VOIP - Is It Secure?
Not according to Robb Kimmer
This new and emerging technology is a useful and sensible way to utilise traditional networking protocols to transmit and receive voice messages. Already we see the adverts aimed at beguiling us into ordering our first VOIP service. But beware, I perceive a pattern of misconception and misunderstanding being peddled by those who see this as a new Wi-Fi Yukon.
Like Wi-Fi, VOIP is becoming very fashionable and is sold to a, generally, un-skilled (IT) and ignorant public (no offence meant), as easy-peasy technologies that will make life easier, more exciting and modern. That may be true, but what is not being explained to the public is the grave and dangerous problem of lack of security. Yes, I know that we talk about it, but we are IT folk and no-one else listens to us anyway. They all glaze over when we start to prattle on about ‘techy’ stuff.
As soon as you utilise IP network protocols to transfer data or voice you are immediately vulnerable to being attacked/hacked and infiltrated by the low-life and organised crime that slithers around in the network ooze.
The war to keep our networks safe is an ongoing daily battle and creates many casualties. I believe that the introduction of Wi-Fi was incredibly crass (and naive) in terms of the security provisions. There was just not enough time between the idea and the launch of the services/technologies. It was, in my opinion, rushed out to make a quick buck and relied on the public’s ignorance. Wi-Fi was sold on the simplistic advantage of “Look, no wires!”. Very little thought went into securing the systems. The security that is offered is minimal and relies on standard authentication and encryption protocols. Now that SHA has been breached Wi-Fi has, in essence, NO SECURITY! What security it had is now gone in the face of any kind of professional attack. If you look at the endless adverts for Wi-Fi you would never know that it had any problems at all! To introduce VOIP using the same, or similar, marketing hype and relying on that same public ignorance is nothing short of criminal.
VOIP is NOT SECURE at this time. In my opinion it will not be secured until the world moves over to IPv6 and develops more robust authentication and encryption protocols and services that can be easily managed. That will introduce the possibility of security processes that cannot exist at this time while we have the limited IPv4 and compromised encryption.
Security of VOIP is relying on the same gossamer defences that Wi-Fi enjoys. It is simply a packet header addition and some nifty, but old fashioned, authentication. That is about all the thought that is going into this ‘new’ technology. The danger lies in the fact that VOIP is a mobile telephone marketing manager’s wet dream. It will be implemented far too quickly by companies determined to mine that golden seam before anyone else attaches their brand to it. In this rush, the public will be treated with the same contempt as they were when Wi-Fi was rocketed onto the covers of the monthly hardware magazines.
It’s not that I want to prevent the public from enjoying these gizmos and gadgets, neither do I want to prevent the marketing managers from getting excited. What I want to see is a more mature approach to the actual infrastructures that support these new services. Instead of the “Let’s get it out there now we have got it working well last night” syndrome, we should be making sure that the systems really are secure and robust and that people can use them without opening up vast vulnerabilities that organised crime and script-kiddies will exploit.
Once you implement VOIP you will be fair game for being attacked. The real danger lies in the networks that will provide the service. Because it's IP-based traffic, an attacker will have a direct route into your network and into all adjoining networks. Current cracking tools and techniques will be used and will be effective. For instance, right now I can’t NMap for open ports on a telephone network. Once VOIP is implemented, I will be able to scan ports and place all the same kind of spyware, malware and Trojans on those attached networks as I can on current data networks. Besides this I will be able to spam callers and their networks. All this will be ignored in the marketing hype that will start to appear. In a short time, network administrators will be downloading the endless patches and potions to Band-Aid their systems. We will be involved in another war on another front. Most companies do not have the support teams to fight this war. Better to spend more time getting it right and making sure that the systems are secure before letting it loose to the marketeers. Sales folk only have one response to any question that is put to them, and that is a resounding YES. For us back-end people that YES is the most dangerous word in the English language. It puts pressure on testing budgets, releases untried products, it forces designers to cut corners and it speeds up a manufacturing and testing process to the point where a product is launched before it is completely tested and passed as perfect. The Windows operating system is a good example of the ‘YES’ problem. It has created a whole new industry involved in testing, patching and defending it, and added millions to the cost of the products in the long term.
Let’s make sure that we get it right first time with VOIP and reject the marketing pressure to launch this new, raw and untested system.
VOIP, like Wi-Fi, is a ‘good idea’. Currently, that’s all it is.
Robb Kimmer
Network Systems Engineer. MCSE Instructor. Security Consultant
Robb owns MilMates Training Company www.milmates.com.