VOIP Security

Eavesdropping and toll fraud have long been of concern for businesses as they select and manage their phone systems. But preventing those threats evolves when a company adopts voice over the Internet protocol (VOIP).

VOIP reduces costs and adds efficiencies—such as simplified programming interfaces—to office phone systems. It works by converting analog voice signals into data streams. As such, it can be vulnerable to many of the same security concerns as data networks, including hackers. VOIP also brings with it several unique security concerns, including spam over Internet telephony, also known as SPIT.

About 20 to 30 percent of companies have VOIP-based PBX systems today, according to Joe Hines, CEO of Voice & Data Networks, Inc., a telecom consultancy in Edina. Despite the potential dangers, Hines and other telecom industry sources say breaches of security involving VOIP are relatively rare. But as VOIP proliferates, the likelihood of security breaches could increase—and, sources say, companies should be doing more to protect themselves.

“Some businesses haven’t taken it seriously enough” says Eric LeBow, vice president of business transformation for Spanlink Communications, Inc., a Minneapolis-based telecom equipment provider.

Companies may not be aware of all the risks, and more immediate concerns often take priority. “As long as they have dial tone and no complaints, they may not be spending as much time on it as they would like to,” says Brad Wampole, senior technical consultant for N’Compass Solutions, a telecom services provider based in Minneapolis.

The Risks

Security risks involving VOIP fall into four categories, says Robert Leick, director of engineering for Enventis, a telecom service provider based in Mankato. These include:

• System availability

• Confidentiality of the content of the call

• The integrity of the call, or ensuring that the user is talking to the right person

• Response capabilities

Of these, he says, availability tends to be the biggest problem. Because VOIP networks are essentially data networks, they can be vulnerable to denial of service (DOS) attacks, in which a company is bombarded by data messages that cause the network to slow down or cease to operate. Attackers “try to do thousands of simultaneous connections to one system,” explains Bob Gaines, technology marketing manager for All Covered, a California-based telecom consultancy with an office in Minnetonka. “The router crashes because it can’t respond properly or fast enough, or the normal flow is thin and choppy.”