An industry group is working toward a best-practices document that will spell out for businesses how to build secure VoIP networks using specific makes and models of equipment.
While the report won't be available until next year, it will be a practical implementation guide to securely set up VoIP, according to a director of the VOIP Security Alliance (VOIPSA), the group writing the papers, Andrew Graydon.
The document would present sample deployments that had been tested by VOIPSA and found to be interoperable and secure, he said.
It wouldn't be ready until after another VOIPSA report that would be released by year-end, Graydon said. The project was third on a list of tasks the group was addressing, and VOIPSA was still soliciting members of a committee to work on it.
Vulnerability is a major concern for businesses implementing VoIP and for governments that want to guarantee reliable phone service to sustain their economies. A German government agency this week released its own list of VoIP threats. The German report finds the risk of IP-voice service interruption so great that it recommends keeping voice and data networks separate - undermining convergence.
Earlier this year in the US, the National Institute of Standards and Technology (NIST) issued its own report on the subject, including recommendations for avoiding security pitfalls. Unlike VOIPSA's work, which is being done mainly by vendors with an eye toward the nuts and bolts of implementing networks, NIST's document was made by government researchers setting principles to follow when doing so.
VOIPSA this week catalogued 36 pages of potential VoIP vulnerabilities and plans to issue a separate document by year-end that describes how technologies, without mentioning vendors, can protect networks.
The list of potential vulnerabilities, called VoIP Security and Privacy Threat Taxonomy, defined potential threats, Graydon said. In addition, the taxonomy could inform businesses considering VoIP about known threats so they can deal with them.
"It describes a set of risks you need to be mindful of, specific issues you might want to be concerned about," head of the project, Jonathan Zar, said.
The study lists potential problems including theft of service, spamming, intentional disruption of services, number harvesting, man-in-the-middle attacks, call rerouting and altering conversations. Solutions for some of these problems exist today.
VoIP, as a software application running on IP networks, was open to many threats, an Internet security analyst for the Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh, Art Manion, said.
While the potential existed, he said he was unaware of any exploit being carried out to exclusively target VoIP.
"Every piece of software has vulnerabilities, and that includes VoIP software," Manion said. "A VoIP phone is a small computer, so the same problems that affect Web servers and browsers can affect VoIP."
VoIP is also susceptible to general network threats, such as denial-of-service attacks, worms and viruses. These don't have to take down the network entirely to affect a voice call; they just have to cause enough delay and jitter to break up the stream of voice packets to cause audible disruption, he said.
