CallManager's vulnerability to denial-of-service attacks as well as hacks that would let users increase their system access privileges don't constitute a worst-case scenario. But when you consider Infonetics Research's prediction that spending on VoIP will grow from $1.2 billion in 2004 to $23 billion in 2009, it quickly becomes obvious that even minor security lapses could have a widespread impact on a company's ability to keep the phones up during a major network attack.
Cisco CallManager extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications. Both the DOS and privilege-escalation vulnerabilities, whose patches are available, affect CallManager 3.2 and earlier, as well as certain versions of CallManager 3.3, 4.0, and 4.1.
Cisco's influence in the IP telephony market will only grow. A market share report issued Thursday by Synergy Research Group indicates that Cisco's IP telephony technology over the past year owned about 18% of the office telephone system market with more than 30,000 customers and 7 million phones sold over the six years Cisco has been in the market. This means Cisco's chances to avoid being a major target for security attacks is about as effective as an elephant successfully hiding behind a lamppost.
My colleague Nick Hoover and I set out to understand the implications of Cisco's growing dominance in the IP telephony market, and you can in the January 23 issue read what we discovered.
One source that didn't make it into Monday's story told me that people think that because they've implemented security on their IP network that voice-over-IP is taken care of. Think again, says Frank Dzubeck, president of Communications Network Architects Inc., an industry analysis firm in Washington, D.C. "Security in IT is not enough," he says. "You're going to have to consider security on the protocols that you use in the VoIP environment." Companies must also consider implementing network tunneling and data encryption to protect their VoIP communications.
Nick learned that, despite a lack of widespread attacks, security researchers have seen heavy scrutiny from hackers trying to probe endpoints -- phones and PC-based softphones -- for vulnerabilities. And there's also the possibility that hackers will trick phone users into handing over personal information, not unlike the goal of phishing. But that's not to exaggerate the risk. Symantec's Dave Cole calls the threat of VoIP attacks real, but warns that it shouldn't be overblown. There are many benefits. "Is there a dramatic amount of risk over people using normal phones?" says Cole, director of the company's Security Response program. "I don't think it is."
Sounds like a split decision for now, but keep in mind that any technology that becomes widely deployed also becomes a bigger target to the hacker community. Any plans for VoIP implementation should include a plan for managing worst-case-scenario security issues.