Events Training Consulting Newsletters Webcasts Blogs
Subscriptions
Current Issue
Past Issues
Join Our Mailing List
Contact Us
Home
 
 
 
Magazine
New Customer Management Insight Digital Publication
Call Center Magazine Archives
FREE Webcasts
Podcasts
Vendor Guide
Multimedia Content
Online Advice
eNewsletter Alerts
ICMI Forum
ICMI Jobs
Training
Consulting
Newsletters
Publications/Tools
Industry Research
QUEUETIPS
Conferences
ICMI Global Report
Call Center Knowledge Online
Join ICMI
Members Only
Vendor Guide
Industry Information
About ICMI
Download the ICMI Catalog
 
 
TechEncyclopedia

IP TELEPHONY: IS YOUR VOIP SECURE?

Voice-over-IP is rapidly becoming a mature technology. Audio quality, bandwidth usage, and convenience are all reaching acceptable levels. But are your VoIP calls secure?

By James Gifford

print this article print this article
email this article e-mail this article
.

Talisma Announces CIM 8.0
Aspect Deploys Asterisk and Aspect Unified IP
Cultivate An On-Demand Workforce Through On-Demand Technology
Speech Makes Inroads As A Service
Q&A: Authentication Technology for Call Center Security
NICE Introduces NiceVision Net and Control Center
Q and A: The Importance of Testing Your Technology
CTI Group Launches New VoIP Tools
Avaya, Extreme Networks Collaborate
Customer Contact Technologies in 2015
.

09/01/1999, 12:00 AM ET

Voice-over-IP is rapidly becoming a mature technology. Audio quality, bandwidth usage, and convenience are all reaching acceptable levels. But are your VoIP calls secure?

I put that question to a number of companies and individuals in the IP telephony industry. Most were reluctant to talk about it. But some folks came through. The answer is a qualified no — or a qualified yes, depending on how you look at it.

The “no” comes from the fact that none of the current VoIP gateway vendors implement packet encryption. The “yes” comes from the fact that, like all other data, VoIP conversations are only as secure as the network they’re on. But even witha secure network, insiders can tap VoIP calls. As one respondent put it, “Imagine the ‘fun’ a network engineer could have listening in on the boss’s conversations.”

There are three main issues of VoIP security. One is authentication: Is the party who answered the call the intended destination? Another is nonrepudiation: Once a destination accepts a call, is there anything in place that prohibits it from denying receipt of the connection? Finally, there’s privacy: Is the call content secure? Authentication and nonrepudiation are important, but for now let us concentrate on privacy.

Technology & Technique

Without gateway-to-gateway encryption, VoIP packets are vulnerable to snooping. All it takes to intrude is one IP packet monitor sniffing somewhere on the network, watching for VoIP packets and storing them on a hard drive for playback later on.

IP packet monitors are not terribly common, but neither are they exotic. In addition to commercial devices for monitoring and troubleshooting IP traffic streams, sniffers are available as free software from most any techie software repository. Many come with source code (or as source code) that can be easily modified for tapping.

It’s kind of like the early days of cordless phones. It took a while for users of those to realize they were being tapped. FCC regulations prohibiting the sale of the scanners that pick up certain bands allocated to wireless telephony didn’t provide much of a barrier. And the information necessary to modify common scanner models was widely available. Later, the same became true with regard to analog cell phones.

IP packet monitors are much like those scanners. Few of the commercially available devices snoop VoIP streams right out of the box. Neither can most of the free software tools available enable VoIP snooping without modification. But in the hands of a skilled user, either can become a fully automated, programmable VoIP tap.

Encryption Takes Time

Why aren’t VoIP calls encrypted? Because on-the-fly encryption and decryption takes time, and time is at an utter premium in a VoIP connection. The overall latency of a VoIP call must be less than 250 mSec to approximate toll quality. Add milliseconds, and the perceived quality of the call drops. For an industry still working for broad acceptance, call quality is paramount. Hence, a number of gateways have some form of encryption available or coming soon, but it’s rarely used. Even though encryption is a component of the H.323v2 standard, it’s likely to be one of the last features implemented.

Should You Worry?

Worry no more about VoIP call tapping than you do about regular phone tapping. Although each involves different skills and technologies, the same blackguards who’ll tap your PSTN lines are the ones who’ll sniff VoIP links. Any data that can be stolen from analog conversations is at risk in a digital link too. The difference, generally, is that analog lines can be tapped only one at a time, VoIP lines can be tapped by a whole T-span or more at once. There’s also no real way to detect a VoIP tap, except by locating an unauthorized system on the network.

Internal snooping is easier and more likely than an outside tap, unless your network can be compromised at some outside point. (in which case you have bigger problems). But the most important thing to remember is that VoIP calls can be tapped. Until you have gateways that encrypt the call end to end, treat VoIP calls as “unsecure” — especially if they leave your private network. And any calls passing through the ’Net should be regarded as no more secure than a CB radio conversation.

Thanks go out to Chris Bajorek of CT Labs and Scott Conrad of Kahala Systems for their technological insight, as well as to all the manufacturer representatives who frankly answered some tough questions.


.

Free CallCenter Insider Newsletter

Your Email Address


Optional Areas of Interest
International News
Advice/Tips
Technology
Agent Development
IVR