Lets Put VOIP on Hold

Opinion: Until better defenses are available against phone hackers and voice spam, hang up.

So you think your buying a VOIP telephone system for your company was really smart? You certainly have reason to: Your users love the tight integration between the phone system, their e-mail, and other PC features. And the chief financial officer loves the "deal" you got on long-distance rates. Everyone agrees: Youre a hero.

Not so fast—and, probably, not for long.

How do you think people are going to feel about your VOIP (voice over IP) system when they arrive one morning to find their voice mail boxes completely filled with voice spam? When they read about hackers listening in on whats being said in peoples offices, even though the phone is still on the hook?

VOIP has been around for a few years and, so far, seems to have been pretty secure. But thats only because the bad guys have yet to turn it into a major target. When they do, life promises to be very different. And not in a good way.

Last week, I moderated another of our eSeminars, this one an eye-opening discussion of VOIP security issues. I say "issues" because there werent too many solutions to discuss.

The panel included Wayne Rash, who writes much of our VOIP security coverage; Andrew Graydon, of the VOIP Security Alliance, a trade group; and Tom Leh, of VOIP Inc. a vendor.

/zimages/5/28571.gifClick here to read more about VOIP security threats.

If youve got an hour, you can watch and listen to a replay of the presentations. I walked away from the event convinced there shouldnt be any more VOIP installations until we have a better idea of how to protect them.

VOIP takes all the security problems associated with PCs and all the security problems associated with the Internet, and throws in a bunch of new telephony hardware, new protocols, and different user behavior and expectations. The possibilities for voice spamming, called SPIT, for SPam over Internet Telephony, ought to give every network administrator pause.

/zimages/5/28571.gifRead more here about the potential for SPIT, or voice spamming.

Then comes eavesdropping, both of phone calls and room conversations, and a whole new set of opportunities for what used to be called phone phreaking.

We really dont know whats possible for the VOIP hacker, but we do know that the hobby hacker has been replaced by the criminal hacker. On things certain: This time phone phreaking wont be a fairly harmless bunch of kids blowing Capn Crunch whistles to get free long-distance calls.

Most people dont realize how secure our telephone network has been. Sure, you get spam phone calls, despite the "no-call" list.

But, on the whole, your hardwired telephone is quite secure, especially the one in your home. Getting at your conversations generally requires a physical tap on your line. Modern cordless telephones can be hacked, but you still have to be close enough to pick up the radio signals.

With IP telephony, an intrusion can be launched from almost anywhere. And even if the VOIP system is well-protected, each PC with a "soft phone" application installed provides a potential door for a hacker to exploit.

On basic principles, I am not wild about running our nations critical telecom infrastructure entirely over the Internet. Or even mostly. There is too much at stake and the network is too insecure and perhaps too brittle for the job.

Despite my grave misgivings, however, VOIP is here to stay. But until we have seen what the hackers can do, Ill keep VOIP away from my network and I recommend you do the same.

/zimages/5/28571.gif Check out eWEEK.coms for the latest news, views and analysis on voice over IP and telephony.