Who else is listening?

Threats below the radar
Of course, the biggest problem with some VoIP attacks like eavesdropping and call recording is that, unlike DoS, the victim never knows it is happening. Some security companies believe these attacks occur frequently but integrators and carriers are unaware.

“The likelihood of [carriers and integrators] knowing of a threat succeeding is extremely unlikely,” says Gatford. This explains why there is so little data on VoIP attacks, he says. Few records of security breaches make it to the press, but this is not unusual as companies never want to let their customers, business partners and shareholders know they have failed to protect important information.

However, two widely reported events did make the news in the past six months.
The first was a widely reported hack into the VoIP system of Buckingham Palace by a reporter, who was able to listen into conversations between members of the royal family.

The second, more devious attack was carried out in Miami, Florida, where a hacker broke into the VoIP system of a large company. He then began reselling air time to customers of a bogus company he set up, running up an enormous phone bill with the host company.

Tipping Point’s security marketing director, Asia Pacific, Ken Low, admits that, “VoIP is not the priority target for hackers at the moment”, and that there are few attacks in this region. Nevertheless, “the fact that they have happened in the UK and the US means it can happen
in Australia”.

Lined up against the doomsayers are integrators and carriers who claim not to have witnessed any security breaches. Also there are some security experts who admit that the present level of defences is adequate.

“I believe the industry has the security set at the right levels,” says Greg Bunt, regional engineer, Asia Pacific, Juniper Networks. “If you implement a voice network properly you shouldn’t have a problem at all.” In fact, Bunt believes the easiest way to record a VoIP conversation is to buy a small microphone and bug the office. Hacking into a system leaves a lot more fingerprints, he says.

Integrators acknowledge there are risks and list measures to minimise their success.

The first is control access lists, which limit access to the VoIP network to a list of MAC addresses matched to each device. The second is the segmentation of the data and voice network by using VLANs; voice is sometimes run over multiple VLANs. Host intrusion detection systems with anti-virus on servers running unified messaging are also sensible.

Adding a firewall in front of the call control software takes the security detail a step higher. A VPN must be used over the WAN. Encryption from handset to handset will give the internal hacker an earful of white noise. And then there is the physical security, such as a lock on the comms room door.

There are several things that one should never do, such as connecting a handset directly to the Internet without the protection of a firewall. But most integrators stopped doing this a long time ago.

“The reality is in the old analogue TDM network you could walk into the basement of a building and tap into a phone call,” says NSC’s managing director,
Craig Neil. “I think the IP world is more secure.”

Neither NSC nor Cerulean, with over 850 VoIP sites between them, has had a single notification about a VoIP-related security breach, according to their representatives. And many don’t even use end-to-end encryption. “The mechanisms are there today – we could easily have every voice packet encrypted – but a lot of organisations haven’t seen the need,” says Cerulean’s practice manager for IP communications, Craig Campbell.

Only one of Cerulean’s 150 customers has high-level encryption.
ISPhone’s CTO James Spenceley says he has never heard of an attack on a handset, even though he first started working on VoIP in 1999 with Comindico/Soul. “This is why the whole VoIP security is amusing – I’ve never heard of a problem,” says Spenceley.

collaboration macpherson tipping networking point security voip sholto