Unencrypted VoIP poses security threat

Businesses are switching to Internet telephony without thinking about security, a leading voice over IP (VoIP) manufacturer has warned.

Snom, the German-based provider of IP phones, argues that too few IT managers realise that the RTP packets carrying the audio of a voice over IP call are, by default, not encrypted: anyone who can capture the traffic can reassemble and replay the conversation.

"If you are simply making calls using IP over your LAN then there might not be a security issue," said Ahmar Ghaftar, senior software engineer at Snom. But calls over the public internet, including calls between an office VoIP connection and a VoIP service provider, remain vulnerable to interception.

At CeBIT, Snom unveiled a range of VoIP handsets based around the SIP (Session Initiation Protocol) standard and using the Secure Real-time Transport Protocol (SRTP) for encryption. SRTP encrypts the RTP payload with AES (in counter mode by default) and leaves the RTP header in the clear, adding only a short authentication tag to each packet, so, Ghaftar says, it imposes relatively little processing overhead on the phone itself.
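To make the overhead claim concrete, here is an added example (written for this page; it is not Snom's code nor anything from the original article) of the SRTP packet transform of RFC 3711: the 12-byte RTP header stays readable, the payload is XORed with an AES-CTR keystream whose IV is built from the session salt, the SSRC and the packet index (rollover counter and sequence number), and an 80-bit HMAC-SHA1 tag over header, ciphertext and rollover counter is appended. Assumptions, all labelled in the code: the session keys are constructed constants rather than the output of SRTP's key-derivation function, the packet has no CSRC list or header extension, the rollover counter is supplied by the caller, and no replay list is kept.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	rtpHeaderLen = 12 // fixed RTP header; assumption: no CSRC list or extension
	tagLen       = 10 // SRTP default 80-bit HMAC-SHA1 authentication tag
)

// Constructed session keys for the example only. Real SRTP derives them from
// the master key with the key-derivation function of RFC 3711 section 4.3.
var (
	sessKey  = []byte("0123456789abcdef")     // 128-bit AES session key
	sessSalt = []byte("saltsaltsaltsa")       // 112-bit session salt
	authKey  = []byte("authkeyauthkeyauthke") // 160-bit HMAC-SHA1 session key
)

// SampleRTP builds a constructed G.711 PCMU packet (payload type 0) as a phone would send it.
func SampleRTP() []byte {
	pkt := make([]byte, rtpHeaderLen, rtpHeaderLen+12)
	pkt[0] = 0x80 // version 2, no padding, no extension, CC=0
	pkt[1] = 0x00 // marker 0, payload type 0 (PCMU)
	binary.BigEndian.PutUint16(pkt[2:4], 1234)       // sequence number
	binary.BigEndian.PutUint32(pkt[4:8], 0x0A00)     // timestamp
	binary.BigEndian.PutUint32(pkt[8:12], 0xDEADBEEF) // SSRC
	// Fake mu-law samples standing in for 12 bytes of audio.
	return append(pkt, 0xFF, 0xFE, 0x7F, 0x7E, 0xFF, 0xFE, 0x7F, 0x7E, 0x80, 0x81, 0x00, 0x01)
}

// RTPFields reads the header fields an eavesdropper sees in the clear, for
// plain RTP and SRTP alike. Payload type 0 identifies G.711 mu-law audio.
func RTPFields(pkt []byte) (version, pt int, seq uint16, ssrc uint32, err error) {
	if len(pkt) < rtpHeaderLen {
		return 0, 0, 0, 0, errors.New("short RTP packet")
	}
	return int(pkt[0] >> 6), int(pkt[1] & 0x7F), binary.BigEndian.Uint16(pkt[2:4]), binary.BigEndian.Uint32(pkt[8:12]), nil
}

// srtpIV builds the AES-CTR IV of RFC 3711 section 4.1.1:
// IV = (salt << 16) XOR (SSRC << 64) XOR (index << 16), index = ROC || SEQ.
func srtpIV(salt []byte, ssrc uint32, index uint64) []byte {
	iv := make([]byte, 16)
	copy(iv[:14], salt) // salt occupies bits 127..16
	var t [16]byte
	binary.BigEndian.PutUint32(t[4:8], ssrc)   // SSRC << 64 lands in bytes 4..7
	binary.BigEndian.PutUint64(t[6:14], index) // 48-bit index << 16 lands in bytes 8..13
	for i := range iv {
		iv[i] ^= t[i]
	}
	return iv
}

// xorKeystream applies the AES-CTR keystream; CTR mode is length-preserving.
func xorKeystream(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// authTag computes HMAC-SHA1 over (authenticated portion || ROC), truncated to tagLen.
func authTag(akey, authenticated []byte, roc uint32) []byte {
	m := hmac.New(sha1.New, akey)
	m.Write(authenticated)
	var r [4]byte
	binary.BigEndian.PutUint32(r[:], roc)
	m.Write(r[:])
	return m.Sum(nil)[:tagLen]
}

// Protect turns an RTP packet into an SRTP packet: header in the clear,
// payload encrypted, tag appended. The only size overhead is the tag.
func Protect(rtp []byte, roc uint32, key, salt, akey []byte) ([]byte, error) {
	if len(rtp) < rtpHeaderLen {
		return nil, errors.New("short RTP packet")
	}
	seq := binary.BigEndian.Uint16(rtp[2:4])
	ssrc := binary.BigEndian.Uint32(rtp[8:12])
	enc, err := xorKeystream(key, srtpIV(salt, ssrc, uint64(roc)<<16|uint64(seq)), rtp[rtpHeaderLen:])
	if err != nil {
		return nil, err
	}
	out := append(append([]byte{}, rtp[:rtpHeaderLen]...), enc...)
	return append(out, authTag(akey, out, roc)...), nil
}

// Unprotect verifies the tag first, then decrypts; a forged or corrupted packet is rejected.
func Unprotect(srtp []byte, roc uint32, key, salt, akey []byte) ([]byte, error) {
	if len(srtp) < rtpHeaderLen+tagLen {
		return nil, errors.New("short SRTP packet")
	}
	body, tag := srtp[:len(srtp)-tagLen], srtp[len(srtp)-tagLen:]
	if !hmac.Equal(tag, authTag(akey, body, roc)) {
		return nil, errors.New("SRTP authentication failed")
	}
	seq := binary.BigEndian.Uint16(body[2:4])
	ssrc := binary.BigEndian.Uint32(body[8:12])
	dec, err := xorKeystream(key, srtpIV(salt, ssrc, uint64(roc)<<16|uint64(seq)), body[rtpHeaderLen:])
	if err != nil {
		return nil, err
	}
	return append(append([]byte{}, body[:rtpHeaderLen]...), dec...), nil
}

func main() {
	rtp := SampleRTP()
	_, pt, seq, ssrc, _ := RTPFields(rtp)
	fmt.Printf("plain RTP: PT=%d seq=%d SSRC=%08x payload=%x\n", pt, seq, ssrc, rtp[rtpHeaderLen:])
	srtp, err := Protect(rtp, 0, sessKey, sessSalt, authKey)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SRTP: header=%x payload=%x tag=%x\n", srtp[:rtpHeaderLen], srtp[rtpHeaderLen:len(srtp)-tagLen], srtp[len(srtp)-tagLen:])
	back, err := Unprotect(srtp, 0, sessKey, sessSalt, authKey)
	fmt.Println("round trip ok:", err == nil && bytes.Equal(back, rtp))
}
```

Running it shows the point of the article in bytes: the plain packet exposes the codec and the samples to anyone on the path, while the protected packet grows by exactly ten bytes, keeps its header parseable for NAT and RTCP purposes, and carries ciphertext that a single flipped bit will cause the receiver to discard before decryption.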

Other VoIP vendors, including Cisco and Avaya, as well as a growing number of voice over IP service providers, support SRTP. However, the protocol has yet to receive official approval from the Internet Engineering Task Force (IETF). Some manufacturers are backing related work such as MIKEY (Multimedia Internet KEYing), which is a key-management protocol for agreeing the keys an SRTP session uses rather than a replacement for SRTP itself.

"We expect SRTP to be a standard, and most service providers, as well as a growing number of firewall manufacturers, support it," Ghaftar explained. As yet, however, few companies selling wireless VoIP handsets or VoIP-ready mobiles have implemented SRTP.

In the meantime, security experts strongly recommend that companies review the security measures they have in place for their VoIP systems.

"The thing that surprises me is that the primary focus of VoIP has been around quality of service, with security playing second fiddle," cautioned Greg Day, security analyst for EMEA at McAfee. "People are not taking security as seriously as they could. They are mostly worried about making the quality of VoIP as good as it is on their analogue phones. If you mention security, their first reaction is to worry about reduced performance."

According to Day, consumer-focused Internet telephony technologies such as Skype actually have a greater level of security, including encryption and port randomisation, than some professional solutions.

McAfee recommends that companies implementing VoIP consider three issues: the possible impact of an attack on the company's network on both voice and data traffic; potential vulnerabilities in VoIP software or in network equipment such as switches and routers; and the possibility of electronic eavesdropping on the calls themselves.

"The fact that we have converging services - where telephony is overlaid on data services and they are sharing bandwidth - means that if there is a data attack it could damage the IP infrastructure enough to stop both voice and data services running," Day warned.