Slashdot Mirror

← Back to Stories (view on slashdot.org)

VoIP Security Threats Defined

Posted by ScuttleMonkey on from the i'll-stick-with-my-dixie-cups-and-string dept.

Zonorph writes "Information week is reporting that the recently formed industry group Voice over IP Security Alliance (VOIPSA) just published their first draft of a VoIP Security Threat Taxonomy for public comment. From the VOIPSA, 'This VoIP Security Threat Taxonomy is meant to define the many potential security threats to VoIP deployments, services, and end users. Part of the challenge of devising effective VoIP security protections requires first identifying these threats in the first place.'"

6 of 60 comments (clear)

  1. "Security" "Threat" is largely expectations by team99parody · · Score: 4, Insightful

    If everyone somehow thinks VOIP on the internet is some magicly secure channel, they'll use it carelessly and lots of security problems will occur.

    If they think it's a public chatroom (like an IRC channel) they'll be careful what they say, and fewer problems will result.

    Same for email - if it were only widely known that email can be forged by anyone and read by anyone, the nigerian spammers wouldn't have any luck finding a mark. But the damn "email security" industry and ISPs set peoples expectations incorrectly and a lot of people get hurt.

  2. Re:"Security" "Threat" is largely expectations by Anonymous Coward · · Score: 4, Insightful
    Another good example is the comparing VOIP security with the lack of security of the analog phone line coming in your house. Gee, people with alligator clips can tap into the phone lines easily accessible outside your house and listen to your calls.

    Somehow noone get's all excited about those security holes; but somehow computers have some mystical aura that makes people expect them to be locked down to a far greater extent than their physical phone or mailbox. This seems pretty odd, since my physical mailbox gets lots of stuff in it that's far more valuable than my email.

  3. Encryption by WindBourne · · Score: 4, Insightful

    The encryption apporach should allow for easier quicker change of algos. We are now playing a game where we are fighting both crackers and govs.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  4. VOIP is hackable, just like the PSTN by SecureTheNet · · Score: 4, Insightful

    You think the public switched telephone network is any more secure than VOIP? Hackers have been playing around in the phone system since it's inception, via switchboard pranks, then devices like blueboxes, and finally hacking the DMS-100 switch used to route your telephone calls. Free service, free features, unbillable numbers, untracable calls, phone taps, and even controlling dial-in lines to win radio call-in prizes. This is all old hat, and VOIP is simply the new playground.

    --
    SecureThe.Net - Practical Resources for Securing Systems
  5. And us VoIP/Switch/PBX providers will be blamed by quarkoid · · Score: 5, Informative

    I run a business which supplies telephone systems. All our systems run VoIP and all can be remotely accessed. It doesn't matter how much I jump up and down about social/network/hardware security, the customers just don't get it.

    Luckily, we do.

    Hypothetical: One of their PCs gets compromised. It runs packet sniffing software which then copies the voice traffic off elsewhere.

    Hypothetical: One of their PCs gets compromised. It runs packet sniffing software which then registers with the switch and proxys external connections out over the customer's PSTN/VoIP trunks, at the customer's expense.

    None of these have happened yet (in fact, one compromised machine we were called in to look after could have given the cracker access to 30 PSTN lines, but was just used for IRC botting), but I'm just waiting for the day when the customer's trunks are attacked. Of course, when this happens, there is a tangible cost element (in terms of the telco charges for the calls made).

    The worrying thing is that there are a number of telecomms wannabees starting up. These are typically IT companies who are seeing their margins disappear and wanting to branch out. These people are mainly selling Asterisk or some form of virtual PBX service. Sadly, these people don't understand telecomms and (much to my surprise), don't appear to understand basic network protocols and terminology (let alone security). These are the companies who'll give VoIP a bad name and who'll cost their customers a fortune.

    Luckily, as with IT, when the sh1t hits the fan, companies like ours will be there to sort it out (and make more money from sorting it out than we would have done in the first place).

    Ho hum.

    Nick.

  6. Re:This roughly translates to: by quarkoid · · Score: 4, Insightful

    The issue is that anything that is transmitted over a public channel is open for analysis, and hence private information need to be secure.

    No, that's not the issue. The good old PSTN is public and insecure. The post (snail mail) is public and insecure. If people want to send their information securely, they scramble their phone calls and encrypt (code/cipher/whatever) their post. The same applies to VoIP (VPN, encryption etc.).

    The issue here is cost.

    When a VoIP system is cracked, it costs somebody money.

    The problem here is a lack of understanding on how to secure (*NOT* encrypt) VoIP connections.

    Nick.