When federal law enforcement officials arrested two individuals June 7 for running a scam in which they allegedly sold discount voice-over-IP services delivered secretly over other companies networks, experts who have been sounding the alarm over growing VOIP security issues finally got the proof theyve been waiting for.
According to charges filed in the United States District Court of New Jersey, the two men, Edwin Andres Pena of Miami and Robert Moore of Spokane, Wash., are accused of hacking into the networks of several unnamed companies and effectively hijacking their VOIP bandwidth for resale.
While industry watchers and security vendors have been encouraging companies to make sure that their VOIP networks are protected, a lack of such high-profile instances in which the next-generation communications platforms have been attacked has caused some companies to take a wait-and-see approach.
Experts said that along with viruses and phishing schemes that take advantage of the rapid adoption of VOIP, its likely that other criminal activities will proliferate rapidly.
“I dont see hows theres much doubt on anyones part that hackers will deliver viruses over VOIP and that those attacks are being created as we speak,” said Andrew Lochart, director of product marketing for security applications vendor Postini, in San Carlos, Calif. “If theres an IP-based communications protocol out there that businesses use, like VOIP, people will look for ways to latch onto it, just as they have with e-mail and instant messaging.”
Postini, which markets messaging security applications, is still working on its own technology for helping companies lock down their VOIP systems. However, Lochart said he expects news of such new viruses designed to attack VOIP systems to arrive any day.
Customers requests to the company for help managing this emerging security issue are what have driven Postini to develop such tools, and to believe there is already a healthy market for the products, he said. Once such an attack occurs, he said, federal compliance regulators concerned over the privacy of calls placed over VOIP systems will also come knocking, expecting businesses to have adequate protections in place.
IT consultants are also calling for an increased enterprise focus on VOIP security, saying that some companies are as concerned with battling with their own employees over the technology as they are worried about fending off outsiders.
Just as with the rise of instant messaging software, users are becoming so enamored of consumer VOIP services that they are ignoring corporate policies banning the tools and attempting to log on from their employers networks.
“Beyond all the concerns that businesses have with launching their own VOIP infrastructures, you have these disruptive consumer technologies that can be very hard to keep off the network in the hands of experienced end users,” said Darwin Herdman, senior vice president of managed services at massive consultant Getronics, based in Billerica, Mass. “On the flip side, companies that have the resources are adopting VOIP at a very fast pace because it can drive huge cost savings, and theyre asking our customers, mainly carriers, to help them address a lot of different threats.”
Getronics has specifically identified several VOIP phishing schemes wherein users are encouraged to click-to-call toll free numbers sent to them via e-mail that route traffic to criminals posing as legitimate call center representatives for actual companies. The people answering the phones have trained to sound exactly like the employees working for the companies they are trying to rip off, and stand a good chance of getting private information from unsuspecting consumers they attract, Herdman said.
As a result of such activity, Getronics carrier customers are being asked by their own clients to focus on providing secure IP communications capabilities, not just connectivity. The consultant said this is driving a spike in demand for his companys expertise in the area.
Some experts maintain that the threat of VOIP attacks is already looming and say that they believe that companies are waking up to the problem. Seshu Madhavapeddy, chief executive of Sipera Systems, which markets security applications for use with VOIP, mobile and multimedia communications systems, said attacks are already showing up in the wild and that his company, headquartered in Richardson, Texas, is hearing from a lot of companies it hasnt done business with before.
Just because there have not been widely publicized VOIP security problems doesnt mean that attacks arent already materializing, he said.
“There are already thousands of ways that a network can be exploited, and VOIP networks are no different than others,” Madhavapeddy said. “Theres a lack of awareness and need for education on two fronts; first people need to know that security has to be a consideration from day one when launching VOIP services because the threats are real, and second, they need to know that older data-oriented security systems will not adequately protect their VOIP infrastructure.”