Trustworthy VoIP Needs Strong Security

Remember back in the mid-1990s when you could connect to Microsoft's FTP server using NetBIOS? You could actually map the FTP server as a drive on your network and copy files at will. Microsoft stopped all that activity pretty quickly after serious security questions arose.

I think Voice over IP (VoIP) is in a similar position today. People everywhere are implementing VoIP willy-nilly without thinking much, if at all, about the security implications. Meanwhile, intruders are undoubtedly banging away at their keyboards seeking cracks in popular VoIP technology that will afford them inroads. Spammers too are probably looking for ways in which they can begin flooding your VoIP client with calls, and of course scammers are wondering how they can use VoIP for their phishing scams.

Added to that potential security mess is the fact that some popular VoIP providers don't even offer data transport encryption in their products! Thus, people could be listening in to the phone conversations of those providers' customers.

Programs already exist that can capture VoIP conversations. Some even convert those conversations to portable audio files. The Voice Over Misconfigured Internet Telephones application (VOMIT--don't you just love catchy acronyms?) is designed to do exactly that. It captures G.711-based VoIP calls and converts them to Wave (.wav) files, and it's available free on the Web.

The need for decent VoIP security is clear, and multiple areas need attention to preempt the usual attacks, including spoofing, hijacking, buffer overflow, spamming, and phishing attacks. At least one organization, the Voice over IP Security Alliance (VoIPSA), is already going strong in driving protections in some of those areas, and you can become involved. Visit the VoIPSA Web site and click the "Participate in a project" link to learn how.

Encrypted data transport is another focus. Remember Phil Zimmermann? He invented Pretty Good Privacy (PGP) encryption and released it free to the world back in 1991. Since then, PGP has changed hands a couple of times, and now it's available as a commercial product from PGP Corporation. A few years after releasing PGP, Zimmermann and a team of six other engineers developed and released PGPfone, which was one of the earlier VoIP applications. Naturally, it came complete with PGP encryption. It's still available but hasn't been updated in years.

Zimmermann is now working on new encryption technology for VoIP. Although the new technology doesn't have a name yet, some information is available as to how it might work and what it will do. Zimmermann's VoIP encryption technology uses the Diffie-Hellman public key infrastructure (PKI). Tentatively, the technology will exchange encryption keys on a per-call basis and will forgo the public key server that PKI-based designs typically require.
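The per-call key exchange described above, as an added example that is not Zimmermann's, Shtoom's or the column's own code: each end of a call generates a fresh Diffie-Hellman key pair, sends only the public value to the peer, and derives a media key with no key server involved. The RFC 3526 group 14 parameters and the HKDF-style derivation are my assumptions; the page does not say which parameters the new technology will use.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP safe prime, generator 2 (assumed group).
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1
29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD
EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245
E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D
C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F
83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D
670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9
DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510
15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
Q = (P - 1) // 2  # prime order of the subgroup generated by G

def group_is_sane() -> bool:
    # Self-check of the hard-coded constants: 2048 bits, P = 7 mod 8,
    # and G has order Q (a typo in P would almost surely fail this).
    return P.bit_length() == 2048 and P % 8 == 7 and pow(G, Q, P) == 1

class CallEndpoint:
    """One party to a call; generates a fresh DH key pair for every call."""
    def __init__(self) -> None:
        self.priv = secrets.randbelow(Q - 2) + 2   # ephemeral, never sent
        self.pub = pow(G, self.priv, P)             # sent to the peer in-band

    def derive_key(self, peer_pub: int, call_id: bytes) -> bytes:
        # Reject degenerate or off-subgroup values before using them,
        # so a peer cannot force a predictable shared secret.
        if not 2 <= peer_pub <= P - 2 or pow(peer_pub, Q, P) != 1:
            raise ValueError("invalid peer public value")
        shared = pow(peer_pub, self.priv, P)
        ikm = shared.to_bytes(P.bit_length() // 8, "big")
        # HKDF extract-then-expand (RFC 5869), salted with the call id
        prk = hmac.new(call_id, ikm, hashlib.sha256).digest()
        return hmac.new(prk, b"media-master-key\x01", hashlib.sha256).digest()

def establish_call_keys(call_id: bytes) -> tuple[bytes, bytes]:
    """Simulate both ends of one call; returns each side's derived key."""
    caller, callee = CallEndpoint(), CallEndpoint()
    return (caller.derive_key(callee.pub, call_id),
            callee.derive_key(caller.pub, call_id))
```

Because the private values are discarded after the call, a recording of the exchange cannot be decrypted later even if a long-term key leaks. Diffie-Hellman alone does not tell either party who is on the other end, so a deployment still needs a way to authenticate the peer's public value, or someone in the path could run separate exchanges with each side.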

The initial code was developed for use in conjunction with Shtoom, an open-source cross-platform VoIP phone client based on the Session Initiation Protocol (SIP) commonly used with mainstream VoIP technology (for more information, go to the Shtoom Web site at the first URL below). Although Zimmermann's technology isn't yet available to the public in any form, Zimmermann does intend to release it for public beta testing and make it available as open-source software to the industry in hopes that it will become widely adopted. If you're interested, keep an eye on his Web site (second URL below) for possible announcements.
