Mitigating VoIP Security and Privacy Risks
2007-06-13

VoIP (Voice over Internet Protocol) phones are gaining popularity in law firms, corporations and even at home. With new capabilities and reduced infrastructure cost, VoIP, which uses existing computer wiring and network gear, is very appealing.
The conventional wisdom of IP phone privacy and security is that IP phones are just one more computer device on a network. If you already have a secure network, IP phones will be fine; if not, your IP phones will be at risk as well. But is this really true?
One of the convenient features of IP phones is that you can typically dial calls right from the electronic address book on your computer. This saves punching in numbers and potentially dialing the wrong number, or the wrong matter number in a firm that bills phone calls to clients.
For attorneys who make a lot of phone calls, the speed alone can save you a day or two of time in a year of making calls. This feature typically only works in your own office, but we were interested in extending it to work in conference rooms as well.
In the process of installing the conference room system, our programmers found that not only could they place conference room calls, they could also arrange to place the call silently, by muting the speaker on the calling phone. This could effectively turn any speakerphone in the firm into a clandestine monitoring device. In other words, running this program would cause any selected speakerphone in the firm to call the conference room, monitoring what was being said in the other room.
Upon investigation, we found out that our old traditional Nortel phone system had a similar capability. But the critical difference was that the Nortel phone switch could only be enabled for such monitoring from the telephone switch control console -- and only inside the firm. With an IP phone system, anyone with the right level of network access to the IP phone management PC, potentially from anywhere in the world, could place a monitoring call to any phone in the world. In one sense, the adage about IP phone security being no different than computer security proved true -- because keeping the IP phone system management computer secure from inappropriate access is the critical issue.
However, it is also true that IP phones increase possible damage from a computer security breach: now you not only have to worry about hackers rummaging through the electronic contents of your computer, you also have to worry about them listening to private conversations in your office!
While the risks may be new, the actual process of securing IP phones is not. As with any network-connected computer, it is important to change default passwords, apply security updates in a timely way and install security firewalls, intrusion detection and prevention.
Many IP phones, such as the popular Cisco Systems Inc. phones, come with a built-in Web server, so it is easy to find an Internet-exposed IP phone by typing the right text into your favorite search engine, i.e., "Google Hacking."
One brand of IP phones even has a convenient packet monitor, so a quick search in Google to find such a phone, followed by use of an unchanged default password, could give you the ability to locally monitor all data traffic on the network where the phone is attached.
There are some standards, such as the National Institute of Standards and Technology Special Publication 800-58, that specify security guidelines for the installation of IP phones. One recommendation of Special Publication 800-58 is that data and voice networks for IP phones should be separate. Of course, one of the attractions of IP phones is the cost savings associated with eliminating dedicated phone wiring, so this is not a welcome recommendation.
What most organizations do is logically separate the voice and data so that both signals flow on the same wires, but rules in the network switches and routers keep them separate. This improves security as long as the network switches and routers are successfully protected from hackers who could disable those rules. Special Publication 800-58, which is the basis for many government IP phone procurements, also advises against IP softphones, which use a PC as the telephone endpoint.
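Logical separation only protects the phones if the switch and router rules actually block the flows they are meant to block, including access to the IP phone management PC. The following added example (not part of the original article) evaluates an ordered, first-match rule list against the flows the policy must deny or allow; the addresses, ports and rule format are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumptions, not from the article):
# data VLAN 10.10.0.0/24, voice VLAN 10.20.0.0/24,
# IP phone management PC 10.20.0.5, authorized admin workstation 10.10.0.50.
# Ordered first-match rules: (action, source, destination, dst port or None = any)
RULES = [
    ("permit", "10.10.0.50/32", "10.20.0.5/32", 443),
    ("permit", "10.10.0.0/24", "10.20.0.0/24", 80),  # weak: phone web UI open to data VLAN
    ("deny", "10.10.0.0/24", "10.20.0.0/24", None),
    ("permit", "0.0.0.0/0", "10.20.0.5/32", 443),    # weak: management open to any source
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
# Corrected rule set: only the admin workstation reaches the management PC.
HARDENED = [
    ("permit", "10.10.0.50/32", "10.20.0.5/32", 443),
    ("deny", "0.0.0.0/0", "10.20.0.0/24", None),
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
# Flows the separation policy must enforce: (name, src, dst, port, expected action)
EXPECTED = [
    ("data PC -> phone web UI", "10.10.0.23", "10.20.0.40", 80, "deny"),
    ("data PC -> phone mgmt PC", "10.10.0.23", "10.20.0.5", 443, "deny"),
    ("internet -> phone mgmt PC", "203.0.113.9", "10.20.0.5", 443, "deny"),
    ("admin -> phone mgmt PC", "10.10.0.50", "10.20.0.5", 443, "permit"),
]

def decide(rules, src, dst, port):
    """Return the action of the first rule matching the flow (implicit deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"

def audit(rules):
    """Return the names of expected flows whose actual decision differs."""
    return [name for name, src, dst, port, want in EXPECTED
            if decide(rules, src, dst, port) != want]

if __name__ == "__main__":
    for label, rules in (("current", RULES), ("hardened", HARDENED)):
        print(label, "violations:", audit(rules) or "none")
```
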
What about home IP phones, where phone infrastructure is offsite with a vendor and consumers use a wireless handset or computer-based softphone? Running a security and privacy analysis on consumer IP phones has been a popular project for computer science graduate students in my advanced networking class at the University of Chicago.
Some consumer IP phone products have proven easy to block, spoof and monitor while others, such as Skype, maintained privacy in spite of student efforts. While this can hardly be considered a scientific analysis of home IP phones, it does suggest there is wide variation in the security and privacy of home IP phone products.
As usual with rapidly evolving technology, we are seeing a great deal of variation in the privacy and security of IP phone products, but while the risks have ratcheted up, attention to security procedures and techniques provides reasonable mitigation of risk. But it is clear that there should be no expectation of security and privacy without effort.
By Todd Nugent