By Wayne Rash April 5, 2005
Dr. Shashi Phoha, director of the Information Technology Laboratory at the National Institute of Standards and Technology, said she thinks that the growth of VOIP technology brings with it some significant risks that users need to be prepared to address.
"The vulnerabilities are severe," she said, pointing to a list that included ways to spoof or spy that aren't easily available on regular phones.
One of the biggest sources for vulnerabilities is the involvement of personal computers in creating VOIP solutions.
She said that while it may not appear to be that critical, the fact that it can be relatively easy to hack into computers can also expose the phone system to fraud and abuse.
Phoha's list went on to address the availability of open source eavesdropping tools, that digital phone calls could be edited by digital voice editors to add, remove or change words without any possibility of detection.
She also said that the government was worried that it would be relatively easy with VOIP phones to bug a room using on-hook audio.
This is a technique in which hackers or spies can turn on the microphone in a VOIP handset while it remains on its cradle.
This way, the phone would appear to be operating properly while actually transmitting every sound within its range to a remote site.
Other things that keep Phoha worried, she says, are the vulnerabilities related to soft phones, which are applications that work like phones, but are entirely software and are run on personal computers.
She said that these phones are vulnerable to worms, viruses and Trojan horses, and could spread these problems throughout the voice network.
[Lisa notes: And you know, she has good points. Consider how many computers are 'Zombies' which spend their time attacking other computers. Would it be that much of a hassle to continue the 'zombification' to include the VOIP terminals on computers? Read my third article today in this series about SPIT (spam over Internet telephony) which has begun to make its appearance.]She says that what worries her the most, however, are "attacks we haven't thought of yet."
Phoha made her remarks at a panel discussing VOIP held at the National Press Club a few weeks ago.
Phoha said that it's possible to combat some of the threats her organization is finding by careful design and risk analysis.
She said that risk can also be reduced by using encryption of the voice traffic, and by using VOIP-specific intrusion detection systems and firewalls.
She also advocated keeping data traffic and VOIP on logically separate networks. She noted that her group is also working to develop new security architectures for use by the government, but that commercial and private users should also consider following the NIST recommendations, which are available on the agency's Web site.
Check out eWEEK.com's VOIP & Telephony Center for the latest news, views and analysis on voice over IP and telephony.
Copyright 1996-2005 Ziff Davis Publishing Holdings Inc.