A Free Educational Resource Created by Carnegie Mellon University to Empower You to Secure Your Part of Cyberspace

Voice over IP and its Security Issues

VoIP transmits your voice over the Internet.

Voice over Internet protocol, known as Voice over IP (VoIP), is the technology used to "make phone calls" with a broadband connection instead of a telephone line. VoIP works by converting your voice into electric signals for transmitting over the Internet.

Through various compression techniques, voice is treated as just another form of data, traveling over the Internet in "data packets" that contain the voice information. VoIP can send more voice calls than traditional telephone lines, and VoIP is regarded as a threat by the telephone industry. Although voice sent as data does not have as high sound quality as standard telephony, it is much cheaper, and research indicates there is potential to improve sound quality.

VoIP transmits voice from a computer to a phone, from a VoIP phone to a computer, and from a VoIP phone to another phone. If you are calling a traditional telephone, then the signals are converted to a voice signal before it reaches the destination, without need for any other special equipment.

Some VoIP providers, such as Skype , offer their service for free. Depending upon your service, you might be limited to contacting other subscribers to the service only. Or you may not have any limitations and be able to call anyone who has a telephone number, including local long distance, mobile, and international numbers. You might also be permitted to select an area code different from where you live to avoid long distance charges when you call a particular location.

Why Use It?

The advantages of VoIP are convenience and low cost. Using VoIP, you can combine your Internet and phone needs into one service and one bill, and VoIP is inexpensive. In addition to voice, you can also send data, such as photos and documents, all while talking on the phone.

VoIP also offers an aspect of portability. Your VoIP service provider will provide you with an Internet phone number that follows you wherever you go. Even if your phone service is based in the U.S. and you travel overseas, you simply plug your IP phone into any broadband connection and make your call from your old area code, just as if you never moved out your city.

There are some disadvantages. In general, the sound quality and reliability of VoIP are below traditional phones. Some VoIP services do not work during power outages and the service provider may not offer back-up power. VoIP providers might not offer directory assistance or white page listings.

It is not possible to determine where a VoIP call is originating from, which could affect a 911 call in an emergency because the operator would not be able to trace you back to your location. To solve this problem, there is an emerging standard known as e911  that should one day resolve this issue.

Today, leading companies are incorporating VoIP into their communication tools. It is an emerging technology that many are adopting.

What are the Security Issues?

The most common security threats to VoIP include the following problems:

Distributed Denial of Service Attack (DDoS): The widespread use of VoIP causes a huge volume of real-time traffic passing over the internet. DoS against VoIP is an effective way to degrade or take down an organization’s communication system. It is very difficult to prevent a DoS attack, butt organizations can take measures to reduce its possibility. Use a powerful firewall that allows only a fixed number of simultaneous connections at a time from a given user, and keep anti-spam and anti-virus tools updated.

SPIT (SPam over Internet Technology): VoIP spam comes from automatically generated calls, and it can happen on cell phones, as well. VoIP spam occurs over voice channels and therefore cannot be addressed by the anti-spam software and filters that are effective against email spam. Instead, specialized anti-spam software like Seal  software by NEC must be used.

Fraud: In fraud cases, an attacker cracks into the system and then makes calls to a toll number. To avoid this, businesses can provide a facility for accounting and logging information. Although a customer must subscribe to and pay for such a facility, it avoids the threat.

Eavesdropping: As voice traffic travels over the Internet, it is relatively easy for someone to eavesdrop on the media stream and obtain data. Voice eavesdropping has always been a risk, and the IP network is engineered in a way that increases this risk relative to traditional phone lines. The risk of interception can be reduced by actually encrypting the signal and making it difficult to be deciphered. Presently, the VoIP services used by consumers do not use encryption for security, which makes it relatively easy for someone to eavesdrop on VoIP calls, and even change the content. In order to prevent this eavesdropping, a set of security protocols, called Ipsec , can be used to apply encryption to the digitized voice stream for VoIP.

Hijacking the session by registering: An attacker posing as a valid VoIP user can register and can then hack into the system. Hijacking is possible because the signaling messages are sent as plain text with no guarantee that the data that is received at the receivers end is indeed the voice data sent by the user. As a countermeasure, users can send encrypted messages for registration so as to achieve confidentiality and integrity.

VoIP users can take an active interest in protecting their systems. In addition to the countermeasures discussed above, users can further investigate the following best practices used by network administrators:

  • Separate VoIP traffic from normal data traffic. This ensures a separate monitoring system for VoIP. Using this method, VoIP gets separate dedicated bandwidth, so that other applications, such as gaming, do not interfere with VoIP.
  • Use traffic analysis to identify an abnormal increase in the number of hosts trying to connect and the number of sessions per host.
  • To avoid fraud, monitor the geographic region from which the traffic is originating.
  • Organizations can put policies in place that outline appropriate use of VoIP.


My home page