The vendors began cooperating, and acknowledging on their Web sites the risks to their VoIP systems, only after VoIPshield continued reporting the vulnerabilities publicly. Nortel attributed a vulnerability to VoIPshield on April 10, for example.
Because of legislation in the data world, vendors have to announce vulnerabilities to the public. There's no firm legislation, however, in the voice world, so it's up to vendors to disclose vulnerabilities. And so far, they've failed to be up front with customers. For example, FDIC examiners are not asking about VoIP yet, according to VoIPshield.
This is the state of VoIP security today. Most of the 300,000 privately owned IP-PBX systems deployed throughout the U.S. are wide open to anyone who wants to hack them. And that's only the tip of the iceberg.
Originally used as a call saver, VoIP systems are now being integrated with data LANs to form unified communication platforms. The goals of VoIP vendors like Cisco and Microsoft run quite deeply into the data stack. By combining instant messaging, presence awareness and other communication routes into a single platform, users will be able to stay in touch with everyone at all times. Microsoft touts this highly integrated VoIP architecture with its Office Communications Server 2007.
Those who believe in the new architecture and convert must know that their integrated VoIP platforms are in close contact with data LANs. And here's where things can go awry quickly.