Ejovi Nuwere

The problem with VoIP Security

Posted by ejovi nuwere
September 25, 2005

If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

I was quoted in a recent Boston Globe article on VoIP security. Someone is always raising the red flag of FUD when they see a quote that screams “beware.” And yes, my company provides VoIP Security services. But I’m not trying to scare anyone into buying my services. If you think I am off the ball on the true danger within VoIP technology consider the following:

I think the greatest threat to VoIP security is bad code! Vulnerability in VoIP products will lead to DoS and remote system compromise.

Vendors think the greatest threat to VoIP security is Voice SPAM and call ease dropping.

My opinions are based on history. Look at vulnerabilities in Apache, IIS and most major mail servers. The greatest business damage came from remote code execution, not spam or web page ease dropping.

My concerns place greater responsibility on the vendor

The vendors concerns places greater responsibility on outside forces. Spammers, network administrators.

The vendors are selling anti voice spam and VoIP encryption products. Keeping those issues in the news means more product sales?

Do we really expect VoIP vendors to say they have security flaws in their code?

Everytime I’ve speak about VoIP security I have always cut the vendors a lot of slack. VoIP code is inherently complex and difficult to make secure. I don’t think vendors are ignoring the problem, its just difficult to get right. The fact remains that not many people are talking about this fundamentel insecurity in VoIP products. Bad code. And in that since its like 1999 all over again.

Information and Links

Join the fray by commenting, tracking what others have to say, or linking to it from your blog.

Information: September 25th, 2005; 2 Responses

Feeds and Links: Comment Feed; From This Author; Del.icio.us; Digg; Technorati

Categories

Other Posts: Talking about Phishing; SecurityLab Secret Research

Reader Comments

Comment Number:: 1
Written by:: stijn
Posted on:: September 26, 2005 at 8:25 am

I agree with your pro-active approach by setting bad code on number one. But don’t forget that code is written by humans and they make mistakes. Always.

Take buffer overflows, we have been knowing them for years and still every day those vulnerabilities pop up.

It will take a generation and education changes to produce coders with a security mindset. At the end of the day, it’s the responsibility of you and me, security pros to provide the confidentiality of VoIP.
Not coders they deliver complex functionality.

For now, the companies spend more time in Return On Investment and functionality requirements…

If a VoIP connection can not match up with normal PSTN, it just won’t be deployed.

Comment Number:: 2
Written by:: ejovi nuwere
Posted on:: September 26, 2005 at 9:39 am

I agree. Most vendors are, and need to be focusing on “making it work.” That’s why I cut vendors a lot of slack. But we should be atleast talking about this issue now so we don’t go through the whole cycle again of rushing to fix it at the very last minute.

The problem with VoIP Security

Information and Links