David Endler, elected last month to head the first industry-wide organization devoted to promoting VoIP security, the Voice Over IP Security Alliance (VOIPSA), assumes the chairmanship at a critical juncture. Voice over IP (VoIP) is taking off like a rocket. It was once a distant promise; now the consensus among industry watchers is that, in the plain words of In-Stat's Sam Lucero, VoIP "is the future of voice communications."
That future is now, according to VOIPSA, and along with it have come the inevitable and omnipresent security threats. "As VoIP increases in popularity and number of deployments, so will its attractiveness to potential attackers who now have a more accessible playground to poke at this new technology," Endler observes.
And he should know. Endler is the director of TippingPoint Technologies' Digital Vaccine security research division. Prior to that, he led the research division of iDEFENSE. In terms of security, Endler has seen it all -- and he sees trouble coming for VoIP users who don't take network security issues to heart.
"VoIP networks inherit most of the same security threats that traditional data networks are plagued with today," he notes. "However, by adding new VoIP components to an existing data infrastructure, new security requirements are also added: quality of service, reliability, and privacy. We can expect to see over the next year or two VoIP-specific attacks emerge that go beyond today's more prevalent data network vulnerabilities, but try to exploit the VoIP applications themselves."
In addition to the expected data network threats, Endler points out that security vulnerabilities have also been discovered in the H.323 and Session Initiation Protocol (SIP) protocols themselves.
The worst-case scenario is dire, indeed. As if denial-of-service attacks, viruses, Trojans and worms weren't enough, the privacy implications of digital eavesdropping on voice calls, identity theft and voice theft are immense. But beyond that, Endler says, our reliance on voice communications for basic needs raises the stakes even higher. The bottom line, he says, is that "the worst case scenarios involve life and death implications when you look at emergency services call centers" like 911, police and fire departments.
A big part of the problem is that VoIP users just aren't fully aware of the number and magnitude of security threats to IP voice networks. However, that's not entirely their fault. "The threats have not been well identified and laid out yet in a coherent manner," Endler says. "That's one of the things VOIPSA is trying to change with one of our first short-term projects, the VoIP Security Threat Taxonomy."
In the longer term, the alliance aims to put VoIP security at the top of the telecommunications and corporate IT agenda. One of VOIPSA's major goals is to get VoIP users, providers and vendors talking about what they can do to defend IP voice networks against threats.
"Until now, no single organization or group had strongly emerged to help organizations understand and mitigate VoIP security risks through discussion lists, white papers, sponsorship of VoIP security research projects, and the development of free tools and methodologies for public use," Endler says. "We aim to rally vendors, telecom providers, and researchers to join and participate in these goals."
VOIPSA has set up a Community Outreach committee to refine and transmit its message through a web portal and the VOIPSEC mailing list. According to Endler, the alliance will be making its presence felt in the near future at industry conferences and at VOIPSA-sponsored events.