Other threats include denial-of-service (DoS) attacks, which can “wreck your ability to make a telephone call” or “provide the potential for your calls to be ‘digitally’ intercepted,” says Antal.
MessageLabs also adds that, unlike secure Internet transactions that display a padlock icon in your web browser, VoIP calls are not generally encrypted.
“That makes them susceptible to eavesdropping,” says Antal.
And then there are new and terrifying acronyms such as ‘spit’ (spam over IP telephony), which will send automated messages selling body-part enhancers and cheap medical degrees to millions of VoIP voicemail accounts with the press of a single button.
Even more devastating are trojan-style attacks that can download a payload through your handset to your PC.
D-Day for VoIP is due to arrive when the various vendors' VoIP platforms merge. When Yahoo and MSN opened up their instant messaging (IM) systems to each other, it led to an increase in IM threats (now up to 40–50 a week, according to MessageLabs).
“I would expect that once the VoIP ecosystems merge (Skype, Cisco etc.) we will start to see an increase in VoIP-related threats,” says Antal.
However, MessageLabs could offer no evidence to back up its predictions, other than the logic that if it happened to IM, it would happen to VoIP.
But what about the trojan-style attacks with their devastating payloads? There are no examples of these in the wild yet either. “Not to my knowledge,” qualifies Antal.
And, although the concept of spit has been around since late 2004 and tools are available on the Internet to create spit servers, there is very little spitting going on.
There are concerns, too, over the preparedness of SMEs and the sanity of IT managers. Handsets come with their own browsers, FTP software and other applications – “basically a VoIP phone is a mini-PC,” says Chris Gatford, senior security consultant with Pure Hacking, a company that carries out penetration testing. Admins struggle to look after security for the 100 or so servers in an average SME, and moving to a VoIP system effectively gives them thousands of mini servers to look after, he says.
Gatford also claims the use of several vendors in a VoIP solution increases the likelihood of vulnerabilities. For example, Cisco’s solution is only secure if you have Cisco end-to-end, he says.
Network vendors and clueless SMEs need not worry, as security vendors are determined to meet any future threats well prepared. For this purpose Symantec has rushed out a VoIP Security Alliance (www.voipsa.org) to present a coordinated front. One of the alliance’s founders, David Endler from TippingPoint, has co-authored the book Hacking VoIP Exposed, which lists common VoIP hacks as well as standard voicemail responses that can be used to identify whether a system is Avaya, Cisco or Asterisk.
Who else is listening?
By Sholto Macpherson on May 10, 2007 2:28PM