VoIP in ‘08 - Good News, Bad News

With a new year, comes new worries about vulnerabilities, attacks and the like, and 2008 is no different. Whether it’s pertaining to VoIP, IT or just your e-mail account, the stuff is out there swirling around and although it’s anybody’s guess where it can land, it can be an educated guess. The folks at Network World have a good piece on what we can expect in terms of VoIP vulnerabilities in the new year and while the bad news is that threats and attacks will still continue, the good news is that from their vantage point, the situation is not as critical. Phew! You can read the entire piece right here, but in the meantime, a short excerpt:

The potential danger is very real. VoIP is susceptible to the many exploits that networks generally are heir to — denial of service, buffer overflows and more. VoIP PBXs are servers on corporate networks and are only as secure as the networks themselves.In addition, there are many voice-specific attacks and threats. These have been chronicled by researchers and vendors intending to alert users and suggest ways to guard against them.

For instance, two protocols widely used in VoIP — H.323 and Inter Asterisk eXchange — have been shown to be vulnerable to sniffing during authentication, which can reveal passwords that later can be used to compromise the voice network. Implementations of Session Initiation Protocol (SIP), an alternative VoIP protocol, can leave VoIP networks open to unauthorized transport of data.

In addition, tools that can help find vulnerable deployments have been published online by a VoIPSA, an industry group dedicated to securing VoIP. The VoIPSA tools are intended to help businesses test and secure their networks, but these and other online tools can be used to probe for weaknesses as well.

Still, there have been few exploits so far and none that have been widespread or crippling to businesses. “We are not hearing about attacks. We don’t think they are happening,” says Lawrence Orans, an analyst with Gartner.

Part of the reason may be that the largest VoIP vendors use proprietary protocols, such as Cisco’s Skinny, Nortel’s Unistim and Avaya’s variant of H.323, Orans says. That makes them difficult to obtain and study for potential security cracks. “These systems are not readily available to the bad guys,” he says.