How secure is VoIP compared to legacy systems?
Friday, October 06, 2006
Although it can save on costs, you could potentially get burned by hackers, according to this article on the BBC:
You might think that your phone was secure but if you or the institution you are ringing uses Voip (internet telephony) you might have to think again.
Telecoms security specialists like "The Grugq", who kept his school nickname as a cover for his hacking activities, are highly sceptical.
"Basically Voip is going to make telephony as secure as the internet," he says. That's about as damning as a hacker can be.
"What I expect we're going to be seeing in a few months, and what's already technically possible, is for an attacker to gain access to a call centre."
The Grugq outlines a scenario in which "the customer does everything right," rings his bank's legitimate number, is put through to a call centre whether in the US, UK or even India and has their call hijacked.
"An attacker would be able to [hack] into the call centre. He could then set up a server that would monitor all of the traffic and during the hold music it would be possible for an attacker to inject content such as 'In order for us to better serve you please enter your account number and PIN code'."
If that were to happen, you have just handed over your bank details to someone who wants to empty out your accounts. And the Grugq has bad news for companies looking to save money through Voip.
"They need to make sure that everyone who has a Voip system that's connected to the internet is secure otherwise the entire system falls apart. It's basically a house of cards."
And if internet usage and mobile Voip telephony takes off with the next generation of mobile phones (3.5 / 4G), experts say its coding, known as IPv6, will be open to the same sort of "man in the middle attacks" that The Grugq describes.
"The vulnerabilities that we have in our current internet protocol they still have similar vulnerabilities in the upcoming IP version 6," says Van Hauser, a member of The Hacker's Choice, a group of international network and system security experts.
"There are ways to secure it if implemented correctly, set up correctly, administered correctly which will be a big challenge but at least there is a chance and a hope."
There's quite a bit of FUD in that article, since even current systems can be insecure. It's not unheard of for hackers to break into normal IVR systems as a way of gaining access to private networks. The best line of the article is the last sentence of the above quote, and even it is somewhat redundant. The key point is that any system must be implemented with security in mind, especially when dealing with new technologies.
All will be revealed in time.