I recently had the opportunity to sit down with David Cargill, member of the council at the ITSPA trade association (www.itspa.org.uk). David is chairing the VoIP Security committee at ITSPA, and I wanted to ask him about that.
MD: Firstly, tell me something about ITSPA, and its goals?
DC: The Internet Telephony Service Providers’ Association was formed in 2004 to represent UK based network operators, service providers and other businesses involved in VoIP services. ITSPA members supply to business and residential consumers within the UK and across the European Union. ITSPA aims to promote competition and self-regulation in order to encourage the development of a flourishing and innovative VoIP industry.
MD: You’ve recently formed a VoIP Security committee; what was the spark that drove you to do that?
DC: Industrial-grade scanners are now operating around the clock to find and exploit IP-PBX’s and VoIP handsets that are not secured. The majority of these are operated by low level fraudsters which can be stopped by taking fairly simple security measures.
The Security Committee was setup with two primary aims: firstly to collate and share information on relevant security issues to ITSPA members, and secondly to produce and distribute Best Practice Papers on key security issues to ITSPA Members as well as to existing and potential VoIP customers.
MD: What are the main threats that you are focusing on?
DC: We’re currently focusing on hacking of IP-PBX’s and VoIP telephones.
MD: Are these the main problems perceived by customers, and is this driven by them?
DC: When you mention VoIP security, most people think about Eavesdropping. While hackers can eavesdrop on media streams and intercept VoIP packets, eavesdropping is not simple, whereas hacking into unsecured IP-PBX’s is not only simple, it can be done using free tools downloaded from the internet.
Many VoIP users don’t seem to be concerned with security until they have been hacked, the driver for this is that while ITSPA members have systems for protection from exploits for their core systems, often their downstream customers do not. For example a reseller of an ITSPA member, sells SIP trunks to an end user who then downloads free PBX software, like Asterisk, and gets the system online. The system is then hacked resulting in a large phone bill for the end user and customer service problems for the reseller and service provider.
MD: And what actions are you taking? Is it mainly an exercise in education for partners and customers?
DC: Yes it is. The strength of ITSPA is that we’re getting input from across the VoIP industry, enabling Service Providers to pool their knowledge and experience for the common good. So internally within ITSPA service providers are sharing information on new exploits as well as the external drive to raise awareness of the threats and solutions to partners and customers.
MD: Will the committee go on to tackle further VoIP Security issues?
DC: The barbarians are at the gates, 24/7 and we need to be vigilant. The ITSPA Security Committee is planning a pro-active program to keep its members and the wider VoIP community up to date with key security issues as they develop.
MD: Overall would you say that security is more of a problem for VoIP than for conventional voice services?
DC: No, PBX’s have been targeted by hackers for years, starting with people who could whistle the right tones into a handset in the 1960’s. The difference now is that IP-PBX’s can be downloaded for free, so it’s a problem of scale and understanding, as the number of the hackers has increased exponentially and many IP-PBX’s are setup by people with little understanding of VoIP let alone network security.
It’s also worth mentioning that many ITSPA members provide Hosted VoIP services, where in effect they operate the PBX in the cloud on behalf of their customers and ensure that the service is run securely. Customers of reputable Hosted VoIP services are not at risk of being hacked by fraudsters looking to make free calls.
MD: Is your initiative open for other service providers that want to get involved?
DC: At this stage it’s an ITSPA initiative with news and updates to be posted on the ITSPA Directory (http://directory.itspa.org.uk) but if anyone would like to get involved or would like further information they should contact us at firstname.lastname@example.org