Security Holes Make VOIP a Risky Business

Thinking of moving your phones to VOIP to save money? Better think again. Today's SIP and VOIP protocols are as vulnerable as an unpatched version of Windows XP.

Its the latest technology craze. Turn your phones digital, and use the Internet to bypass pricey long-distance providers. Individuals and businesses can slash phone costs by 50 percent or more, with little or no loss of quality.

But theres a very dark lining inside this silver cloud. VOIP (voice over IP) is just as vulnerable to hackers as other digital networking technologies. But its just far less protected—which can put your entire company at risk.

According to a prominent networking and security pal of mine—who wished to remain nameless—"SIP is a very weak protocol." It uses edge-style servers, similar to FTP, e-mail and HTTP, to initiate connections between users. According to my buddy, just as hackers have attacked those servers, theyre coming after VOIP too.

What sorts of vulnerabilities exist? Lets start with the basics. Because most VOIP traffic over the Internet is unencrypted, anyone with network access can listen in on conversations. That means Willy in the mailroom can overhear your CEO and HR director discuss the latest round of layoffs.

But thats just a start. Hackers can spoof SIP and IP addresses and hijack whole conversations. Imagine a phishing-style attack where your customer ends up talking to an organized crime syndicate in Russia masquerading as your telesales group. Your customers credit cards, personal information, maybe even Social Security number, gone in a flash.

Or what about denial of service? A hacker could easily flood your SIP server with bogus requests, making it impossible to send or receive calls. Or what about spamming a 4MB file to 4,000 phones? Or transmitting 500 bogus voice mail messages instantly? It can be done. Or imagine having your phone ring forever. You pick up, no answer, hang up, and it rings again. The only way to stop it is to remove the battery. Instant doorstop.


Want to find out if IP telephony is right for your company? Take this Baseline quiz.

Next page: Cost of mounting an attack.