Is it Safe to Voice, VoIP That is?
By Avinash Kadam / MIEL E-SECURITY
In 1875, Alexander Graham Bell set up the first telephone connection. He stretched a wire to the adjoining room and uttered the famous sentence, "Mr Watson, come here. I want to see you." Telecommunications has come a long way since then.
Telephone circuits have expanded to circumnavigate the earth many times over. Everyone is just a call away. With the advent of the Internet, even the exorbitant charges thus far levied by telephone companies cease to be a problem. Calls can now be made at a nominal cost, if not for free.
Just like telephone companies, the Internet can digitize and compress voice and send it as data anywhere in the world. This idea has been implemented in several ways: ATAs (analog telephone adapters), IP phones, or simple computer-to-computer communication. The basic idea is the same: convert normal analog voice to a digital signal, put it in the data portion of an IP packet—Voice over Internet Protocol (VoIP)—and send it across the Internet at a fraction of the cost of a telephone call.
Since the cost aspect seemed too good to be true, we started worrying about security. From our years of experience, we knew that the Internet is an insecure medium to send data over. So, is it safe for voice? What can go wrong with VoIP?
The most serious fear is a Denial of Service (DoS) attack. What if the network is flooded with spurious traffic and all VoIP phones go dead? Fortunately, we have not yet faced such an attack. One reason could be the relatively low density of VoIP phones. In addition, despite the lure of merging data and voice networks, we are not yet ready to bid adieu to the PSTN (public switched telephone network)—tried, tested and proven for more than 100 years.
In recent times, several new acronyms have cropped up to describe security threats for VoIP. We now dread SPIT (spam over Internet telephony). Similar to the ubiquitous phishing e-mails (spam) that threaten to suspend our credit cards if we do not give our password, PIN and social security number, there are vishing attacks through voice calls. These calls can intimidate unsuspecting users into calling a given number and confirming their account credentials.
Also, there is the ever-present threat of viruses, worms and Trojans that can infect our IP phones and other telecommunication devices too. VoIP calls can also be spoofed, eavesdropped, hijacked or intercepted by MITM (man-in-the-middle) attackers. Then, there is the worry about toll fraud. All these are very tangible risks. We have faced these on our data networks and on voice networks. There is no doubt that we might face all these on our VoIP communications. So, it seems that the attack surface has just increased manifold for voice communication using IP.
Is there a way to negate risks?
VoIP is bound to overtake traditional telephone communication. The cost savings are enormous. We will just have to learn to cope with all the threats. Enough security technologies are being developed for data traffic on the Internet. In order to counter the threat, VoIP will see heavy usage of cryptography. It is likely that new VoIP-aware firewalls, IDS, and IPS will be deployed in the near future. Already, Turing tests are being employed to check if the VoIP caller is human or machine.
The ideal solution would be to educate ourselves, so that we do not fall prey to any vishing attack. We should also learn to scan our IP phones for viruses before we make a call. At the end of the day, the price we pay for securing ourselves will still be much smaller compared to the savings we will make.