Experimental feature

Listen to this article

Experimental feature

The number of internet phone lines in the US recently reached 2.9m. But this number is dwarfed by the success of Skype, the voice-over internet protocol (VoIP) telephone service, which claims 59m registered users with around 3m online at any one time.

There is still a long way to go before internet calling challenges the position of the fixed-line phone companies. But the rate of growth of VoIP among both consumers and businesses has been rapid.

Lowercost VoIP hardware, faster and cheaper broadband connections and competition between service providers all suggest that VoIP will continue to gain ground.

Small and mid-sized businesses stand to gain from the low cost and high functionality of VoIP. Large companies are interested in the technology because it offers seamless links between offices on an almost global basis, and because of the way voice-over IP can be integrated tightly with other applications, from video calling and instant messaging to CRM and sales systems.

One cloud on the horizon, however, could be security. As yet, voice telephony has not been a victim to some of the large-scale denial of service attacks that have affected other services, such as e-mail systems and web servers. At the same time, few virus or malware writers have exploited VoIP in order to infect corporate computer systems or to enter their networks.

But the potential exists. One reason VoIP has so far escaped the full attention of the cyber criminals is its diversity. VoIP is an umbrella term that embraces a range of computer-to-computer services including the instant messaging services from Microsoftand Yahoo respectively, computer-based VoIP services such as eBay-owned Skype, and services based on hardware spanning £50 home phone adapters to high-end, corporate phone systems.

The move towards greater standardisation in VoIP, through SIP (session initiation protocol) and the support for the SIP standard by the mobile phone industry, will no doubt make VoIP easier to use and also bring down the cost of hardware. It could also attract more interest from those who want to use the technology for dubious ends.

According to research conducted last year by Viatel, a European Internet and VoIP service provider, 43 per cent of IT directors feel VoIP services are inherently insecure. But the operator found that cost savings and features were enough to convince companies to switch, despite the apparent risks.

VoIP services face vulnerabilities at two quite separate levels. The first is that public or corporate VoIP networks could be vulnerable to denial of service attacks or viruses that could hamper their operation. This, according to Viatel, was the greatest fear among the IT directors it surveyed.

If a company depended on VoIP for its communications and its VoIP service provider fell victim to a denial of service attack, then clearly this would disrupt day-to-day business.

But companies might well be more susceptible to attacks on their own systems or data that use VoIP as a back door, especially if security systems are not configured for VoIP traffic.

Company VoIP systems could be vulnerable to attack in a number of ways. VoIP software, especially on laptops, could be vulnerable to worms and viruses in the same way as any other computer application. Potentially, virus writers could set up software so that it automatically dials other users, which could be a nuisance.

VoIP software that included instant messaging is vulnerable to the same exploits and hacks as the IM software, and should be protected in the same way: by installing monitoring and security software that can handle real-time traffic; or by turning off functions such as file sharing.

Companies also need to look at how voice hardware and software is configured on their networks. VoIP systems needs to cross the company firewall in order to connect to other users or to a service provider. The risk is that if software can open a connection in order to send out data, hackers could use that same connection to gain access to the LAN.

Over two year ago, Symantec’s semi-annual internet security threat report identified VoIP as a potential and growing vulnerability . And some equipment vendors have responded by updating their equipment so it can block exploits of VoIP traffic: Cisco’s PIX firewalls, for example, have this feature.

Other companies are taking an entirely different approach, and either separating their voice traffic entirely from their data networks, at least to the point of their connection to the internet, or opting for private ADSL circuits rather than internet connections for VoIP. This provides a high measure of security for remote workers, without the performance penalties that can hit voice calls if they run over a virtual private network (VPN).

“VPNs with deep encryption need powerful processing, otherwise there will be problems using VoIP because of delays,” says Rob MacKinnon, director of voice at networking equipment maker ZyXEL. “Private DSL is a completely controlled environment within the business realm.”

Copyright The Financial Times Limited 2019. All rights reserved.

Comments have not been enabled for this article.

Follow the topics in this article