The benefits of VoIP, unified communications and other Internet-based voice or video communications methods can be significant. There are not only cost savings, but also many improvements in usability and functionality that are compelling for enterprise collaboration and communication.
With the rapid advancement of VoIP, however, as with most any protocol, service or application, the security aspects have not been integrated into organizations' security planning. In this tip, we will examine the particular threats that VoIP poses to communication in the workplace and the related technologies, as well as practical strategies and VoIP security best practices that companies can put in place to lock down VoIP .
Security vulnerabilities in VoIP
Generally, VoIP vulnerabilities can be broken down into three high-level categories (which are similar to many other technologies): protocol, application and implementation vulnerabilities.
An example of a VoIP protocol vulnerability would be devices letting a user turn on the message waiting indicator light on a VoIP phone without the proper authentication to cause a denial-of-service attack of everyone checking their voicemail at once and reduce the trust users have in the system. An example of an application vulnerability would be the recent cross-site scripting flaw in Skype for Mac that allowed for remote control access to the computer, since Skype wasn’t validating the input into the chat client.
Implementation-level vulnerabilities have been more severe and resulted in some attackers being able to listen in on conversations. For example, an attacker could exploit an insecurely implemented VoIP infrastructure by hopping onto a VoIP VLAN, using a man-in-the-middle attack on the connection, and listening to calls where network security best practices were not in place. There are other attacks on VoIP systems related to availability, but the most likely source of a VoIP data breach involves an attacker gaining access to voice or video call data. Since many users expect VoIP to be as secure as the PSTN, they might be surprised that their calls could be intercepted.
Enterprise strategies to secure VoIP communications
As well as outlining VoIP vulnerabilities, the Security and Privacy Threat Taxonomy from the VoIP Security Alliance offers advice on how to secure the protocol. NIST also has a document on Security Considerations for Voice Over IP Systems. In security planning for VoIP systems, organizations may want to keep in mind that some of their VoIP endpoints may not be on the networks they expect and are used in insecure locations. For example, if your enterprise allows software phones on laptops, unencrypted VoIP communications could be intercepted when those laptops roam beyond the enterprise network.
It may be difficult to stop VLAN hopping and ARP poisoning attacks, so, to prevent them, you may want to run remote VoIP systems over a VPN tunnel rather than directly over the Internet. You will also need to ensure proper network security is in place to stop VLAN hopping, ARP spoofing and other network-level attacks. This security could include limiting access via firewalls or using separate networks for VoIP traffic among other methods.
One additional issue you might want to keep in mind when determining if VoIP is secure enough for your enterprise is the level of security of the current PSTN or cellular networks and how VoIP compares. Both PSTN and VoIP offer similar security functionality and both rely on physical cabling to some extent, so they can be sniffed if an attacker has access to the local network. VoIP has the option, though, of potentially encrypting and authenticating the connections much cheaper and easier than on the PSTN.
VoIP security best practices: Conclusions
Given the importance of VoIP communications in enterprises today, the information security team should make sure it is working with VoIP users and management to ensure there is a clear understanding about the risks involved with using VoIP. While the PSTN and cellular networks don’t have perfect security, neither do VoIP systems, though VoIP systems allow for significant improvements in communications technology. Also, VoIP does include security improvements, such as potentially better authentication and encryption of communication traffic, that may help minimize the risks of the protocol. So, while VoIP security risks will remain, enterprises that implement proper VoIP security measures can arguably achieve a greater level of voice communication security than would otherwise be possible.
About the author:
Nick Lewis (CISSP) is an information security architect at Saint Louis University. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.
This was first published in August 2011