Slashdot Mirror


VoIP Security Threats Defined

Zonorph writes "InformationWeek is reporting that the recently formed industry group Voice over IP Security Alliance (VOIPSA) just published their first draft of a VoIP Security Threat Taxonomy for public comment. From the VOIPSA, 'This VoIP Security Threat Taxonomy is meant to define the many potential security threats to VoIP deployments, services, and end users. Part of the challenge of devising effective VoIP security protections requires first identifying these threats in the first place.'"

  1. Communication security by VincenzoRomano · Score: 3, Informative

    Public VoIP security issues are more or less the same as in the plain old public telephone service.
    If someone really cares about security (and "privacy") issues, she will provide for her own private VoIP service.
    Very few people know whether the communication will travel safely through the net and related servers.
    Yes, my link to my favourite VoIP carrier is encrypted with a zillion bits encryption key. And what happens after?
    The solution is to avoid using public services for security and privacy concerned communications.
    There is very little to do if you dictate your credit card numbers by phone, whatever technology you use!

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
  2. And us VoIP/Switch/PBX providers will be blamed by quarkoid · Score: 5, Informative

    I run a business which supplies telephone systems. All our systems run VoIP and all can be remotely accessed. It doesn't matter how much I jump up and down about social/network/hardware security, the customers just don't get it.

    Luckily, we do.

    Hypothetical: One of their PCs gets compromised. It runs packet sniffing software which then copies the voice traffic off elsewhere.

    Hypothetical: One of their PCs gets compromised. It runs packet sniffing software which then registers with the switch and proxies external connections out over the customer's PSTN/VoIP trunks, at the customer's expense.

    None of these have happened yet (in fact, one compromised machine we were called in to look after could have given the cracker access to 30 PSTN lines, but was just used for IRC botting), but I'm just waiting for the day when the customer's trunks are attacked. Of course, when this happens, there is a tangible cost element (in terms of the telco charges for the calls made).

    The worrying thing is that there are a number of telecomms wannabes starting up. These are typically IT companies who are seeing their margins disappear and wanting to branch out. These people are mainly selling Asterisk or some form of virtual PBX service. Sadly, these people don't understand telecomms and (much to my surprise) don't appear to understand basic network protocols and terminology (let alone security). These are the companies who'll give VoIP a bad name and who'll cost their customers a fortune.

    Luckily, as with IT, when the sh1t hits the fan, companies like ours will be there to sort it out (and make more money from sorting it out than we would have done in the first place).

    Ho hum.

    Nick.

  3. Security? by el_womble · Score: 3, Informative

    We're all IT pros or enthusiasts, right? Are any of us really under the impression that anything is really secure? Given enough time and resources anything can be cracked - and if it's not the computer system, it's the users that are the weakest link.

    If you need to believe that what you are saying is secure, or need to advise people that need to believe that you can secure things, surely that's what you tell them.

    VoIP has a few killer advantages: reduced costs, CD quality sound, potential to expand to video and REDUCED COSTS.

    The security surrounding it may stop pesky neighbourhood kids splicing into your phone line and listening in, but there is NO technology that will prevent a dedicated and skilled cracker from listening into anything you broadcast or keep on your computer. But they are few and far between and I like those odds (it's not as if I have any real secrets). What really bothers me about this is the idea of government mandated backdoors.

    How can a country that gives its citizens the right to bear arms and form militia not see that in the information age encryption is the next Smith and Wesson? In that respect it's not designed to stop the police from arresting you, or to help you rob banks. Sure you can use it for such, but that's not what it was designed for; it is designed to help you protect yourself, your family and your possessions and act as a deterrent. Just don't expect your six-shooter to defend you from a trained assassin.

    I live in the UK, so I don't carry a gun (not that I would in the US either), but I do lock my house and my car - and I don't give the police a master key unless they ask me and provide a warrant. That's fair. Builders don't look the other way whilst the police come on site and install a special secret door that only they can use, and the reason that doesn't happen is because there would be two sets of people that have the key, the police and the criminals. It's the same with encryption.

    --
    Scared of flying, pointy things since 1979!
    1. Re:Security? by Detritus · Score: 2, Informative
      The security surrounding it may stop pesky neighbourhood kids splicing into your phone line and listening in, but there is NO technology that will prevent a dedicated and skilled cracker from listening into anything you broadcast or keep on your computer.

      With a secure telephone, like a STU-III, your hypothetical "dedicated and skilled cracker" is hopelessly outclassed.

      --
      Mea navis aericumbens anguillis abundat