Dr. Shashi Phoha, director of the Information Technology Laboratory at the National Institute of Standards and Technology, said she thinks that the growth of VOIP technology brings with it some significant risks that users need to be prepared to address.
“The vulnerabilities are severe,” she said, pointing to a list that included ways to spoof or spy that arent easily available on regular phones.
One of the biggest sources for vulnerabilities is the involvement of personal computers in creating VOIP solutions.
She said that while it may not appear to be that critical, the fact that it can be relatively easy to hack into computers can also expose the phone system to fraud and abuse.
Phohas list went on to address the availability of open source eavesdropping tools, that digital phone calls could be edited by digital voice editors to add, remove or change words without any possibility of detection.
She also said that the government was worried that it would be relatively easy with VOIP phones to bug a room using on-hook audio.
This is a technique in which hackers or spies can turn on the microphone in a VOIP handset while it remains on its cradle.
This way, the phone would appear to be operating properly while actually transmitting every sound within its range to a remote site.
Other things that keep Phoha worried, she says, are the vulnerabilities related to soft phones, which are applications that work like phones, but are entirely software and are run on personal computers.
She said that these phones are vulnerable to worms, viruses and Trojan horses, and could spread these problems throughout the voice network.
A related problem, SPIT (spam over Internet telephony) could make its appearance at any time, she said.
She says that what worries her the most, however, are “attacks we havent thought of yet.”
Phoha made her remarks at a panel discussing VOIP held at the National Press Club on Monday.
Phoha said that its possible to combat some of the threats her organization is finding by careful design and risk analysis.
She said that risk can also be reduced by using encryption of the voice traffic, and by using VOIP-specific intrusion detection systems and firewalls.
She also advocated keeping data traffic and VOIP on logically separate networks. She noted that her group is also working to develop new security architectures for use by the government, but that commercial and private users should also consider following the NIST recommendations, which are available on the agencys Web site.