Cisco's got a new book out on securing VoIP. IT World interviewed author Patrick Park on assessing threats, vulnerabilities, and how to make VoIP reasonably secure.
Park says intercepting VoIP is not easy in a real service environment. A malicious party has to have a sniffing tool located in the same broadcast domain as the IP phone, or has to be on the same media path, in order to eavesdrop. And if the media packets are encrypted, they are "useless," even if intercepted.
However, Park goes on to note that VoIP has "too many sources of vulnerability" to make it completely secure, and it is hard to control every component involved to provide 100 percent security. Vulnerabilities are introduced by the existing infrastructure, including the network, operating system, and/or web server that VoIP applications are running on, plus the applications' own vulnerabilities coming from VoIP protocols and devices.
SPIT - basically spam on VoIP - also is discussed in the book. SPIT is becoming more popular because it is more cost-effective for spammers and more effective than email spam. Most spam filters do a reasonable job of blocking email, but since SPIT delivers real-time (i.e., voice) media, users typically have to listen to the call before they can recognize whether it is spam.
For more:
- Read the interview at IT World [1].
Related articles
VoIP Security and the Circle of Trust - FierceVoIP [2]
Thinking about Vishing VoIP security - FierceVoIP [3]
Links:
[1] http://www.itworld.com/security/62562/securing-voip?page=0%2C0
[2] http://www.fiercevoip.com/story/voip-security-and-circle-trust/2008-05-06
[3] http://www.fiercevoip.com/story/thinking-about-vishing-voip-security/2008-11-19