Home / Blogs

VoIP Security FUD

Irwin Lazar

I'm continually amazed by the amount of FUD being spread with regard to VoIP security threats. People...the sky is not falling. VoIP isn't e-mail. It isn't implemented like e-mail, it won't be implemented like e-mail (maybe "it shouldn't be implemented like e-mail" is a more appropriate statement). Following best security practices will ensure at least a level of security equivalent to current TDM systems.

Best FUD I've heard this week: VoIP is insecure because you can simply put a bridge on an ethernet line and capture a stream. Hey, has anyone ever heard of alligator clips?

Heck, we could use a Thunderbird protocol analyzer ten years ago to listen to calls on our channelized T1s at a previous job site. And, we could do this in a central location because all calls out of our HQ site went through a single set of cables. VoIP is much more difficult to tap, calls, or even individual packets within a single call, can take multiple routes through a network. Tapping a user's Ethernet port requires the ability to log in to their local switch and span their port, something that requires an account on the switch, and something that ought to be logged (there is that 'best practice' thing again).

While the "place the hub" in-line attack could work, it won't work in environments where the switch is providing line power to the phone (unless you have a line-powered hub), and it won't work in implementations that use 802.1x to authenticate devices placed on the network. Finally, if you are really concerned about wire-tapping, turn on the encryption capabilities that many VoIP vendors currently support. (In this case, VoIP offers superior security to TDM, how many TDM systems support end-to-end encryption?)

Yes, there are security threats to VoIP, just as there are to any application, or even legacy TDM systems (toll fraud anyone?). But let's not scare people into thinking that implementing VoIP means that they will fall victim to a non-stop flood of SPAM, SPIT, DoS, Phishing, and a litany of other attacks.

Also read "Is VoIP Ripe for Attack?", a related NewsFactor Network article on VoIP security where Irwin Lazar, author of this post, is quoted.

By Irwin Lazar, Analyst
Follow CircleID on
SHARE THIS POST

If you are pressed for time ...

... this is for you. More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Vinton Cerf, Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Share your comments

To post comments, please login or create an account.

Related

Topics

Whois

Sponsored byWhoisXML API

Cybercrime

Sponsored byThreat Intelligence Platform

DNS Security

Sponsored byAfilias

Domain Names

Sponsored byVerisign

IP Addressing

Sponsored byAvenue4 LLC

Cybersecurity

Sponsored byVerisign

New TLDs

Sponsored byAfilias