Who else is listening?

Picture an evil-minded hacker – no doubt wearing a balaclava and Marilyn Manson T-shirt – using his computer to hack into the VoIP phone systems of your clients, eavesdropping on corporate secrets and blackmailing the CEO.

It’s easy to imagine, and plenty of people do. “VoIP security” is the buzzphrase of the hour and security companies are predicting a wave of attacks that could send SMEs’ VoIP networks sprawling.

The problem is that there is very little evidence out there to support the scenario, and the IT community appears divided on the question: how great is the threat to VoIP security?

As early as June 2005 a Gartner report was arguing that organisations should not delay in introducing VoIP systems because of security fears, the key reason many cited for staying with the limited and sclerotic PSTN service.

According to many integrators and network vendors, the report’s conclusion remains valid today:
“The same security processes that protect data networks from worms and denial-of-service attacks will protect IP telephony applications. For networks that have an acceptable level of business security, the value of IP telephony will outweigh the risks. Organisations that cannot yet protect their data networks should not deploy IP telephony until they can.”

But the picture has changed, say security companies. Now there is vishing or voishing, the VoIP version of phishing emails that trick people into divulging critical personal or financial information, which is then used to assume their identity.

Security vendor MessageLabs gives an example where a victim receives an automated telephone call reporting that the victim’s credit card has been used illegally, and gives a fake 1800 number to dial and confirm details. The spammer uses VoIP to spoof the phone number of the credit card company and add credibility to the scam.

“As with more traditional forms of social engineering deceptions it is very difficult to safeguard against [these calls] as they often take place offline,” says MessageLabs’ marketing director, Asia Pacific, Andrew Antal. “

With so many VoIP providers vying for market domination, call costs are relatively low, making such scams an attractive proposition.”