VOIP security industry: Guilty as charged

Plus, 10 nasty questions to ask your VoIP supplier

We in the IT security industry are collectively guilty for allowing a fundamentally insecure system such as VOIP to be launched into the market.

We've known for years that only "secure out of the box" should be the default. Yet VOIP is not only insecure by default, it's almost impossible to make natively secure. What's worse, VOIP end-devices (the phones) are a full computer -- usually with their own Web browser, and (insecure) File Transfer Protocols to manage the firmware updates. So just as organizations are coming to grips with managing the vulnerabilities on their PCs, we have just doubled the management nightmare.

The return-on-investment claims made for moving to VOIP rarely stand up to proper scrutiny. The phones cost more than a standard "business" phone, and have a reduced replacement cycle. Gartner says in its November 2006 report "IP telephony technology, in many cases, can be more expensive than equivalent TDM-based PBX Systems."

The ability to benefit from toll-bypass (routing your voice traffic over your private WAN to take advantage of spare WAN capacity) is frustrated by the fact that peak time for voice traffic is also the peak time for data traffic on the WAN. Most network managers that I know are looking for ways to offload peak traffic from congested, expensive corporate WAN links -- not add huge volumes.

The ability to integrate your computer and your phone is another "benefit" that is on the salesperson's list, with features such as Click to Call, Find Me/Follow Me and Unified Messaging, but in reality companies rarely take any advantage of such CTI (computer-telephony integration) options.

Then toss in all the extra Band-Aid solutions you need to add to make it even partially secure, from VOIP firewalls to specialist VOIP security assessments (just run a Google search for "VOIP security solutions"), plus the extra management for firmware upgrades, vulnerability assessment and mitigation, and of course the WAN upgrades, and all of a sudden those incredible savings the salesperson promised magically disappear.

VOIP is, in essence, a time bomb, poised for a massive exploit. With VOIP gaining traction in the corporate world, from boardrooms to the world's financial trading floors, VOIP is a public security exploit waiting to happen -- with large potential consequences. Unfortunately, this may be what is needed before the industry agrees to take VOIP security seriously.

The historical problems with being able to listen in to conversations that people assumed were secure (or where people assumed security through complexity) are well known: In the 1980s, the world became aware of problems with analog cell phone security when tabloid journalists printed details of an intimate cell-phone conversation between Prince Charles (then married to Princess Diana) and Camilla Parker Bowles. We're at the stage now with VOIP that something like that is likely to happen, but with consequences far more serious than embarrassment on the part of the British royal family.

At the 2006 Black Hat conference, David Endler and Mark Collier spent a very entertaining hour abusing a mix of VOIP phones, from being able to set up a call and listen in without the called phone ringing to a full corporate denial-of-service attack by making all phones repeatedly ring every 10 seconds (with no one there when answered).

"If it's not broken, don't fix it," doesn't apply here

At the 2007 Black Hat Conference, there were no fewer than five presentations on the insecurity and general problems of VOIP.

VOIP does have advantages in certain business situations, such as running an international follow-the-sun help desk or an overseas call center operation, but those business cases are limited and the security risks of VOIP should far outweigh most ROI cases.

Getting the security right, and according to Jericho Forum principles, will finally give a true business case with real ROI: The ability to securely integrate disparate sources of VOIP phones (from VOIP clients on cellular devices, to BlackBerry, Wi-Fi VOIP phones and PC soft phones, as well as the traditional desk phone) connected on LAN connections that probably will not be on a LAN managed by your organization.

Paul Simmonds

Network World