
VoIP Security: Get the Facts

What is VoIP?

VoIP stands for Voice over the Internet Protocol and is also referred to as IP telephony. This technology allows users to make phone calls that travel as information packets over the Internet rather than over traditional public switched telephony circuits, also known as “Plain Old Telephone Service (POTS)” or analog telephones. VoIP is still an emerging technology, but it is swiftly being adopted by organizations and consumers.

What are the benefits of IP telephony?

Experts believe IP telephony will transform the telecommunications industry. Commercial use is rising because IP telephony is typically more efficient than traditional telephone service. Competition is forcing carriers to consider VoIP because cable companies and other providers are luring voice customers with this cheaper Internet-based service. IP telephony usage will soar when consumers adopt WiFi cell phones, and promises to become ubiquitous when wide-area wireless technologies, such as WiMax, are commonplace.

39 percent of organizations are already using VoIP and 28 percent plan to deploy the technology within the next year. By 2010, the VoIP market will be a $3.3 billion business. - Yankee Group

Can VoIP phones be impacted by cyber security threats?

Because VoIP depends on the Internet for its operations, it is subject to the same vulnerabilities and attacks that are typically associated with Internet usage.

An example of one of these shared vulnerabilities is a denial of service attack, which congests a network with illegitimate traffic. This prevents network access for e-mail, Web services and other business processes, including VoIP calls. As with regular usage of the Internet, network congestion can easily degrade the quality and performance of VoIP phone calls, and users may experience delays and broken, intercepted or even dropped calls.

Another example is phishing. The same techniques used to steal identity information over e-mail are being used over VoIP. Criminals spoof caller identification information so it looks like the call is coming from a legitimate organization and then ask the call recipient for identity information.

Ensuring cyber security is a challenging process and, if an organization’s cyber security policy is inadequate, attempting to integrate VoIP into an existing network can create additional vulnerabilities.

What are some of the unique security considerations for IP telephony?

There are a number of specific security vulnerabilities unique to IP telephony including:

  • Caller ID services, including those used by first-responder organizations such as local fire and police departments, have been shown to be easily bypassed or subverted by IP telephony.
  • Automated tools can easily drop SPIT, the IP telephony version of spam, to any and all voice mail boxes in a given range of the provider, address space or area codes.
  • Voice mail boxes can be broken into by Internet users. Voice mail messages, essentially each a computer file, can be hijacked, utilized or played back to an unlimited audience.
  • Conversations over IP, many in the same file format, can be recorded, duplicated and quickly distributed to anyone beyond the original audience.
  • Wireless devices will further complicate the issue of IP telephony security, much in the same way that old, analog cell phones could have been “tapped” by anyone with a radio scanner.
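The SPIT bullet above describes automated delivery to every mailbox in a range. As an added example (not part of the original page), this detection logic flags that pattern in call detail records; the record fields, caller names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed call detail records: (epoch_seconds, caller_id, dialed_extension, duration_s)
SAMPLE_CDRS = [
    (1000, "sip:alice@example.test", 2104, 180),
    (1030, "sip:bulk@example.test", 2100, 21),
    (1034, "sip:bulk@example.test", 2101, 20),
    (1039, "sip:bulk@example.test", 2102, 21),
    (1043, "sip:bulk@example.test", 2103, 20),
    (1048, "sip:bulk@example.test", 2104, 21),
    (1052, "sip:bulk@example.test", 2105, 20),
    (1500, "sip:alice@example.test", 2250, 95),
    (4000, "sip:bob@example.test", 2100, 300),
    (9000, "sip:bob@example.test", 2101, 40),
]


def longest_consecutive_run(extensions):
    """Length of the longest run n, n+1, n+2, ... in a set of extensions."""
    ext = set(extensions)
    best = 0
    for e in ext:
        if e - 1 not in ext:          # e starts a run
            length = 1
            while e + length in ext:
                length += 1
            best = max(best, length)
    return best


def find_range_sweeps(cdrs, window_s=300, min_run=5):
    """Return {caller: longest run} for callers that dialed at least
    min_run adjacent extensions within window_s seconds."""
    by_caller = defaultdict(list)
    for ts, caller, ext, _dur in cdrs:
        by_caller[caller].append((ts, ext))
    flagged = {}
    for caller, calls in by_caller.items():
        calls.sort()
        start = 0
        for end in range(len(calls)):
            # Shrink the window until it spans at most window_s seconds.
            while calls[end][0] - calls[start][0] > window_s:
                start += 1
            run = longest_consecutive_run(e for _, e in calls[start:end + 1])
            if run >= min_run:
                flagged[caller] = max(flagged.get(caller, 0), run)
    return flagged
```

On the constructed records, only the caller that walks extensions 2100 through 2105 in under a minute is flagged; the caller who reaches two adjacent extensions hours apart is not.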

In addition, there are a number of policy implications that need to be considered. For instance, VoIP telephony may produce different types and higher volumes of call detail records than conventional phone systems, so providers must determine whether and for how long this data must be stored under applicable laws and regulations. Also, because voice communications are the key enabler of critical government services operated for national security and emergency preparedness purposes, there are several technical and operational issues related to the use of IP telephony that must be thoroughly evaluated.

Does VoIP security impact consumers?

Consumers and businesses have over time come to expect a very high quality of service from traditional telephone services. The challenge with VoIP is to deploy the service so that users can enjoy comparable levels of security without degrading performance both in call set up and voice relay functionality (no latency). Unless this is achieved, there will be little benefit to VoIP over traditional voice services. Other considerations for consumers include the fact that VoIP systems cannot be used in the event of a power outage without special equipment. In addition, there are threats that can hinder the end user such as SPIT (Spam over IP Telephony), eavesdropping and even voicemail being hijacked.

Is IP telephony protected the same way as Internet applications?

Not all cyber security equipment and applications protect IP telephony because VoIP security demands an extra measure of processing capability. Those demands can overwhelm standard security devices and trigger poor quality of Internet-based voice services. For instance, older firewalls can delay or block call setups, and the use of encryption at individual end-points, rather than at the router or gateway level, can cause unacceptable latency and jitter.

What are the best practices for ensuring VoIP security?

Experts recommend a “multi-layer” policy for VoIP cyber security, just as they do for the rest of the IP network. Strong cyber security requires use of a variety of solutions and processes for particular security issues such as:

  • Software automatically checks new files entering a PC for infection.
  • Asset Management: Used to match inventory against scans for known vulnerabilities; helps pinpoint and fix specific security holes.
  • Authentication: A critical step to ensure appropriate users access reliable data using two-factor authentication and digital certificates.
  • Education: Teaches users why and how to practice security-wise behavior.
  • Intrusion Detection / Prevention: Technologies that monitor content of network traffic for infections and block traffic carrying infected files or programs.
  • Encryption: Transforms data into password (key)-protected packets that prevent reading by unauthorized users.
  • Firewall: Blocks unauthorized traffic from entering PCs and servers from the Internet.
  • Patch: Fixes a vulnerability in software by replacing a portion of faulty code.
  • Policy Management: Enforces security rules and regulations of IT systems.
  • Vulnerability Management: Remediates vulnerabilities through scanning devices that identify and patch vulnerabilities, as well as mitigate misconfigurations, unnecessary services, unsecured accounts and malware.

Should the use of IP telephony be avoided because of security issues?

Absolutely not. IP telephony is an extremely promising technology and cyber security should not stand in the way of its further adoption. However, as with Internet usage, the right precautions need to be taken to ensure the safety and reliability of IP telephony.

What does CSIA believe the U.S. government should do to address VoIP security?

In general, CSIA recommends the Executive Branch and Congress consider the impending cyber security issues facing next generation communication and information applications such as VoIP. Because VoIP protocols are more complex than basic Internet protocols, research is needed to learn more about how to protect VoIP from attacks that could exploit weaknesses in the protocols themselves.

Given the rapid advancements being made in VoIP and growing dependence on information technology, government regulatory roles and responsibilities need to be defined for agencies such as the Department of Homeland Security, the Federal Communications Commission and Department of Defense.