ISF Warns Of Spit And Other New Security Threats From VOIP

12 December 2006: A new report from the Information Security Forum (ISF) warns that along with existing security problems associated with IP networks, VoIP will present new and more sophisticated threats – such as caller ID spoofing, voice modifiers, SPIT (voicemail SPAM) and packet injections.

With VoIP now poised to hit the business market in a big way, the ISF believes that failure to address these serious risks may bring voice communications to a grinding halt and result in identify theft and loss of sensitive information.

With a combination of caller ID spoofing and freely available voice modification software, it is relatively easy to pose convincingly as someone else – similar to web site spoofing and phishing. But the ISF believes that one of the most virulent problems posed by VoIP will come about as a direct result of the low cost of sending voice messages over the Internet. SPIT – spam over internet telephony – could become a huge problem for companies. This could range from staff wasting time clearing unwanted voicemail messages to a total loss of service.

Other VoIP security issues highlighted in the ISF report range from redirection of calls and packet injections where words are inserted into the data stream mid -conversation, to the interception of sensitive voice traffic in transit and theft of VoIP bandwidth.

In surveying ISF members to research the report, concerns were also expressed that as VoIP becomes more popular, organised criminals will turn their attention to sabotaging businesses by disabling phone systems through DoS attacks or spreading malicious viruses or worms. The problems of poor quality transmission and loss of service are gradually being overcome, which is expected to lead to more widespread adoption and reliance on VoIP in the future. This trend is also being driven by cost savings, improved functionality, ease of access and low cost of entry.

“Although VoIP is being increasingly used in the home environment, most businesses are still reliant on the Public Switch Telephone Network,” said Nick Frost, Consultant at the ISF. “We take it for granted but it is extremely resilient, something that VoIP can not currently deliver. But it is inevitable that eventually VoIP will take over as the voice service of choice, bringing with it these additional new security risks.”

This latest ISF report along with over 150 authoritative reports on information security issues is available to ISF members.

About the ISF

The Information Security Forum was founded in 1989 and is a not-for-profit international association of over 270 leading organisations which fund and co-operate in the development of practical, business driven solutions to information security and risk management problems. The ISF undertakes a leading-edge research programme and has invested more than US$100 million to create a library of over 200 authoritative reports that are available free of charge to ISF Members.

For more information and a list of members, visit www.securityforum.org.