11 Jan 2007
The migration from analogue telephone systems to converged voice and data networks supporting voice over IP (VoIP) communications is well under way. But the change brings a new set of problems.
Andrew Yeomans, global IT security director at investment bank Dresdner Kleinwort Wasserstein, acknowledges that criminals have always been able to disrupt or listen in on telephone calls. But because VoIP calls are often transmitted across the public internet, they are exposed to a much wider audience of potential hackers who have little chance of being caught.
‘To tap into the public switched telephone network you need to physically tap into the wire or the telephone exchange; with VoIP you can drop a Trojan into the connection from the other side of the world and it is invisible and anonymous. So instead of one or two criminals, there are potentially tens of thousands,’ he says.
But it is not the fear of having their executives’ business calls intercepted that causes most concern for IT professionals.
The main source of worry is that VoIP punches new security holes into networks that are already struggling to plug gaps used by hackers to gain access to sensitive information or spread mayhem within corporate systems.
‘I don’t think there is a major problem with VoIP security yet, but there is potential for a problem,’ says Dave Endler, chairman of vendor-neutral VoIP security alliance (VoIPSA) and author of the soon-to-be-published book Hacking Exposed: VoIP.
IP telephone handsets are different from analogue phones because, like computers, they run operating systems. This means they are susceptible to the same threat from worms, Trojans, viruses and denial-of-service attacks that plague any internet-connected device.
The scariest part, says Endler, is that IP handsets can reveal file transfer protocol (FTP) addresses to hackers, allowing files to be downloaded onto them.
‘Hackers can also use Google to find [IP telephony] devices and direct attacks at them,’ he says.
Once the address is known, all manner of potentially damaging or annoying attacks can be launched at the handset or telephony client. One emerging problem is fuzzing, a type of attack that searches for security flaws automatically by sending thousands of test packets to devices, which often crash as a result.
Another is spam over internet telephony, which is not specific to VoIP but is much cheaper to perform using the technology. It involves pre-recorded voice messages and can exhaust available network capacity with nuisance calls. VoIP phishing uses a similar ruse to persuade people to part with personal details.
With more and more security risks likely to emerge, John Meakin, group head of information security at Standard Chartered Bank, says further instruction is key. ‘We need education so we can tell vendors that we need better security mechanisms that do not stomp all over our systems,’ he says.
Yeomans is certain that many more threats will surface. ‘There are insecure protocols in vendor equipment that can be used to manage the system, and significant holes that allow someone to connect to a phone and destroy it,’ he says.
Endler expects fuzzing to become more of a threat. Protection against it must include anomaly detection, but vendors tackling this in different ways could cause problems, he warns.
‘Everybody has to look at extra security, but what emerges could be an unintended denial-of-service problem through interoperability – one person’s packet may crash somebody else’s device,’ he says.