Why Computerworld.au is dead wrong about “Enterprises must avoid IP telephony for teleworkers or face attack”

“Enterprises must avoid IP telephony for teleworkers or face attack”? Huh? The headline on this ComputerWorld.au article was just too much to believe. Why not simply say:

Enterprises must avoid using the Internet or face attack

which is about as valid a headline. (And, on one level, it’s true – disconnected from the Internet you won’t be attacked from the Net!) The problem I have is that this headline lumps together both “smart” (secure) and “stupid” (insecure) IP telephony implementations.

Perhaps the headline most annoys me because I spend every day talking on a secure VoIP teleworker set, and because the ability to securely deploy an IP phone anywhere you can get an IP address is, to me, the “killer app” for VoIP. In fact, I have three such teleworker phones here on my desk (I have become a phone geek… they are all different models). What is so dreadfully wrong about the article headline is this one basic fact:

Almost all enterprise IP telephony vendors already have a solution today to allow secure teleworker deployment!

Okay, so full disclosure time – I was the product manager for Mitel when we rolled out our secure teleworker solution back in January 2003, so I’m just a wee bit biased here. But the reality is that all of us playing seriously in the enterprise IP telephony market have solutions, today, that solve this problem and let teleworkers work securely from wherever they are. Outside of Mitel, Cisco does. Avaya does. Nortel does. I’m sure the others do, too. You have to in order to be taken seriously.

Sadly, the headline and first paragraph are so wrong that it is tempting to dismiss the entire article, but the article actually contains some valid points. Let’s try it again with a new headline. Here’s how I might have written it:

Enterprises must avoid INSECURE IP telephony solutions for teleworkers or face attack

While that’s not as sexy and probably won’t attract as much “link love” as their strong statement, it’s much closer to the truth. For instance, if you were (or are) clueless enough to deploy a system on your network that is directly connected to the Internet that still uses the default passwords, then, I’m sorry, but you get the attacks your cluelessness deserves. Consider this quote:

“If users fail to change default settings, hackers can access a hole into the network by locating the VoIP Web server [on Google] and could find usernames and passwords in installation documentation from the vendor’s Web site,”

Yes, indeed. There are any number of sites that will tell you how to use Google to find IP phones, and default passwords are posted on numerous sites around the net. The article does go on to talk about how IP phones could potentially, if compromised, be used to attack other systems. It provides a bit of a scare there in saying that you could log keystrokes for online banking… perhaps a bit of a stretch, but in truth there is at least one IP phone vendor out there that at one point included the ability to initiate a packet capture from the phone, so in that particular case the phone could indeed capture all packets passing through it, and thereby any keystrokes sent unencrypted (from whatever PC was plugged into the phone’s second port, presumably). So yes, that kind of thing is possible. And the article concludes with valid advice:

…the solution is to disable VoIP Web servers, change default usernames, passwords and voicemail greetings.

All excellent advice that should be part of a standard “defense in depth” plan that looks at how you secure the overall system.

Yes, if you cobble together some IP telephony solution for teleworkers without thinking about security, you could and probably will face attacks. I could see someone putting a SIP proxy server on the edge of a network and giving teleworking employees a free SIP softphone or cheap hard phone that doesn’t support secure SIP (SIP over TLS) and SRTP, not realizing that all their voice and call signaling will be transmitted across the Internet in the clear. I could see someone sending the phones out to remote employees and not changing the password, or using a simple password, so that remote administration could be “simpler” and “more convenient”.

Do something that stupid and yes, you will be attacked.
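As an added example (my own code, not from the original post, from ComputerWorld or from any vendor), here is a small Python audit that takes a captured SIP INVITE and reports exactly the things the paragraph above warns about: signaling carried over UDP rather than TLS, an SDP offer of plain RTP (RTP/AVP) rather than SRTP (RTP/SAVP), and a Digest credential that is readable on the wire. It then shows why that last point matters once a “simple password” is in play: the SIP digest response is a deterministic MD5 of the password plus values that are themselves in the captured message, so anyone who sniffed the exchange can test guesses offline. The capture, the extensions 1001 and 2001, the realm pbx.example.com, the addresses, the nonce and the PIN are all constructed for this example.

```python
"""Added example: audit a captured SIP INVITE for cleartext signaling, non-SRTP
media and exposed digest credentials, then show why a weak password is then
recoverable offline.  Not from the original post; every name, address and
value below is constructed for illustration."""
import hashlib
import re


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest response (no qop), the scheme SIP (RFC 3261) inherits."""
    md5 = lambda s: hashlib.md5(s.encode()).hexdigest()
    ha1 = md5(f"{username}:{realm}:{password}")
    ha2 = md5(f"{method}:{uri}")
    return md5(f"{ha1}:{nonce}:{ha2}")


def parse_sip(raw):
    """Split a SIP request into (request line, lower-cased header map, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def digest_fields(headers):
    """Yield (header name, parsed fields) for each Digest credential header."""
    for name in ("authorization", "proxy-authorization"):
        for value in headers.get(name, []):
            if value.startswith("Digest"):
                yield name, dict(re.findall(r'(\w+)="([^"]*)"', value))


def audit(raw):
    """Return human-readable findings for one captured SIP request."""
    _, headers, body = parse_sip(raw)
    findings = []
    # The Via transport tells us what the wire carried: TLS means an on-path
    # observer sees ciphertext; UDP or TCP means every header is readable.
    via = headers.get("via", [""])[0]
    transport = via.split()[0].split("/")[-1].upper() if via else "?"
    if transport != "TLS":
        findings.append(f"signaling over {transport}: every header readable on the wire")
        for name, f in digest_fields(headers):
            findings.append(f"{name} exposes digest for user {f.get('username')!r}")
    # SDP media lines: RTP/AVP is plain RTP, RTP/SAVP (or SAVPF) is SRTP.
    for m in re.finditer(r"^m=(\w+) \d+ (\S+)", body, re.M):
        if not m.group(2).startswith("RTP/SAVP"):
            findings.append(f"{m.group(1)} offered as {m.group(2)}: media is not SRTP")
    return findings


def offline_guess(raw, candidates):
    """Test candidate passwords against a digest captured from cleartext SIP.
    Each guess costs three MD5 operations, so a simple password falls fast."""
    request_line, headers, _ = parse_sip(raw)
    method = request_line.split()[0]
    for _, f in digest_fields(headers):
        for pw in candidates:
            if digest_response(f["username"], f["realm"], pw, method,
                               f["uri"], f["nonce"]) == f["response"]:
                return pw
    return None


# Constructed capture: a teleworker's cheap phone behind a SIP proxy on the
# network edge, using plain UDP, plain RTP and a "convenient" four-digit PIN.
WEAK_PASSWORD = "1234"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
URI = "sip:2001@pbx.example.com"
RESPONSE = digest_response("1001", "pbx.example.com", WEAK_PASSWORD, "INVITE", URI, NONCE)
AUTH = (f'Digest username="1001", realm="pbx.example.com", nonce="{NONCE}", '
        f'uri="{URI}", response="{RESPONSE}"')
SDP_PLAIN = ("v=0\r\no=- 1 1 IN IP4 203.0.113.10\r\ns=-\r\nc=IN IP4 203.0.113.10\r\n"
             "t=0 0\r\nm=audio 49170 RTP/AVP 0 8\r\n")
# Hardened counterpart: SRTP profile plus an SDES key line (illustrative key).
SDP_SRTP = (SDP_PLAIN.replace("RTP/AVP", "RTP/SAVP") +
            "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz\r\n")


def build_invite(transport, sdp):
    """Assemble a minimal INVITE over the given transport with the given SDP."""
    return (f"INVITE {URI} SIP/2.0\r\n"
            f"Via: SIP/2.0/{transport} 203.0.113.10:5061;branch=z9hG4bK776asdhds\r\n"
            "From: <sip:1001@pbx.example.com>;tag=1928301774\r\n"
            f"To: <{URI}>\r\n"
            "Call-ID: a84b4c76e66710\r\n"
            "CSeq: 2 INVITE\r\n"
            f"Proxy-Authorization: {AUTH}\r\n"
            "Content-Type: application/sdp\r\n"
            f"\r\n{sdp}")


INSECURE_INVITE = build_invite("UDP", SDP_PLAIN)
SECURE_INVITE = build_invite("TLS", SDP_SRTP)

if __name__ == "__main__":
    for finding in audit(INSECURE_INVITE):
        print("insecure:", finding)
    print("secure:", audit(SECURE_INVITE) or "no findings")
    print("recovered password:", offline_guess(INSECURE_INVITE, ["password", "0000", "1234"]))
```

Run it and the UDP/RTP capture produces three findings and gives up the PIN on the third guess, while the TLS/SRTP counterpart produces none. One caveat the hardened sample makes visible: the SRTP key in the a=crypto line travels inside the signaling, so SRTP with SDES keying only helps when the SIP leg is itself carried over TLS; that is why the two fixes belong together.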

But just because people can deploy clueless and insecure IP telephony teleworker solutions doesn’t mean that they will, nor does it mean that those insecure solutions are the only ones out there. Just Google “teleworker solution” and you’ll see loads of options, almost all of which offer security as a critical component.

Anyone deploying IP telephony in the enterprise today does have options for secure teleworker deployments… so don’t avoid IP telephony for teleworkers… embrace it. Putting an IP phone securely anywhere you can get an IP address (and sufficient connectivity) is just about the coolest thing you can do with VoIP, and it opens up so many possibilities once you start to understand the full ramifications of cutting a corporate extension loose from any tie to geography.

So, ComputerWorld Australia, your article was more-or-less okay, but your headline was dead wrong. (Unless, of course, you were consciously trying to annoy people like me and get us to point to your article… in which case it succeeded.)

1 thought on “Why Computerworld.au is dead wrong about “Enterprises must avoid IP telephony for teleworkers or face attack””

  1. David Endler

    Yikes, I’m just now catching up from email after VoiceCon and finally had a chance to read the ComputerWorld article. I didn’t realize until now that I had been quoted in it.

    Mark Collier and I presented a 3-hour tutorial on VoIP security this Monday at VoiceCon, where I think the reporter grabbed all of those quotes from. It’s unfortunate that the reporter took about 15 minutes’ worth of our presentation and used it to further his faulty premise. Our presentation outlined certain threats to general VoIP installations, and then detailed the specific countermeasures that could be applied to mitigate each threat. Mark and I stated several times throughout our presentation that even though there are security concerns associated with deploying VoIP (as with any application), all of the enterprise-class VoIP solutions that we had tested are securable with the right amount of effort and research. It’s a shame that point didn’t get included in the article.

    Dan, you are spot on with your rebuttal. Having been in the security industry for a while, I’m not as surprised anymore at fear based reporting. It’s just a little more upsetting when it’s your own words being taken out of context to sex up a headline.

    My hope is that as VOIPSA grows as a voice piece in this industry, we can continue to combat this type of FUD with our projects, guidelines, and outreach messaging.
