In 1875, Alexander Graham Bell set up the first telephone
connection. He stretched a wire to the adjoining room and uttered
the famous sentence, “Mr Watson, come here. I want to see
you." Telecommunications has come a long way, since then.
Telephone circuits have expanded to circumnavigate the earth many
times over. Everyone is just a call away. With the advent of the
Internet, even the exorbitant charges thus far levied by telephone
companies cease to be a problem. Calls can now be made at a nominal
cost, if not for free.
Just like telephone companies, the Internet can digitize and
compress voice and send it as data anywhere in the world. This
theory was further transformed into many techniques like ATAs
(analog telephone adapters), or IP phones or simple
computer-to-computer communication. The basic idea is the same:
convert normal analog voice to digital signal, put it in the data
portion of an IP packet—Voice over Internet Protocol
(VoIP)—and send it across through the Internet at a fraction
of the cost of a telephone call.
Since the cost aspect seemed too good to be true, we started
worrying about security. From our years of experience, we knew that
the Internet is an insecure medium to send data over. So, is it
safe for voice?
What can go wrong with VoIP?
The most serious fear is a Denial of Service (DoS) attack. What if
the network is flooded with spurious traffic and all VoIP phones go
dead? Fortunately, we have not yet faced such an attack. One reason
could be the relative low density of VoIP phones. In addition,
despite the lure of merging data and voice networks, we are not yet
ready to bid adieu to PSTN (public switched telephone
network)—tried, tested and proven for more than 100
years.
In recent times, several new acronyms have cropped up to describe
security threats for VoIP. We now dread SPIT (spam over internet
telephony). Similar to the ubiquitous phishing e-mails (spam) that
threaten to suspend our credit cards if we do not give our
password, PIN and social security number, there are vishing attacks
through voice calls. These calls can intimidate unsuspecting users
to call a given number and confirm their account credentials.
Also, there is the ever-present threat of viruses, worms and
Trojans that can infect our IP phones and other telecommunication
devices too. VoIP calls can also be spoofed, eavesdropped, hijacked
or intercepted by MITM (man-in-the-middle) attackers. Then, there
is the worry about toll frauds.
All these are very tangible risks. We have faced these on our data
networks and on voice networks. There is no doubt that we might
face all these on our VoIP communications. So, it seems that the
attack surface has just increased manifold for voice communication
using IP.
Is there a way to negate risks?
VoIP is bound to overtake traditional telephone communication. The
cost savings are enormous. We will just have to learn to cope with
all the threats. Enough security technologies are being developed
for data traffic on the Internet. In order to counter the treat,
VoIP will see heavy usage of cryptography. It is likely that new
VoIP-aware firewalls, IDS, and IPS will be deployed in the near
future. Already, Turing tests are being employed to check if the
VoIP caller is human or machine.
The ideal solution would be to educate ourselves, so that we do not
to fall prey to any vishing attack. We should also learn to scan
our IP phones for viruses before we make a call. At the end of the
day, the price we pay for securing ourselves will still be much
smaller compared to the savings we will make.