The problem with VoIP Security
I was quoted in a recent Boston Globe article on VoIP security. Someone is always raising the red flag of FUD when they see a quote that screams “beware.” And yes, my company provides VoIP security services. But I’m not trying to scare anyone into buying my services. If you think I am off the ball on the true danger within VoIP technology, consider the following:
I think the greatest threat to VoIP security is bad code! Vulnerabilities in VoIP products will lead to DoS and remote system compromise.
Vendors think the greatest threat to VoIP security is voice spam and call eavesdropping.
My opinions are based on history. Look at the vulnerabilities in Apache, IIS and most major mail servers. The greatest business damage came from remote code execution, not spam or web page eavesdropping.
My concerns place greater responsibility on the vendor.
The vendors’ concerns place greater responsibility on outside forces: spammers, network administrators.
The vendors are selling anti voice spam and VoIP encryption products. Keeping those issues in the news means more product sales?
Do we really expect VoIP vendors to say they have security flaws in their code?
Every time I’ve spoken about VoIP security I have cut the vendors a lot of slack. VoIP code is inherently complex and difficult to make secure. I don’t think vendors are ignoring the problem; it’s just difficult to get right. The fact remains that not many people are talking about this fundamental insecurity in VoIP products: bad code. And in that sense it’s like 1999 all over again.
This entry was posted on Sunday, September 25th, 2005 at 5:12 pm.
September 26th, 2005 at 8:25 am
I agree with your proactive approach in putting bad code at number one. But don’t forget that code is written by humans and they make mistakes. Always.
Take buffer overflows: we have known about them for years, and still those vulnerabilities pop up every day.
It will take a generation and education changes to produce coders with a security mindset. At the end of the day, it’s the responsibility of you and me, the security pros, to provide the confidentiality of VoIP.
Not coders; they deliver complex functionality.
For now, the companies spend more time on Return On Investment and functionality requirements…
If a VoIP connection cannot match up with normal PSTN, it just won’t be deployed.
September 26th, 2005 at 9:39 am
I agree. Most vendors are, and need to be, focusing on “making it work.” That’s why I cut vendors a lot of slack. But we should at least be talking about this issue now so we don’t go through the whole cycle again of rushing to fix it at the very last minute.