VoIP Security and the Laptop

Despite VoIP technology having taken off, VoIP security is seldom regarded as a critical issue. That's surprising because VoIP is inherently insecure. It's a lot less secure than the plain old telephone system (POTS).

It's a relatively new technology and many people are still asking "what is VoIP?" They may know it's a way of making cheap phone calls, but little else. They want to know about the pros and cons.

VoIP is a digital technology that operates over IP networks, which may include public networks such as the Internet. It's a computer application and as such it's susceptible to all the same exposures as computer systems and data networks. Those threats that we have become familiar with in the IT world also apply to VoIP.

The security threats include all the usual suspects: viruses, worms, Trojan horses, DoS (denial of service) assaults and hijacking, but in addition VoIP is also vulnerable to: toll fraud, phishing, SPIT (Spam over Internet Telephony) and eavesdropping. Tool sets have even been developed that will add, delete and change words in a VoIP conversation.

The use of VoIP has laptop security implications and visa versa. Just like email, VoIP is a potential malware distribution channel. Going the other way, a PC can be infected via vectors unrelated to VoIP that then impair VoIP security or result in denial of service.

VoIP security can be addressed by many of the same tools and disciplines that have been used for years in the IT world:

• Anti-virus products
• Firewalls
• Encryption
• VPNs
• Trusted devices

Probably the biggest challenge is that VoIP users see VoIP as simply a telephone system and most of us aren't too concerned about the security of our phone calls. That attitude has carried over into how we treat VoIP technology, but it's a totally different from the traditional PSTN (public switched telephone network). VoIP security cannot be taken for granted.

Types of VoIP User

1. Corporate VoIP - running off internal or hosted switches and servers, usually over private IP networks and VPNs.


2. Consumer / small business VoIP - using peer-to-peer technology over the Internet.

VoIP Vulnerabilities

1. Is the desktop or laptop operating system secure and patched to the latest level?


2. Is the firewall enabled and configured with appropriate settings?


3. Is antivirus software installed and up to date with the latest definitions?


4. Is the desktop or laptop regularly scanned for malware?


5. Does the VoIP client encrypt communication?


6. Is sensitive data on the desktop or laptop encrypted?


7. Does VoIP traffic share networks with public traffic when traversing the internet or is contained within a virtual tunnel?


8. Is the VPN client the latest patched release?


9. Are account IDs and passwords strong and secure?


10. Has all file sharing software been deleted?

VoIP Security Threats

• Virus infection: Until now the most common route used by hackers attacking Skype accounts has been via its IM facility. Examples include Ramex which delivers a link to a graphic. The graphic carries a payload.


• SPIT: Spam over Internet Telephony. The ability to make free international VoIP calls is great, but it also means that unsolicited phone calls can be made from anywhere and they will probably be untraceable.


• Eavesdropping, call alteration and call re-routing: in a digital world it's not necessary to break and enter to achieve these outcomes.


• Data: the big exposure for laptop users is that by making or receiving a VoIP call they are opening a communication port to their confidential data as well.


• Fraud: usually resulting from poor authentication procedures, lax password security and key logging.

Hopefully after reading this laptop users with Skype or other peer-to-peer options will be a little more concerned about security. That is not a bad thing; however we note that Skype VoIP runs over a proprietary encrypted VPN that has been judged by cryptologists to be highly secure. Corporate IT administrators don't like the fact that it's a closed proprietary protocol. We would argue that makes Skype more secure and along with millions of others we will continue to make free VoIP calls.