Business Week: Is Your VoIP Phone Vulnerable?

This morning Business Week weighed in on the ongoing Pena/Moore story with their article “Is Your VoIP Phone Vulnerable?” Given that the article covers mostly familiar ground (and, like most articles in the mainstream press, brings up the fear of SPIT), the significance to me is not so much the content as it is the fact that it is in Business Week, which is well read and highly regarded within at least North American corporate leadership. I do agree with the conclusion:

Businesses would do well to consider the threats on the front end, given how fast VoIP adoption is growing. Although only 5% deploy VoIP companywide, 87% of companies are using VoIP in some capacity. Numbers like that may be too alluring for hackers to pass up.

Security should definitely be considered as part of a VoIP rollout plan – and you definitely need to be asking your vendor / reseller about the security of the VoIP system you are looking to implement.

The challenging part about this article – and most others I have seen on the subject in recent days – is that it lumps everything into a broad “VoIP” category while the reality is that there are definite differences between enterprise VoIP systems and the consumer / wholesale VoIP market. Now I don’t personally work in the consumer/carrier/service provider space, so I can’t really speak to that space, but I do see more and more “VoIP providers” popping up offering wholesale termination services. From an outsider’s point-of-view, it looks a bit Wild West-ish and in that cauldron of competition, I could easily see some newer entities overlooking security in the rush for the gold. However, through communication among VOIPSA members, I know that there are certainly service providers who do have a clue and are offering secure services. Unfortunately all get tarred with the same brush.

That same brush in articles like this unfortunately tars all of us on the corporate enterprise side as well. And I suppose the same “Wild West” image could be applied to a certain limited degree given the number of small startups launching various IP-PBXs. But that’s not the overall reality. While many of those new entrants are thriving, most corporate enterprises are still buying their phone systems from a limited range of vendors: 3Com, Alcatel, Avaya, Cisco, Mitel, NEC, Nortel, Polycom, Siemens… and probably a few others who I am forgetting right now. The point is, though, that within the enterprise market most all of us are offering VoIP systems that do provide security against many if not most or all of the threats outlined in the VOIP Security Threat Taxonomy (some of those vulnerabilities lie in the corporate network and so there is only so much we as vendors can do). Now each one of us will of course have our own reasons why our security is better than our competitors’ – and some are offering more security than others – but the point is that we do provide secure VoIP.

The challenge is that to those of us on the inside, the “VoIP industry” is this large space with lots of different segments and players. We can see the differences I outline (and many more). But to the larger business world, Voice over IP in general is so new that everything gets labelled as “VoIP”. That will change over time… and really it falls to organizations like VOIPSA and others to help in that education.

In the meantime, articles like this one in Business Week will hopefully at least cause businesses to ask questions about the security of their VoIP products – and VoIP services. To me, that’s a good thing.

[Full disclosure: I work at Mitel.]