Tomorrow and Friday in Las Vegas, TippingPoint’s David Endler and SecureLogix’s Mark Collier will make a presentation at the BlackHat conference demonstrating how VoIP systems, such as IP PBXes from Cisco and others, can be breached and hacked.
Based on what I can discern from a BusinessWeek article on the basic theme of their argument — VoIP systems are as susceptible to attacks as any other Internet-based application — Endler and Collier are not saying anything that isn’t true. The exploits mentioned in the article, and which will be covered in their presentation at BlackHat, are widely acknowledged by the cognoscenti in the VoIP-security community.
So, if these threats exist, you might ask, why haven’t we seen and heard a greater number of news reports about them? Well, it’s primarily because not many of these exploits have occurred outside the confines of meeting rooms at security conferences. True, a small number of incidents have occurred, and one is mentioned in the BusinessWeek article, but, at this juncture, VoIP attacks and hacking aren’t widespread and won’t be for some time.
While email, instant messaging, and Web traffic ride across an all-IP Internet, that isn’t true for the vast majority of traffic traveling to and from an enterprise IP PBX.
Typically, because the vast majority of the world doesn’t own an IP phone or an IP PBX, most calls that originate from an enterprise PBX today don’t traverse an all-IP network. Most of the time, a voice session initiated from within an IP PBX-equipped enterprise will travel through a gateway that converts it into a call that can travel across the PSTN and be received as a regular POTS call on a landline telephone. Conversely, calls from outside the enterprise typically are converted from the PSTN into IP packets that can be handled by the enterprise IP PBX.
Notwithstanding vulnerabilities inherent in the Session Initiation Protocol (SIP) or in proprietary protocols that have been used by Cisco, Avaya, and others, VoIP hacking can only occur on and across IP networks. Once the calls enter the PSTN, they’re no longer composed of IP packets, they’re no longer running on an IP network, and they are impervious to nefarious parties and tools that reside on IP networks.
Until carriers and their enterprise customers move their voice networks overwhelmingly to IP, we aren’t going to see a shockingly high number of the exploits Endler and Collier will be presenting and demonstrating at the BlackHat gathering in Las Vegas. Most voice communication today isn’t on the Internet, so it isn’t vulnerable to the same range or intensity of exploits that have been so deleterious to email and other types of IP-based communication.
Telephony will make the switch to IP networks eventually, of course, and we’ll all have to do a far better job securing and protecting VoIP traffic than we’ve done with email. One would hope that many of the mistakes made with other IP-based applications won’t be made again as VoIP adoption grows. Experience is a good teacher, and you’d think we’ve learned a few things from our struggles with spam, viruses, worms, trojans, and other Internet-borne threats.
In that regard, security companies need to be responsible about the content and tone of what they present, whether at BlackHat or in any other forum.
By representing a theoretical, though looming, threat as something that is a ubiquitous real-world danger, security vendors do the industry and the user community a disservice. Prospective VoIP adopters come away more frightened than enlightened, more fearful of the future than hopeful of it, and perhaps more conservative about how quickly they roll out services that not only could be secured effectively, but that have the potential to bring new types of real-time communication and greater productivity to their employees.
Security vendors need to put these VoIP exploits and vulnerabilities into the proper context while offering a fuller, more honest perspective. Scare tactics are irresponsible and unbecoming, even for security companies.
1 response so far
blackhat // March 8, 2007 at 11:52 pm
How hard is it to just pay a developer to fix the bugs in the code? These companies can pay a million dollars for a commercial during the Super Bowl, but when it comes to keeping millions of people identity-theft free, they work on installing more of this buggy software. They want to spread the problem, not fix it. That's sad.