Wednesday, June 28, 2006

VoIP Security and Technology Maturity

Traditional telephony services, using Private Branch Exchange (PBX) systems and dedicated wiring are being supplanted by provision of telephony services over existing IP-based networks. Referred to as Voice over IP (VoIP), these services provide cost savings by using the same cable plant for both voice traffic and data traffic, and by permitting calls to be routed over lower cost IP networks.

Supporting voice traffic over existing IP-based networks means telephony services are subject to the same attacks that have traditionally plagued data networks. Virus outbreaks, denial of service attacks, and eavesdropping are threats found on IP based networks that are not typically found on traditional telephony systems. Compounding the security issues is voice traffic’s lack of tolerance for performance degradation. End user expectations of voice systems performance and reliability are much higher than for information systems. A lack of dial tone is much more disruptive of work processes than is a delay in receiving email messages.
VoIP provides a tempting target for attackers. Common data network attacks may be used to perform toll fraud, voice wiretapping, and to shut down VoIP systems with denial of service attacks. Impersonation of users supports fraud as well as general mischief. In common with older PBX-based phone systems, theft of service is an issue.

VoIP protocols have often been designed with only secondary attention to security. Low tolerance for network latency hampers use of encryption and network proxies as security countermeasures. This emphasis on performance and reliability is common with many emerging technologies.

VoIP security, in my opinion, is at the same stage as Web-based ecommerce security in 1995. The service is new and growing rapidly, standards are being tested, and technical innovators are putting out something new almost every day. Security specialists are concerned about possible threats but can only speculate what these threats might look like, and which threats will turn out to have the most impact.

With VoIP security, we have seen several recently published books attempting to cover the subject:

  • Voice over Internet Protocol (VoIP) Security, by PhD, CISM, CISSP, James F. Ransome, PhD, CISM, John Rittinghouse (Elsevier)
  • Practical VoIP Security, by Thomas Porter, Jan Kanclirz Jr. (Syngress)
  • Understanding Voice over IP Security, by Alan B. Johnston, David M. Piscitello (Artech)

(Note that a “Hacking Exposed” book covering VoIP is promised for future publication.)

Of these, I have read the first two. Both appear hastily written, to capitalize on an emerging high-interest field. Both spend a large portion of their text covering background material on IP networking and traditional telephony systems (even though the latter topic is only marginally relevant to VoIP security). Lastly, their coverage of threats, vulnerabilities, and countermeasures is an amalgam of existing IP-based data network attacks (hacker, worms, etc.) and traditional telephony concerns (mainly toll fraud).

I don’t fault these books too much for their failings. As an author, I understand the pressures and constraints of technical book publishing. The problems in writing about VoIP security reflect the immaturity of the field as much as the constraints of the media.

With little history of actual attacks, security specialists can only speculate on how VoIP systems will be compromised. This speculation naturally borrows from the two networking disciplines most related to VoIP – IP-based data communications and traditional PBX-based telephony. Think about trying to assess the threats to online ecommerce in 1995. You’d probably look at the prior ten years of public network security intrusion and combine this with some knowledge of fraud in the catalog retail business.

I recall reviewing an audit done by a “Big 6” firm of a Public Key Infrastructure system in 2000. The audit program was a mix of a standard IT general controls review and the IETF RFC defining PKI best practices. That audit program was the best that could be done absent a track record of PKI installations to provide real insight into PKI control issues. A similar exercise for a contemporary VoIP audit would likely yield similar observations.