Why Nobody’s VoIP Is Secure

Paul D. Kretkowski on November 19, 2007

Eric Vyncke made headlines in October 2007 by telling an audience at RSA Conference Europe 2007 that “nearly nobody” is deploying secure VoIP — even while acknowledging, in a separate interview, that there have been deployments of hundreds or thousands of VoIP phones at a time during the past five years.

Vyncke should know; a distinguished engineer at Cisco Systems Inc., he’s written books with titles like "LAN Switch Security: What Hackers Know About Your Switches."

But the headlines didn’t make it clear whether Vyncke thinks that VoIP can't be secured or whether he believes that businesses simply aren’t taking the necessary precautions.

A closer look makes it clear that Vyncke was asking VoIP users to think about their deployments and use available techniques and tools to secure them. His remarks should be greeted as a wake-up call rather than a fire alarm, and in that spirit, here are some security considerations that come up in VoIP deployments, along with ways to make those deployments more secure.

Special Measures

There are two problems with VoIP today, Vyncke told security experts in London. First, many companies have shied away from deploying VoIP at all because of past security concerns. Though these problems have largely been solved, Vyncke’s second point is that you shouldn’t just buy a VoIP product, turn it on and forget about it — and still expect it to be secure.

During an interview at the conference, Vyncke told ZDNet, “When people deploy [VoIP], they don’t deploy it in a secure way. What they’ve done is securing the network itself, which is a pretty good step, by using specific tracing to Layer 2 switches, preventing attacks like app spoofing. But [VoIP] telephony itself can be secured by encryption, authentication — they are not using it.”

For instance, users can change any vLAN switch to nondefault settings. It’s better to increase security at the switch layer, Vyncke argues, because that’s where it will cause the smallest additional delays in a VoIP call. (He added that you can always increase security at the application layer later while creating only a small amount of latency — about 3 milliseconds, which is not detectable by users.)

Secondly, make sure that an application’s encryption plays nicely with your network’s firewall. Regarding encryption, Vyncke recommends using a DNS (Domain Name Server) proxy, which can read a portion of encrypted VoIP traffic, realize that it’s VoIP and let it through.

Vyncke also advocates the use of secure VoIP phones authenticated via certificates, and he said that IT managers should retain the ability to revoke these certificates should a VoIP phone be stolen or returned to the manufacturer.

A combination of secure switches, firewalls and secure devices won’t produce 100 percent security, but it can approach 99.9 percent, Vyncke said.

Fear Factor
Vyncke sees two major consequences for those who don’t secure their VoIP network properly.

“The threat is mainly a threat against confidentiality, meaning that everyone connected to the network — if the network is badly designed ... that anybody can listen to any phone conversation."

Vyncke continued, “So you can listen to the conversation between the COO and CFO without any problem, which of course is not very good, but you can also fake yourself. There is no authentication, so somebody can pretend to be, I don’t know, an IT manager, and ask somebody, ‘Hey, can you give me your password,’ and the guy naively will give out the password, because there is then no check on the number which is displayed on the IP phone.”

Vyncke argues that the importance of security increases directly with size, as a company grows from, say, 10 users to the size of a large bank, health care business or government.

“Please think about it,” he urged.
Source: voip-news.com