UC Security

It's become conventional wisdom in the VoIP/IP telephony/UC security space that the major vulnerability for voice-over-IP traffic today remains the simple fact that it runs on IP infrastructures that may be the targets of attacks that have been plaguing data networks for years. In other words, all those exotic types of attacks with names like SPIT (spam over IP telephony); VOMIT (voice over misconfigured IP telephony); or eavesdropping via packet capture -- these have not yet materialized to any

Eric Krapf

June 27, 2008

3 Min Read
NetworkComputing logo in a gray background | NetworkComputing

It's become conventional wisdom in the VoIP/IP telephony/UC security space that the major vulnerability for voice-over-IP traffic today remains the simple fact that it runs on IP infrastructures that may be the targets of attacks that have been plaguing data networks for years. In other words, all those exotic types of attacks with names like SPIT (spam over IP telephony); VOMIT (voice over misconfigured IP telephony); or eavesdropping via packet capture -- these have not yet materialized to any significant degree. But there is plenty of reason to stay vigilant when it comes to VoIP/UC security.I'll break the types of threat down into three categories:

1.) New types of attacks unique to voice, along with voice-oriented versions of traditional attacks -- These include eavesdropping by capturing packets, or SPIT, which would consist of overwhelming an IP telephony line with voice messages, comparable with overwhelming an e-mail box with spam. As I noted above, these aren't really being considered a top threat today.

2.) Voice traffic as collateral damage in an IP network attack -- This is the second type of attack I described above, where an attack on a router brings down the entire IP network, let's say. Since the voice is riding on that network, it suffers the same fate as all the other traffic on the network.

3.) Traditional types of attacks aimed at VoIP/IP telephony systems -- This is yet another threat that hasn't materialized to a great extent in the wild yet, but probably ought to be taken more seriously as a near-term danger than category #1 above. This is, for example, when vulnerabilities to packet flooding and other types of DoS exploits are found within IP telephony gear such as IP-PBXs and related servers. A relatively new security company called VoIPShield has been making news by discovering these types of vulnerabilities in the most popular IP telephony systems, namely those from Avaya, Cisco, and Nortel.

I recently moderated a VoiceCon Webinar (replay here) in which Ted Ritter of Nemertes Research discussed some survey data Nemertes had gathered on the issue of security. Ted reported that:

  • 55% of respondents were concerned about denial-of-service attacks

  • 37% were concerned about eavesdropping

  • 36% were concerned about "vishing" or VoIP phishing, in which a hacker redirects packets from a business that takes credit card information from its customers over the phone, and sends the traffic to a phone he controls, permitting the hacker to steal the credit card information

  • 31% were concerned about toll fraud

    That's in today's environment. Ted Ritter, who's a CISSP, explained in the Webinar that the security threat will become more amorphous as enterprises migrate their IP telephony infrastructure to a Unified Communications implementation. As voice enablement moves into traditional "data" applications, the lines will blur and the notion of a security "perimeter" will further dissolve.

    Ted noted that many of the most important characteristics of UC -- openness, integration -- work against the technologies and principles of security, such as confidentiality. Specifically:

  • Encrypting all [UC] traffic ensures confidentiality, but it may negatively affect availability

  • A fully open [UC] architecture may ensure availability, but it may negatively affect confidentiality and integrity

  • Multifactor authentication with encryption may ensure integrity, but it may negatively affect availability

About the Author

Eric Krapf

Eric Krapf is General Manager and Program Co-Chair forEnterprise Connect, the leading conference/exhibition and online events brand in the enterprise communications industry. He has been Enterprise Connect.s Program Co-Chair for over a decade. He is also publisher ofNo Jitter, the Enterprise Connect community.s daily news and analysis website.
Eric served as editor of No Jitter from its founding in 2007 until taking over as publisher in 2015. From 1996 to 2004, Eric was managing editor of Business Communications Review (BCR) magazine, and from 2004 to 2007, he was the magazine's editor. BCR was a highly respected journal of the business technology and communications industry.
Before coming to BCR, he was managing editor and senior editor of America's Network magazine, covering the public telecommunications industry. Prior to working in high-tech journalism, he was a reporter and editor at newspapers in Connecticut and Texas.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights