Consider the security ramifications of using VoIP technology

Jonathan Yarden points out the security problems with VoIP and some of the legal and technical issues that complicate its use.

As broadband Internet connections become more common, phone service based on voice over Internet Protocol (VoIP) is rapidly increasing in popularity. In general, most organizations consider VoIP to be a cost-saving way to bypass the telephone companies, particularly for long-distance services.

However, VoIP is certainly no panacea. From the standpoint of Internet security, it's important to keep in mind that VoIP is still an Internet service, so the technology is subject to the same type of problems as any other Internet service. Worms, viruses, and DoS attacks can affect the usability of VoIP services, and the majority of these attacks will be outside the control of the VoIP provider.

In addition, VoIP presents some legal issues, not the least of which is whether we consider VoIP a "pure" Internet service. While the U.S. government doesn't typically regulate Internet services, VoIP could change that.

I'm closely watching VoIP technology for a number of reasons, particularly because I'm interested to see how VoIP and Internet security will intersect. I will say that using VoIP to replace clunky PBX systems has proven to be a great success at many companies. But using VoIP to replace the public-switched telephone network is a different matter entirely.

VoIP has become one of the latest buzzwords for the Internet industry. Because governing agencies can't possibly regulate or control VoIP like traditional land-line phone systems, it's appealing to competitive local exchange carriers (CLECs) as a lower-cost way to compete with the incumbent local exchange carriers (ILECs).

But don't forget that VoIP is an Internet service—and that means no Internet service, no phone service. VoIP differs drastically from land-line telephone systems, despite claims from companies and governments insisting that they're identical services.

For example, in the United States, land-line telephone systems are subject to a variety of governmental regulations regarding wiretapping and emergency service use. Specific laws, such as the Communications Assistance for Law Enforcement Act (CALEA), can't possibly apply to all VoIP services, regardless of recent rulings insisting on placing wiretaps on VoIP services. In my opinion, it's just not possible to regulate VoIP like this.

What government agencies are failing to understand is that security is a personal choice. If people want to communicate securely, they will do so regardless of whether it's legal.

And they will use freely available strong encryption. With the source code for programs such as PGPfone available on the Internet, all the VoIP regulations in the world won't make a difference.

But just how reliable and usable is VoIP anyway? In a time when cell phones can be unusable at times, I don't place much faith in VoIP ever becoming as good or reliable as a land-line telephone.

Remember that VoIP services use software, and all software has flaws. VoIP technology works, but its long-term security is still undetermined, and complex legal and technical issues exist that will likely take a long time to resolve.
