Many people feel that VoIP will replace the century-old traditional phone network—but only if users are confident that it is safe.
In an effort to assess its current level of security, SmartBiz invited three experts—Phil Zimmermann, Patrick Hinjosa and Andrew Graydon—to participate in a "cyber" round table on the topic. The participants responded to the same questions separately (Zimmermann in an interview; Graydon and Hinjosa via email).
Zimmermann is the principal of Phil Zimmermann and Associates, a company that is developing a VoIP security system called zFone. He was the developer of Pretty Good Privacy (PGP), a popular email encryption program. Hinjosa is the CTO of Internet security firm Panda Software. He is an expert on a wide variety of Internet security issues. Graydon is the CTO of BorderWare.
Is VoIP as secure as traditional phone networks?
PHIL ZIMMERMANN: No, it's not anywhere near it.
ANDREW GRAYDON: Since VoIP utilizes the same IP infrastructure as traditional Internet communications, service providers are already implementing various means to secure these systems. For example, we don't worry about our email being "hacked" over the Internet. We do, on the other hand, have concerns about other security issues on the Internet such as viruses and spam. VoIP is not exempt from these threats, whereas traditional phone networks do not face quite the same challenges. This is where one needs to take a deeper look at VoIP security.
PATRICK HINJOSA: Unless your business voice communications contain very sensitive information, the security at this point isn’t really an issue. Intercepting VoIP data is possible but would take a targeted and dedicated effort that wouldn’t make much sense if the target was Joe’s Hardware store.
What are the key differences in security between traditional phone networks and VoIP networks?
ZIMMERMANN: In the public switched telephone network it's not easy for just anyone to tap into a phone call. You'd have to either physically go to the right place and attach alligator clips to the right wires or you have to be at the phone company and do it at the switch, which means the phone company has to be in on it. Typically only the government is allowed to do it. VoIP, on the other hand, could be tapped into by someone on the other side of the world by hacking into one of the PCs in your office and tapping into the phone calls. If just one is compromised by a hacker—who could be anywhere—that PC can be used as a platform to monitor all the phone calls in your company.
GRAYDON: Traditionally, telephone calls between two end points are connected across a basically private system. The telephone companies own the infrastructure and control the usage. VoIP calls travel over the open Internet, which is inherently public in nature. However, the security of that "open" system is not as bad as commonly believed. Eavesdropping on an Internet call is about as easy or difficult to do as tapping into a call on a normal phone system. What is more vulnerable, however, is the actual perimeter security of the network where the VoIP calls come in. In the same way you secure your email systems with a mail firewall, you should consider securing your VoIP systems.