VoIP poses attractive target for hackers


8 Feb 2005

The emergence of voice-over internet protocol (VoIP) application-level attacks will likely occur as black hats become more familiar with the technology through exposure and easy access, say communications industry giants that are key stakeholders in VoIP’s future.

The early concerns of players such as Avaya, 3Com and Alcatel has caused major communications industry giants to join forces to combat hacker threats. The VoIP Security Alliance (VoIPSA) aims to help organisations understand and avoid VoIP security risks through discussion lists, white papers, sponsorship of VoIP security research projects, and the development of tools and methodologies for public use.

“VoIP has finally arrived, and vulnerabilities in devices and services which enable this technology need to be discovered and mitigated,” said Ron Gula, CTO of Tenable Network Security.

VoIPSA is being led by 3Com subsidiary TippingPoint and includes 3Com, Alcatel, Avaya, Codenomicon, Columbia University, Ernst and Young’s Guiliani Advanced Security Center, Insightix, NetCentrex, Qualys, SecureLogix, Siemens, Sourcefire, Southern Methodist University, Spirent, Symantec, the SANS Institute and Tenable Network Security.

“VoIP has the potential of becoming widely deployed in critical infrastructure, and without an active community in VoIP security, the quality and reliability of VoIP can easily regress into the patch-and-penetrate race we have had to witness with other widely deployed communication software,” said Ari Takanen, CEO and co-founder of Codenomicon.

The companies believe that the growing convergence of voice and data networks only serves to exacerbate and magnify the security risks of today’s traditional prevalent cyber attacks. Successful attacks against a combined voice and data network can cripple an enterprise, halt communications required for productivity, and result in irate customers and lost revenue.

Joseph Curcio, vice president of security technology development at Avaya, said: “Once the decision is made to put VoIP at the heart of their business, companies need to address security holistically – at the applications, systems and services layers.”

“Enterprises are rolling out VoIP solutions to reduce costs and increase operating efficiencies, but this also introduces new security risks that could negate those savings and demand increased resources if not managed properly,” said Martin Roesch, creator of Snort and founder and CTO of Sourcefire. “We are optimistic that this group will result in stronger solutions that help end users better protect their assets.”

As VoIP deployments become more widespread, the technology becomes a more attractive target for hackers, increasing the potential for harm from cyber attacks. The emergence of VoIP application-level attacks will likely occur as attackers become more familiar with the technology through exposure and easy access.

“VoIP is starting to gain momentum in the market, but proactively addressing security concerns will help drive widespread adoption,” said Gerhard Eschelbeck, VP of Engineering and CTO of Qualys.

By John Kennedy