VoIP threats are seriously overrated

For over a hundred years, the public switched telephone network (PSTN) has gained reputation of stable and secure service. Even though it’s neither: it is indeed very hard to bring down a whole telco network, but local outages are not unseen; and wiretapping is somewhat trivial attack – but financial institutions bravely offer phone banking without any additional logon protection. Cordless and mobile phones took PSTN security paradigm to radio spectrum.


Enter Voice over IP. All of a sudden, VoIP Is Scary. We have VoIP vulnerability scanners and SIP firewalls. Consultants and press endlessly warn us about VoIP threats and risks. Some bits are just lovely:



We will also start to see more and more VoIP specific attacks, particularly aimed at the enterprise. There is more and more scrutiny of VoIP systems and attackers will find more issues that are unique to VoIP and the systems that enable it. 



This is one of VoIP security trends for this year, according to Mark Collier, a VoIP security blogger and speaker. I can’t help noticing that VoIP can be really replaced with any relatively new but popular technology (XML Web services, AJAX, peer-to-peer networks), and it still going to be a trend for this year. Hackers, you know.  Reminds me of the Cisco’s security CTO moronic escapade about Vista.


Someone needs a reality check: VoIP still offers a telephone service. And you shouldn’t expect more than PSTN security levels
– unless you intend to create closed, strictly controlled network. One
may argue – telephone switches are now using commodity hardware and
operating systems, so risk of attack is higher. I’d say – by replacing security through obscurity with commodity system security, we have good chances of increasing overall security. Anyone who thinks that proprietary systems are safer can be disillusioned by reading Phrack and 2600. So don’t worry too much – VoIP isn’t scary after all.

Leave a Reply

Your email address will not be published. Required fields are marked *


*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>