP implementation.

He adds that best practices, such as using VPNs for connectivity, robust patch management processes and denying access to IP-PBXs from outside sources, should be applied to VoIP deployments.

Other specific measures are offered by Juniper's Ma, who says that many service providers and businesses are using network virtualization technologies like MPLS or VLAN to separate VoIP traffic from other IP traffic so that unauthorized terminals cannot easily reach VoIP devices. He also recommends using session border controllers to do topology and IP address hiding, and putting call admission control mechanisms in the network to protect excessive call volume in the case of VoIP denial of service attacks.

For Lucent's White, VoIP is just another data stream on an inherently insecure IP network - so special consideration needs to be given to protecting that data stream and the underlying network. He believes that too many network administrators are running VoIP over insecure IP networks without proper security reviews or audits. 'Ensuring that a network is VoIP-ready is critical to successful deployment,' he says. 'This includes a review of all network elements and end-points to ensure that the network is robust enough to run VoIP.'

And as a final suggestion, this one more industry-specific, White calls for better control over those working or offering services in the network security field so that some of the inefficient 'cowboys' can be kicked out. And if you don't think they exist, just refer back to the hacking incident that kicked off this story. As well as running VoIP wholesaler Fortes Telecom, one of the accused had another company called Miami Tech & Consulting that, according to its Web site that was still up at the time of writing, offered VoIP security auditing. Now there's a scary thought.

Security showdown

The bad news

• Experts agree that VoIP security threats are on the rise
• Multitude of threats include everything from toll fraud and eavesdropping to spam and phishing
• Service providers and businesses alike need to prepare their networks to avoid the pain

The good news

• All of the security technology and processes are available today
• Most of the attacks are the same as IP security experts have been dealing with for some time
• VoIP assessment services are rolling out

Assessing the risk
Whether it's a side-effect of increased VoIP security incidents or not, it seems carriers and vendors alike are either rolling out or re-emphasizing their VoIP security assessment offerings. One of the most recent comes from global provider Verizon Business, which claims its service is backed by nearly 300 security professionals.

One of these is the 72-point network security architecture model developed by Bell Labs, which was adopted by the ITU as the x.805 standard. More recently this was adopted by the ISO as ISO-18028 - a methodology for auditing and securing IP networks.
- Geoff Long

Security alliance
One of the most recent security-related organizations to form is the Voice over IP Security Alliance (VOIPSA), which was started last year by some of the leading VoIP vendors, providers and security researchers. According to the alliance, it aims to help organizations understand and avoid VoIP security risks through discussion lists, white papers, sponsorship of VoIP security research projects, and the development of tools and methodologies for public use.

One of its first tasks was the VoIP Security Threat Taxonomy, a framework to help define the many potential security threats to VoIP deployments, services, and end-users. 'Part of the challenge of devising effective VoIP security protections requires identifying the threats in the first place,' said David Endler, VOIPSA chairman and director of security research for 3Com's TippingPoint security division.

Endler told Telecom Asia that the alliance's next projects involve developing best practices for mitigating many of the threats defined in the Threat Taxonomy.
- Geoff Long