New VOIP Exploits Coming Soon

Experts say VOIP systems' many layers provide more entry points for attackers, even though vendors downplay the risks to avoid "scaring the consumer" away from a growing market. The message for enterprises: Consider security above cost when we

Before long, VOIP systems will be filled with spam, open to hackers and taken down by worms. But security, infrastructure and VOIP vendors say its important to get ahead of the curve, and they encouraged enterprises to consider security first when implementing VOIP systems in a panel Wednesday at Ziff Davis Medias online Virtual Tradeshow on security.

"Weve already seen instances where good-size enterprises had their VOIP infrastructures taken down by a worm," said Chris Thatcher, national practice leader at Dimension Data Holdings, a global IT services firm based in Reston, Va.

"Theres been a lack of security in the design and development of VOIP [voice over IP] systems, and buyers arent taking security concerns into consideration," Thatcher said.

Enterprises instead have focused almost exclusively on price, features and performance, often leaving new VOIP systems open to threats.

According to panelist Andrew Graydon, vice president of technology at security firm BorderWare Technologies Inc., those risks include the common security breaches that enterprises deal with today, including DDoS (distributed denial-of-service) attacks, malicious code, spoofing and phishing.

But enterprises also need to look out for unique-to-VOIP threats such as eavesdropping and "VBombing," where hundreds or thousands of voice mails can be quickly left on a single VOIP console.

Graydon said vendors are loath to admit that these weaknesses exist, let alone that theyve already been exploited.

"Its such a new market, no one wants to scare the consumer," he said. "But I can already go onto hacking Web sites and find script for attacks [on VOIP systems]."

/zimages/2/28571.gifClick here for a Q&A about VOIP and SIP security.

Graydon said a bulk of those attacks can be accomplished at the application layer, which for most major vendors is based on SIP (Session Initiation Protocol). Firewalls and VPNs can adequately handle transport-layer security for VOIP, but he compared SIP with SMTP and HTTP for Web and e-mail applications, which were largely ignored until security issues arose.

"All of the vulnerabilities that exist for e-mail also exist for VOIP," Graydon told prior to the panel. "Lets not make the same mistakes." He said Ontario-based BorderWare is working with major VOIP vendors and telcos to install the companys SIPAssure firewall appliance.

Dimensions Thatcher also spoke about the increased number of holes and layers that must be protected in a VOIP infrastructure.

"By mixing voice and data, and sharing a common infrastructure, there are more ways for attackers to get in," he said. "You cant rely on any one security control as a silver bullet."

And when can enterprises expect attacks?

"Itll be sooner rather than later," Thatcher said. "As the VOIP market grows, hackers and spammers will focus on it more and more."

The panel discussion is archived at and can be accessed for free.

Editors Note: The Ziff Davis Media Security Virtual Tradeshow is run by eSeminars, a division of Ziff Davis Media, parent company of

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.