Executives from Alcatel, Hewlett-Packard Co., Cisco Systems Inc. and security firm Codenomicon Ltd. agreed that voice running on a company's IP network is just like any other application, with the same kinds of vulnerabilities and similar processes for ensuring security. The problem, they said, is that many companies are not up to scratch on security best practices—a situation that may be acceptable for e-mail and Web systems, but that can only lead to trouble when voice comes into the picture.
"Switching to VOIP broadens the scope of what you have to worry about," said Cisco Technical Marketing Engineer Greg Moore. "It opens up all the problems that affect the Internet, including worms and denial-of-service attacks."
Enterprise IP telephony is distinct from "voice over the Internet" in that it almost always takes place over companies' own managed data networks, and thus is insulated from the vagaries of the public network. For that reason, enterprise VOIP systems are among the easiest to secure, after long-distance bypass systems, according to Alcatel Director of Security Research Francois Cosquer. More complex are residential systems and especially voice over the Internet, he said.
That said, many companies haven't taken basic steps to secure their data networks, said Moore. "When they go to put voice on their network, the telecoms manager is like, 'No way are you putting my voice on your insecure network,'" he said.
The advent of VOIP means well-known exploits such as man-in-the-middle attacks can intercept not just e-mails, but voice conversations with customers or between executives, Moore said. Besides the run-of-the-mill e-mail worms, there will inevitably be viruses aimed specifically at VOIP systems—and even VOIP spam, warned Alcatel's Cosquer.
Then there are software vulnerabilities, an issue that can't be addressed by security protocols or standards, said Ari Takanen, chief executive of Codenomicon. "The problem of software quality is hard to solve. All software will have mistakes, and on the Internet everybody will be kicking it and punching it to find out what those mistakes are," he said. "If you know a vulnerability, you can disable that software from anywhere, at any time, repeatedly." The answer is third-party testing, Takanen said.