VoIP threats are seriously overrated

For over a hundred years, the public switched telephone network
(PSTN) has gained reputation of stable and secure service. Even though
it’s neither: it is indeed very hard to bring down a whole telco
network, but local outages are not unseen; and wiretapping is somewhat
trivial attack – but financial institutions bravely offer phone banking
without any additional logon protection. Cordless and mobile phones
took PSTN security paradigm to radio spectrum.

Enter Voice over IP. All of a sudden, VoIP Is Scary.
We have VoIP vulnerability scanners and SIP firewalls. Consultants and
press endlessly warn us about VoIP threats and risks. Some bits are
just lovely:

We will also start to see more and more VoIP specific attacks,
particularly aimed at the enterprise. There is more and more scrutiny
of VoIP systems and attackers will find more issues that are unique to
VoIP and the systems that enable it.
 

This is one of VoIP security trends for this year,
according to Mark Collier, a VoIP security blogger and speaker. I can’t
help noticing that VoIP can be really replaced with any relatively new
but popular technology (XML Web services, AJAX, peer-to-peer networks),
and it still going to be a trend for this year. Hackers, you
know.  Reminds me of the Cisco’s security CTO moronic escapade
about Vista
.

Someone needs a reality check: VoIP still offers a telephone service. And you shouldn’t expect more than PSTN security levels
– unless you intend to create closed, strictly controlled network. One
may argue – telephone switches are now using commodity hardware and
operating systems, so risk of attack is higher. I’d say – by replacing security through obscurity with commodity system security, we have good chances of increasing overall security. Anyone who thinks that proprietary systems are safer can be disillusioned by reading Phrack and 2600. So don’t worry too much – VoIP isn’t scary after all.

Leave a Reply

Your email address will not be published. Required fields are marked *


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>