Internet-based telephony (also known as VoIP) is being adopted in businesses across the country, thanks to its promise of lower monthly costs and easier administration. But it also means more voice data is less secure.
It looks very likely that VoIP technology will completely replace analog phones in the not-too-distant future, at least in most companies.
But with every advance comes a new threat. With an analog phone system, the hacker has a few conventional ways of getting on the system, whether by breaking into your office and attaching a bug or by tapping the main phone trunk liens or exchanges. These are high-expertise, high-cost attacks.
But, as one analyst points out, “Unfortunately, phone calls from your computer are fundamentally different from phone calls from your telephone. Internet telephony’s threat model is much closer to the threat model for IP-networked computers than the threat model for telephony.”
A lone hacker with a few software tools (such as a packet sniffer) can, with far less difficulty, intercept calls at multiple points along the transmission. Digital voice data can be intercepted by establishing a spyware application on a network and the data can be sent out for monitoring to anywhere on the Internet with no wire-cutters or alligator clips required.
Experts in the business strongly recommend encryption when using a VoIP system. There is a range of solid tools for making sure that voice transmissions, as they go over the Internet, are almost impossible to use if intercepted. Some are third-party programs, others are vendor-specific.
Tools for data encryption are widely available, but according to one report, they are rarely used.
Note that encrypting a phone call involves having both sides capable of encrypting and decrypting data. That means that encryption works best within the company, such as in organizations that already have a VPN (Virtual Private Network) set up to protect text-based data transfers. It is also possible to coordinate encryption with out-of-local-network people you frequently exchange calls with.
Encryption is just one part of the security issue. An even bigger threat could be a Trojan Horse program on a PC or a server that intercepts the call before it is encrypted or after it is decrypted. That means you must make sure that your basic antivirus protections are strong, and that you get expert in monitoring network activity.
Your VoIP provider should offer you services for setting up and monitoring security. If they don’t have that kind of expertise and are incapable of consulting with your company about it, you have a problem.