Slashdot Mirror


VoIP Security Threats Defined

Zonorph writes "InformationWeek is reporting that the recently formed industry group Voice over IP Security Alliance (VOIPSA) just published their first draft of a VoIP Security Threat Taxonomy for public comment. From the VOIPSA, 'This VoIP Security Threat Taxonomy is meant to define the many potential security threats to VoIP deployments, services, and end users. Part of the challenge of devising effective VoIP security protections requires first identifying these threats in the first place.'"


  1. And us VoIP/Switch/PBX providers will be blamed by quarkoid · Score: 5, Informative

    I run a business which supplies telephone systems. All our systems run VoIP and all can be remotely accessed. It doesn't matter how much I jump up and down about social/network/hardware security, the customers just don't get it.

    Luckily, we do.

    Hypothetical: One of their PCs gets compromised. It runs packet sniffing software which then copies the voice traffic off elsewhere.

    Hypothetical: One of their PCs gets compromised. It runs packet sniffing software which then registers with the switch and proxies external connections out over the customer's PSTN/VoIP trunks, at the customer's expense.

    None of these have happened yet (in fact, one compromised machine we were called in to look after could have given the cracker access to 30 PSTN lines, but was just used for IRC botting), but I'm just waiting for the day when the customer's trunks are attacked. Of course, when this happens, there is a tangible cost element (in terms of the telco charges for the calls made).

    The worrying thing is that there are a number of telecomms wannabes starting up. These are typically IT companies who are seeing their margins disappear and wanting to branch out. These people are mainly selling Asterisk or some form of virtual PBX service. Sadly, these people don't understand telecomms and (much to my surprise) don't appear to understand basic network protocols and terminology (let alone security). These are the companies who'll give VoIP a bad name and who'll cost their customers a fortune.

    Luckily, as with IT, when the sh1t hits the fan, companies like ours will be there to sort it out (and make more money from sorting it out than we would have done in the first place).

    Ho hum.

    Nick.