VoIP opens your network to danger from all kinds of evil

In a move to outwit spammers, AOL and Yahoo recently announced plans to charge companies that send high volumes of email and wish to avoid filters.

Although the move has sparked controversy, it raises a number of questions: how will it work and, if it does, will spammers look for cheaper, alternative methods to get their message across?

Deleting spam is a chore for most people with an email account, but imagine having to wade through hundreds of junk voicemail messages every day.

Spit – spam over internet telephony – is currently a subject of wide debate in the IT security industry. While some are warning that spammers will flood Voice over IP (VoIP) networks with marketing messages, others say it is still a myth.

“We haven’t seen as high volumes [of spit] as you’d find spam in email,” says Gunter Ollman, head of research for Internet Security Systems. “As organisations start to use more VoIP though, you’ll see more spit messages in voice boxes. And there are now some programs that can scan all the phone numbers of a company.”

Paul Simmonds, co-founder of security think-tank the Jericho Forum, is concerned that vendors are failing to fix weaknesses in VoIP that could allow spit to land in a voicemail box.

“We haven’t seen anything out there yet,” says Mr Simmonds. “It’s being hyped nicely though. The main issue is why you can send it [spit] in the first place – it’s because VoIP is horribly insecure. At the moment email is inherently insecure, which is why we suffer 70 or 80 per cent of email as spam. We haven’t learned from our mistakes.”

Spit is not the only threat to VoIP networks. Denial-of-service (DoS) attacks, where hackers send masses of data to overload a computer network, can seriously affect the quality of a call, causing latency and even the termination of a conversation.

“In voice that’s especially true,” says Harry Archer, a consultant for BT’s security practice. “You can get that against a data network too though. When you have a converged network you get all of the risks of a regular one.

“I think people are unsure of new technology,” he adds. “They just feel wary. Now we move into the converged world it’s really about moving data and cost saving. It’s the way it’s going and you can’t stop it.”

Yankee Group predicts the VoIP industry will be worth $3.3bn by 2010. Internet auction eBay’s $4bn buy-out of the VoIP company Skype was a clear demonstration of how valuable the industry has become.

But as businesses move telephony to VoIP, are they neglecting to protect their information? While these networks may provide cost savings and nifty messaging services, they also bring a risk of data theft, eavesdropping and opportunities for hackers to creep around your network in the middle of the night.

Mr Ollman adds: “Large organisations are already using VoIP where they base decisions on cost. Security hasn’t yet played much of a part in that. Security teams are worried but are still playing catch-up with the business.

“Not all the security issues with VoIP have been well publicised either. Some of the commercial ones have been, but we’ve found no shortage of vulnerabilities with these products.”

According to research from analyst Gartner, the same processes that protect data networks from malicious attacks, such as firewalls, antivirus, encryption and so on, will protect VoIP services.

Mr Archer adds: “These same threats are there for data networks. You look after voice as you would data. You will get attacked, but if you have countermeasures at the perimeter network you can stop [them].”

Yet some firms are using VoIP outside of the perimeter network, for example, when staff use IP telephony from home over the internet to the company network.

“People want return on investment from trying to get other things out of VoIP,” says Mr Simmonds. “For example – decentralised call centres. It’s a nice business model, but would I use VoIP? Not on its own.”

The use of encryption and firewalls is necessary to keep the most basic network services secure. But every layer of security added also adds a split second of latency, so a network has to be fast enough to handle the extra load. Gartner’s report adds that VoIP network traffic must be given priority to avoid latency.

Introducing VoIP means adding new network protocols – the transport that data uses to travel on – which, if left unsecured, can leave a company open to attack. And that is what Mr Simmonds objects to most of all.

“That’s the biggest no-no,” he says. “Using inherently insecure protocols. You must use inherently secure protocols. They say you can now use VoIP at home but if you do that it’s suicide. It would be opening up to goodness knows what.

“If you look at VoIP as a replacement for a telephone system, it’s fine. If you’re putting it into a new building why wouldn’t you put in VoIP? You’d be brain-dead not to. But the problem is the value-added things it comes with that vendors sell on.”

Copyright The Financial Times Limited 2017. All rights reserved.