Security an issue in dual-mode VOIP phones
- By William Jackson
- Aug 02, 2007
LAS VEGAS ' Everyone probably knows that VOIP is not particularly secure, but it's vulnerabilities traditionally have received little attention in the enterprise.
'Most didn't prioritize VOIP security because it was an island,' said Eric Winsborrow, chief marketing officer at Sipera Systems. But voice is moving from being an isolated local-area network to being another application in a larger environment, bringing with it all of the risks associated with traditional networks.
Sipera is highlighting its research in dual-mode Wi-Fi and cellular phone vulnerabilities at the Black Hat Briefings information technology security conference. It is demonstrating a buffer overflow attack on a device, dropping in a shell code to take control of it. This allows access to all of the data and applications on the end device.
'As vulnerabilities translate into exploits, it is very easy' to access data resources through a voice network, said Krishna Kurapati, Sipera founder and chief technology officer. Tools exist in the wild to carry out the exploits, but have shown up so far primarily in Asia, where adoption of mobile broadband and multifunction devices has been higher than in this country.
That could change as new functionality becomes increasingly popular here. VOIP exploits in this country have primarily focused on toll fraud and denial-of-service attacks. They have been irritating, but because they have been largely confined to voice networks the financial consequences have been limited. But Kurapati expects that to change as integration of voice and data networks grows.
Securing VOIP is more complex than just looking at another protocol on the network. The always-on, time-sensitive nature of this application requires a higher level of availability and less latency than can often be tolerated in a data network. Because of false positives security evaluations and delays in traffic are unacceptable in voice traffic, traditional technology for monitoring and filtering traffic may not work with voice and a new generation of security tools may be required for the next generation of voice and data networks.
William Jackson is a Maryland-based freelance writer.