Wiretapping Just The Start of VoIP's Security Woes

DoS, DoQ, trojan devices inserted in-line all factor into security concerns for IP phone systems


Security experts are once more urging businesses and consumers to be wary of wiretapped Voice over IP (VoIP) calls -- as well as the vast number of potentially worse IP telephony vulnerabilities to which they may be exposed.

Last week, U.K. security researcher Peter Cox introduced a proof-of-concept that showed how easily Voice over IP phone calls could be intercepted. Cox, the former chief technology officer and co-founder of security vendor Borderware, successfully captured phone calls over a period of several months with a prototype Session Initiation Protocol (SIP) call monitoring tool.

The demonstration came as only the latest reminder that VoIP is vulnerable to monitoring. But experts warn that wiretapping is only the tip of the iceberg.

"In the grand scheme of things, it's rather small," said Forrester Research Analyst Paul Stamp. "This is something people implementing VoIP systems have known for a long time. But it's certainly not the biggest vulnerability in the system."

With VoIP on the rise, there's plenty of reason to be concerned about all of those vulnerabilities. According to a survey of telephony carriers conducted by IBM's Internet Security Systems (ISS), almost 85 percent of phone service providers will roll out an IP-based architecture for their services within the next five years.

And while 87 percent of the participants in ISS's survey believed that these "next-generation networks" would fail without strong security measures, only 46 percent said their companies had a plan in place for dealing with the security issues involved with the shift.

That might come as something of a surprise, since it's not as if the threat of call interception is anything new.

"There have been tools available for a very long time that allow someone to listen into VoIP calls," said Tom Cross, X-Force Researcher at IBM ISS. "A lot of people in IT have this perception that you can't snoop on a switched network. But you can, using a technique called [Address Resolution Protocol] cache poisoning."

Address Resolution Protocol (ARP) cache poisoning, also known as ARP spoofing, is a way of inserting a device on a switched Ethernet network between two other devices, masquerading as the intended device while passing traffic along.

"There's a tool called Cain and Abel, which has been out for some time that will do ARP cache poisoning," Cross said. "If those devices happen to be VoIP phones, it's trivial to record the conversation and play it back."
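
On the wire, the in-line insertion described above shows up as a change in which hardware address answers for an IP address. A defender's check for that follows, as an added example that is not part of the original article; the addresses, the sample replies and the function name `detect_arp_poisoning` are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies.
# 10.0.0.1 is an assumed call server, 10.0.0.20 an assumed IP phone.
SAMPLE_ARP_REPLIES = [
    (0.0, "10.0.0.1", "00:11:22:33:44:01"),
    (0.5, "10.0.0.20", "00:11:22:33:44:20"),
    (30.0, "10.0.0.1", "00:11:22:33:44:01"),
    (61.0, "10.0.0.1", "de:ad:be:ef:00:99"),   # server's binding changes
    (61.1, "10.0.0.20", "de:ad:be:ef:00:99"),  # same MAC also claims the phone
    (62.0, "10.0.0.1", "de:ad:be:ef:00:99"),   # repeat of an already-flagged claim
]


def detect_arp_poisoning(replies, static_bindings=None):
    """Return (time, kind, ip, mac) alerts, one per distinct finding.

    "binding-changed": an IP is announced with a MAC other than the one
    first learned, or pinned in static_bindings (lower-case MACs).
    "mac-claims-multiple-ips": one MAC answers for more than one IP, which
    is what a device relaying traffic between two hosts looks like.
    """
    known = dict(static_bindings or {})   # ip -> trusted mac
    ips_by_mac = defaultdict(set)         # mac -> ips it has claimed
    flagged = set()                       # (ip, mac) pairs already reported
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        trusted = known.setdefault(ip, mac)  # first sighting is trusted
        if mac != trusted and (ip, mac) not in flagged:
            flagged.add((ip, mac))
            alerts.append((ts, "binding-changed", ip, mac))
        claimed = ips_by_mac[mac]
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:
                alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

Trusting the first sighting misses a device that is already in place when monitoring starts, so bindings for call servers and gateways are better supplied through `static_bindings`. Address reassignment, hardware replacement and routers answering on behalf of other hosts also trigger these alerts and need to be allow-listed.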

The risk of monitoring needs to be considered by anyone implementing VoIP, Cross said, especially since VoIP encryption isn't necessarily an option yet for many users.

"Out of the box, a lot of this stuff doesn't have encryption built in, or it's not turned on," he said. "The standards for how to encrypt VoIP are still being worked out -- a lot of vendors have different solutions for that, and they're not necessarily interoperable."

But as vulnerable as VoIP may be to monitoring, it's much more exposed to other potential threats, experts warned.

"I think people realize that there's a possibility to do [wiretapping], and in many cases, have accepted that risk, given that you've got a lot bigger fish to fry," said Stamp. "Most of the vulnerabilities out there have to do with availability and what you can do to make sure that there won't be dial-tone for the person on the other end."
