Saturday, February 6, 2010

VOIP Risks

Voice Over IP (VOIP) is becoming more and more popular. Clients with broadband connections can use VOIP as a phone. You want to talk to your sister but you live in Virginia Beach and she lives in San Francisco. If you both have VOIP, you can do so without any long distance charges.

VOIP can also be used for video teleconferencing. You can lead a presentation to multiple users located in several cities around the world. Again, without the cost of long distance.

All of this sounds good, but VOIP does have some risks. The primary risks related to VOIP are:

  • Eavesdropping. When a VOIP connection is created, attackers can listen in on the phone calls. It’s relatively easy for an attacker on the source network, the destination network, or any connection points in between to eavesdrop on the conversation. It is possible to encrypt VOIP but that isn’t done very often.

  • Vishing. Vishing is similar in concept to phishing but VOIP connections are often used. The victim is tricked into calling a phone number attached to a VOIP account, or a robo-caller dials VOIP numbers until it receives an answer. The victim is informed of fraudulent activity on a credit card, PayPal account or some other banking institution and encouraged to call another phone number to resolve the problem. The other number is an automated system that requests the user’s credentials.
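
The eavesdropping risk above comes down to whether a call's media is actually encrypted. The following is an added example, not part of the original post: a check that reads a call's SDP session description and reports which media streams were negotiated as plain RTP. It assumes SIP-style signalling with an SDP body; the sample SDP, the function names and the status labels are constructed for illustration.

```python
"""Flag VoIP media streams that are negotiated without encryption (SDP audit)."""

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}
PLAIN_PROFILES = {"RTP/AVP", "RTP/AVPF"}

# Constructed sample: audio offered as plain RTP, video as SRTP with SDES keying.
SAMPLE_SDP = """\
v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000
m=video 51372 RTP/SAVP 96
a=rtpmap:96 H264/90000
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY
"""

def audit_sdp(sdp):
    """Return one (media, profile, status) tuple per m= line in the SDP body."""
    streams, session_keyed, current = [], False, None
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) < 3:
                current = {}  # malformed media line: ignore its attributes
                continue
            current = {"media": fields[0], "port": fields[1].split("/")[0],
                       "profile": fields[2].upper(), "keyed": session_keyed}
            streams.append(current)
        elif line.startswith("a=fingerprint:") and current is None:
            session_keyed = True  # DTLS-SRTP fingerprint may sit at session level
        elif line.startswith(("a=crypto:", "a=fingerprint:")) and current:
            current["keyed"] = True
    return [(s["media"], s["profile"], _status(s)) for s in streams]

def _status(s):
    if s["port"] == "0":
        return "disabled"  # port 0 means the stream is rejected or switched off
    if s["profile"] in SRTP_PROFILES:
        return "encrypted" if s["keyed"] else "srtp-without-keys"
    if s["profile"] in PLAIN_PROFILES:
        # Keys on a plain profile mean opportunistic SRTP, which can fall back to clear.
        return "opportunistic" if s["keyed"] else "clear"
    return "unknown"

def clear_streams(sdp):
    """Media types that would cross the network as unencrypted RTP."""
    return [m for m, _, status in audit_sdp(sdp) if status == "clear"]
```

A stream reported as `clear` can be heard by anyone on the path who captures the RTP packets; `encrypted` means an SRTP profile was negotiated together with key material.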

Good luck with your Security+ studies.
Darril Gibson

-- Edited February 11 2010

While working on another project, I came across NIST's SP 800-58, which is titled Security Considerations for Voice Over IP Systems.

It lists two specific disadvantages of VOIP:

  • Security. There are many more ways for intruders to attack a VOIP system than a conventional voice telephone system or PBX. VOIP is flexible. However, it is much more complex to secure the voice and data sent over VOIP.
  • Startup cost. The initial installation can be complex and expensive for a business.

The SP 800 series of publications from the National Institute of Standards and Technology (NIST) is widely respected and considered authoritative. In other words, this is an excellent source to identify disadvantages of VOIP in addition to the specific security risks mentioned earlier.

- Darril