Is Your VoIP Phone Vulnerable?

Security experts warn that attacks on Internet-based calling systems, though rare now, may be just around the corner. Businesses, be ready

It's become a familiar pattern in online security. A groundbreaking way to communicate emerges, spreads like wildfire, and then hackers find a way to use it to their advantage. Security companies react—but not before the problem has succeeded in wreaking havoc. It happened with e-mail and is happening now with instant messaging and mobile devices.

The next area that could be targeted: Voice over Internet Protocol, or VoIP, which lets people make low-priced phone calls using the same technology that delivers e-mail. And the results could be as damaging as, if not worse than, those seen with other technologies, some security experts warn.

Unlike calls sent over traditional networks, VoIP calls are often routed over the public Internet, and details of those transactions can be spied on by outsiders. Law-enforcement officials allege that's how Edwin Andres Pena and Robert Moore were able to steal so-called bandwidth, or the network space needed to carry Internet phone calls, and then resell it to unsuspecting patrons. The two Miami men have been charged with racking up some $1 million in ill-gotten gains. The calls were routed through a Newark (N.J.) front company called N.T.P.

Long before VoIP was developed, copper-wire networks were similarly vulnerable. But in the 1970s, service providers separated the voice networks from the data that controls and routes the calls, making it impossible to perform such hacks, says Dan Ingevaldson, director of technology strategy for ISS, a security company that has been watching the VoIP threat for some time. "There's no regulator, no control, no one person to validate what's on your network, so there's the opportunity for abuse," he says.


Ingevaldson is one of a handful of people calling for these network gatekeepers to learn from what happened with e-mail, and take steps to secure VoIP networks before they hit mass adoption. The number of VoIP subscribers is expected to almost double to 47.3 million people this year, according to Infonetics Research. "By the time this becomes Grandma's problem, it's too late," he says.

Here's what VoIP security breaches could mean for consumers. For starters, it's a big channel for spammers. Think of the Viagra ads that flood your e-mail inboxes now. They work because the cost of e-mailing thousands of people at once is so low that only 1% to 3% or so need to respond for it to be worth it, Ingevaldson says. Comparable economics apply to VoIP calls, he says.

Then there are potential phishing attacks, where fraudsters posing as banks lead consumers to fake sites. Those and other attempts at identity theft could spring up via VoIP accounts too, experts say. Imagine the messages from relatives of deposed Nigerian dictators—only this time they're on voice mail, too.


And as VoIP calling becomes increasingly mobile, consumers may be forced to field calls from telemarketers and fraudsters everywhere, not just on a landline over dinner. While the U.S. Do-Not-Call list protects consumers from calls inside the U.S., it can't shield recipients from calls placed overseas—the cost barriers to which are eliminated by IP calling. Fears are great enough that security providers have given it a new moniker: SPIT, or spam over Internet telephony.

For businesses deploying VoIP, the implications could be worse still. Companies' phone systems are tied in with their networks. So an insecure phone system could give hackers entrée to the whole network. Conversely, an insecure network could tank not only their IT but their phone systems as well. And just as hackers can take over unprotected computers to do their bidding, they could take over companies' VoIP systems to make unwanted calls. "The amount of bandwidth that could use up is enormous," Ingevaldson says.

Added security vulnerabilities could erode the cost savings associated with VoIP systems. Exchange Bank, a Sonoma (Calif.) community bank, plans to introduce VoIP across its 19 branches in the coming months. The company needed to update its aging phone networks and overstressed routers anyway, and relying on VoIP was a way to do both, says Bob Glingorea, Exchange Bank's information security officer. The cost savings from VoIP will repay the bill in three years, he says. "It was a no-brainer," Glingorea says.


As an ISS customer, Glingorea gets VoIP protection along with his standard network protection and is confident that will be enough. Still, other IT managers who have dealt with the headache of ever-changing IT threats likely can't help but wonder if rolling out VoIP will become just another big headache. Concerns about VoIP safety are the last thing Vonage (VG) needs as it tries to reach profitability in the wake of a dismal initial share sale (see 5/31/06, "Trouble on the Line for Vonage?").

Companies whose employees use eBay's (EBAY) Skype also could be in for a jolt, according to a May research note by Gartner. The software is free to download, and most companies don't even realize how prevalent it may be inside their four walls.

Of course, there is a difference between potential threats and ones VoIP consumers are actually facing today. So far, much of this is theoretical—much like fears of mass viruses on mobile phones and disastrous phishing attacks over instant-message systems (see 1/5/06, "IM Security Is One Tough Sell"). VoIP attacks remain rare, although Gartner says Skype has made four big patches to vulnerabilities in the last 18 months.


And security companies such as ISS have a financial stake in companies bracing against possible threats. ISS's basic network security now includes VoIP protection. Security software mainstays Symantec (SYMC) and McAfee (MFE) are also said to be working on VoIP security products. Both companies declined to comment for this article.

Several startups have popped up to respond to the threat. These include Sipera Systems, of Richardson, Tex., and Covergence of Maynard, Mass. Zeus Kerravala, vice-president of enterprise infrastructure at the Yankee Group, says his surveys show security concerns are far down on the worry list for businesses installing VoIP. Just getting the system to work, while achieving the promised cost savings, is the main worry, he says.

Still, Ingevaldson recommends companies not wait till the threat becomes more tangible. Businesses would do well to consider the threats on the front end, given how fast VoIP adoption is growing. Although only 5% deploy VoIP companywide, 87% of companies are using VoIP in some capacity. Numbers like that may be too alluring for hackers to pass up.
