Roadshows warn of IT security risks in deploying VoIP

A series of roadshows has highlighted the growing security threat to IP telephony systems and the need to protect voice over IP...

A series of roadshows has highlighted the growing security threat to IP telephony systems and the need to protect voice over IP deployments.

Hundreds of IT directors and telecoms managers attended security roadshows organised by Siemens Communications across the UK in the past few weeks. The events listed the new threats to voice over IPsystems.

These included attack by the widely available freeware known as Vomit, which can capture packets of voice data from converged voice and data networks, allowing hackers to listen to private conversations.

There is also a threat called signal protocol tampering. Hackers plug a laptop into a network to "sniff" packets of data, selling them on to criminals to make free phone calls remotely via a network switch.

Siemens also warned that the greater functionality that comes with IP telephony opens up many more avenues for attempts to defraud systems. And, as many new phone systems are run by Windows-based systems, they are subject to the same threats common on data networks.

Analyst firm Gartner estimated that 90% of all new corporate phone systems would be IP-enabled by 2008, so the types of threats revealed by Siemens could become more prevalent.

Craig Pollard, head of security products and services at Insight Consulting, Siemens' security division, said, "Voice must be protected like any other application.

"Along with IT directors and telecoms managers, a number of financial directors came to our roadshows, which may not be surprising considering the damaging potential of VoIP threats if a network is not properly protected."

Earlier this year, networking company Avaya said some banks and financial services companies were wary about adopting VoIP because of the security issues. However, payment and clearing body Apacs said the main obstacle to banks adopting VoIP was the difficulty of integrating voice and data.

Network suppliers such as Cisco and Alcatel have recognised the security threats posed by adopting VoIP. In October Cisco launched Callmanager 4.1 to encrypt voice traffic on its 7940G and 7960G IP phones as a protection against eavesdropping and connection spoofing.

Garter analyst Isabel Montero said encryption was already standard on most IP PBX platforms, but was generally limited to Lan-based IP phone users. "Making call encryption available on Cisco's VoIP gateways will allow users on other Cisco platforms to conduct secure IP phone calls," she said.

"Broadening encryption support to include the Cisco Unity messaging platform will help to prevent malicious users stealing voicemail files from a corporate Unity server."

Siemens Communications last month expanded its voice security services portfolio to guard business users of VoIP and PBXs against hacking.

Read more on Voice networking and VoIP