Interop
Commentary
5/24/2007
04:35 PM
Paul McDougall

Does Your VoIP System Play A Greeting Message For Hackers?

Most big companies have yet to install Internet-based phone systems, but many are considering it. Here's a warning for them: VoIP presents big security risks, a pair of Interop speakers said Thursday.

Fuzzing, Footprinting, SIP Enumeration…familiar with these terms?

Better be, if you're moving to VoIP, according to David Endler, director of security research at TippingPoint, a developer of intrusion prevention systems. That's because the technology is becoming a sexy target for hackers. "It's what happens when an app comes to be considered a killer app," said Endler.

Fuzzing is a kind of denial-of-service attack in which a hacker sends malformed data packets to a VoIP system, causing it to crash. Footprinting is a technique that the black hatters employ to gather information about a VoIP network using search engines like Google.

Among other things, phone extensions for a corporate VoIP network can often be found on Google, Endler cautioned--great for a little social engineering. (BTW, I hate the term "social engineering." Let's call it what it is: Lying to people to get them to divulge information they otherwise wouldn't.)

Endler likened SIP enumeration--where hackers look for vulnerable ports on a network--to a burglar checking for unlocked doors on a house. Once inside, they can glean all sorts of valuable data from a VoIP system. Certain tools can even recreate conversations that took place on a VoIP network.

That's pretty handy if you want advance notice on, say, a big corporate merger.

At the same session, Mark Collier, CTO at VoIP management vendor SecureLogix, said the two biggest sellers of VoIP systems--Cisco and Avaya--could improve their security methods.

"Avaya could do a better job of not putting juicy things in TFTP files…like passwords," said Collier. VoIP users usually need to download those Trivial File Transfer Protocol files to set up their systems out of the box.

Collier also noted that the default settings on Avaya and Cisco systems leave many access services turned on. "That leaves it up to the user or integrator to make sure things are set up properly," said Collier.

VoIP systems can be vastly more flexible and economical than traditional corporate PBX phones. But here's the bottom line: if they're exposed to the Web, they require the same attention to security that other critical network systems receive.

VoIP security, said Collier, "is a real issue."

Collier and Endler operate a Web site devoted to VoIP security topics.
