VoIP security barely a blip on SMBs' radar

Neither vendors nor customers of VoIP services are paying much attention to security, experts say. But just wait until the first major security breach.

Security is a low priority among most small and midsized businesses (SMBs), as well as vendors, when it comes to Voice over Internet Protocol (VoIP), experts say. That will quickly change once hackers take aim, however.

Richard Ridolfo, CIO of Simat, Helliesen & Eichner Inc., a New York-based aviation consulting firm, said security concerns affected how he rolled out VoIP.

"We're using company-owned VoIP infrastructure, and we are using it on encrypted, controlled data paths," Ridolfo said. "And we prohibit the use of free commercial service because I don't believe the technology is mature yet."

But when Ridolfo was looking at VoIP offerings, he saw no mention of security in vendors' marketing messages.

"As with anything, the risk [of a security breach] is theoretical risk right now," Ridolfo said. He said today it's much easier to write a virus or steal data off a file-sharing system than it is to build an exploit for VoIP.

"Does that mean someone isn't working on it right now? No," Ridolfo said. "A high-profile attack, such as a single, crucially important phone call, that will be intercepted, whether it is commercial or government. Then you'll see a bunch of those in short succession. Then there will be a big push to introduce security."

In a recent survey by the Computing Technology Industry Association Inc. (CompTIA), an Oakbrook Terrace, Ill.-based provider of vendor-neutral certifications, 50% of 350 SMBs said they trust the security offered by IP telephony vendors. This number was up slightly from 48% last year.

Steven Ostrowski, director of corporate communications at CompTIA, said concerns about security should provide an opportunity for vendors and resellers who can show they have the expertise to protect customers.

Smaller businesses are relying on solution providers or value-added resellers and system integrators to provide guidance. "They're looking to them to make sure their total security solution is in place -- that not just email, but all voice and data communications are secure," he said. "On the one hand it's a challenge for solution providers to address the issue. On the other hand, it might be an opportunity for them to increase their business if they can show they have the expertise and can protect networks."

Voice is just as vulnerable to exploits as data communication, Ostrowski said, "because at the end of the day it's running over an IP network and it's 'packetized' data."

One analyst was surprised by how many SMBs said they felt VoIP was secure.

"I would say that number is extraordinarily high to me," said Gary Chen, an analyst at The Yankee Group, a Boston-based research firm. "Right now there is no VoIP security, because people haven't thought about it."

Chen said the population of VoIP users is still too small to attract the attention of hackers. But it's only a matter of time.

"It's going to come," he said. "When the population is there, hackers will go for it."

Chen said some VoIP vendors and some third-party security vendors are helping secure VoIP installations, but it's still a new area for most of them. There is little incentive to sell it, since customers aren't demanding it.

"It's going to be a big attack that gets a lot of attention that drives the market forward," he said.

Chen said there are a variety of ways hackers could attack a VoIP phone system. A simple but effective exploit would be an old-fashioned denial-of-service attack. A hacker could paralyze a company's IP phone system and demand a ransom.

"You could also take over people's accounts and make calls and charge it to someone else," he said. "You can also take over a number and use that in some sort of phishing scam, where people think they're calling and talking to a bank, but they're talking to someone else."

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer
