A series of roadshows has highlighted the growing security
threat to IP telephony systems and the need to protect voice over
IP deployments.
Hundreds of IT directors and telecoms managers attended security
roadshows organised by Siemens Communications across the UK in the
past few weeks. The events listed the new threats to voice over
IPsystems.
These included attack by the widely available freeware known as
Vomit, which can capture packets of voice data from converged voice
and data networks, allowing hackers to listen to private
conversations.
There is also a threat called signal protocol tampering. Hackers
plug a laptop into a network to "sniff" packets of data, selling
them on to criminals to make free phone calls remotely via a
network switch.
Siemens also warned that the greater functionality that comes with
IP telephony opens up many more avenues for attempts to defraud
systems. And, as many new phone systems are run by Windows-based
systems, they are subject to the same threats common on data
networks.
Analyst firm Gartner estimated that 90% of all new corporate phone
systems would be IP-enabled by 2008, so the types of threats
revealed by Siemens could become more prevalent.
Craig Pollard, head of security products and services at Insight
Consulting, Siemens' security division, said, "Voice must be
protected like any other application.
"Along with IT directors and telecoms managers, a number of
financial directors came to our roadshows, which may not be
surprising considering the damaging potential of VoIP threats if a
network is not properly protected."
Earlier this year, networking company Avaya said some banks and
financial services companies were wary about adopting VoIP because
of the security issues. However, payment and clearing body Apacs
said the main obstacle to banks adopting VoIP was the difficulty of
integrating voice and data.
Network suppliers such as Cisco and Alcatel have recognised the
security threats posed by adopting VoIP. In October Cisco launched
Callmanager 4.1 to encrypt voice traffic on its 7940G and 7960G IP
phones as a protection against eavesdropping and connection
spoofing.
Garter analyst Isabel Montero said encryption was already standard
on most IP PBX platforms, but was generally limited to Lan-based IP
phone users. "Making call encryption available on Cisco's VoIP
gateways will allow users on other Cisco platforms to conduct
secure IP phone calls," she said.
"Broadening encryption support to include the Cisco Unity messaging
platform will help to prevent malicious users stealing voicemail
files from a corporate Unity server."
Siemens Communications last month expanded its voice security
services portfolio to guard business users of VoIP and PBXs against
hacking.