Cyber Security Tip ST05-018
Understanding Voice over Internet Protocol (VoIP)
With the introduction of VoIP, you can use the internet to make telephone
calls instead of relying on a separate telephone line. However, the
technology does present security risks.
What is voice over internet protocol (VoIP)?
Voice over internet protocol (VoIP), also known as IP telephony, allows you
to use your internet connection to make telephone calls. Instead of relying
on an analog line like traditional telephones, VoIP uses digital technology
and requires a high-speed broadband connection such as DSL or cable. There
are a variety of providers who offer VoIP, and they offer different
services. The most common application of VoIP for personal or home use is
internet-based phone services that rely on a telephone switch. With this
application, you will still have a phone number, will still dial phone
numbers, and will usually have an adapter that allows you to use a regular
telephone. The person you are calling will not likely notice a difference
from a traditional phone call. Some service providers also offer the ability
to use your VoIP adapter any place you have a high-speed internet
connection, allowing you to take it with you when you travel.
What are the security implications of VoIP?
Because VoIP relies on your internet connection, it may be vulnerable to
many of the same problems that face your computer and even some that are
specific to VoIP technology. Attackers may be able to perform activities
such as intercepting your communications, eavesdropping, taking control of
your phone, making fraudulent calls from your account, conducting effective
phishing attacks by manipulating your caller ID, and causing your service to
crash (see Avoiding Social Engineering and Phishing Attacks and
Understanding Denial-of-Service Attacks for more information). Activities
that consume a large amount of network resources, like large file downloads,
online gaming, and streaming multimedia, may affect your VoIP service.
There are also inherent problems to routing your telephone over your
broadband connection. Unlike traditional telephone lines, which operate
despite an electrical outage, if you lose power, your VoIP may be
unavailable. VoIP services may also introduce problems for
location-dependent systems such as home security systems or emergency
numbers such as 911.
How can you protect yourself?
* Keep software up to date – If the vendor releases updates for the
software operating your device, install them as soon as possible.
Installing them will prevent attackers from being able to take advantage
of known problems or vulnerabilities (see Understanding Patches for more
information).
* Use and maintain anti-virus software – Anti-virus software recognizes
and protects your computer against most known viruses. However,
attackers are continually writing new viruses, so it is important to
keep your anti-virus software current (see Understanding Anti-Virus
Software for more information).
* Take advantage of security options – Some service providers may offer
encryption as one of their services. If you are concerned about privacy
and confidentiality, you may want to consider this and other available
options.
* Install or enable a firewall – Firewalls may be able to prevent some
types of infection by blocking malicious traffic before it can enter
your computer (see Understanding Firewalls for more information). Some
operating systems actually include a firewall, but you need to make sure
it is enabled.
* Evaluate your security settings – Both your computer and your VoIP
equipment/software offer a variety of features that you can tailor to
meet your needs and requirements. However, enabling certain features may
leave you more vulnerable to being attacked, so disable any unnecessary
features. Examine your settings, particularly the security settings, and
select options that meet your needs without putting you at increased
risk.
Additional information
* Understanding Voice over Internet Protocol (VoIP) PDF
_________________________________________________________________
Author: Mindi McDowell
_________________________________________________________________
Produced 2005 by US-CERT, a government organization.
Note: This tip was previously published and is being
re-distributed to increase awareness.
Terms of use
http://www.us-cert.gov/legal.html
This document can also be found at
http://www.us-cert.gov/cas/tips/ST05-018.html
For instructions on subscribing to or unsubscribing from this
mailing list, visit
Robert L. Santuci Jr.'s Blog 