Introduction
Organizations have continued to deploy new technologies to meet service demands from their customers. The growth and demand for such services have been fueled by the Internet. As they continue to deploy high-speed Internet (broadband) connectivity, many organizations and individuals that depend on the Internet to communicate through voice telephony have increased exponentially.
The technique is Voice over Internet Protocol (VoIP), which allows users to make calls over the Internet. It requires connected computers, microphones, and headsets. Users may also opt for a VoIP adapter to change signals to Internet packets (Garfinkel, 2005). Users may incur minimum costs for using VoIP. The purpose of this assignment is to evaluate the security of VoIP systems, including SIP and Skype, and show how the security of these systems compares with the security of POTS telephone systems or wireless systems.
Evaluation of the security of VoIP systems, including SIP and Skype
Generally, any technology that depends on the Internet to relay its data is susceptible to security lapses. Today, hackers can infiltrate many communication gadgets, including cellular phones, telephone, and Internet commerce. The Internet is the mode of VoIP, and therefore, any call can be intercepted.
During earlier periods of VoIP, there were no major security concerns for the telephony. Previously, major sources of concern were mainly costs, reliability, availability, and functionality. Today, however, VoIP has become popular and has gained widespread acceptance and usage globally. As a result, security concerns have emerged. The issue becomes more important when VoIP has to substitute the Plain Old Telephone System (POTS), which is the most secure mode of communication.
VoIP is exposed to all security concerns that Internet users may encounter when handling data. VoIP users may experience the following security challenges. First, service theft or phreaking involves the theft of services from service vendors or users. Hackers engage in phreaking to avoid associated costs of VoIP. Encryption for authentication over VoIP communication is not regularly used in SIP (Session Initiation Protocol), and therefore, user credentials may be exposed to hackers.
Second, eavesdropping allows attackers to steal user credentials and have control over VoIP services. Third, hackers may also pose as trustworthy companies and call clients with the aim of obtaining confidential, critical data. This is known as “VoIP vishing or phishing” (VoIP Security, 2015). Fourth, VoIP services rely on software, which is prone to viruses, worms, and malware. This is common for any Internet-enabled services. Malicious code attacks could derail VoIP systems.
Fifth, DoS (Denial of Service) may also affect VoIP. Attackers may infiltrate the network to deny the system its network connectivity through overloading or bandwidth consumption. In the case of VoIP, attackers may flood the system with the redundant SIP call signaling to degrade the system and cause call drops and changes in call management processes. Attackers use DoS attacks to gain remote control of the target network. Sixth, SPIT (Spamming over Internet Telephony) is another common security threat to VoIP.
Attackers send messages in the form of voicemails, clog the system, introduce viruses, and render voicemail services useless. They use the VoIP IP address to SPIT. SPIT may also be accompanied by phishing over VoIP. Seventh, attackers may also engage in call tampering with ongoing calls.
This may involve the introduction of noise packets to interfere with the voice quality, or they could prevent timely delivery of packets and make calls spotty, resulting in longer durations of silence. Finally, man-in-the-middle attacks also affect VoIP. Hackers can seize call signals, SIP messages, and pose as a genuine caller. Hackers can then have opportunities to gain control of the network.
These security threats show that any security challenges experienced in hacked Internet situations could also affect VoIP technologies (VoIP Security, 2015).
Skype Security
The most popular VoIP systems have mainly been deployed to serve small businesses and individuals. However, Skype introduced Skype for SIP in 2009, a service that lets its “peer-to-peer VoIP clients interact with existing IP PBXs and is aimed at small businesses looking to get in on the cost-savings of internet telephony” (Goodchild, 2010).
For users, the security of Skype as a form of VoIP is critical, particularly when compared to analog telephones. Security remains a significant source of concern for many vendors and users. It is difficult to evaluate VoIP and Skype security in isolation because of their interlinked nature. Therefore, to assess the security of Skype, it is vital to focus on certain threats that affect VoIP and then evaluate the system design to determine the level of exposure.
It is also imperative to understand that Skype security is complex (Garfinkel, 2005). First, several factors “influence security of Skype, including the computer and the network itself” (Garfinkel, 2005). Second, Skype has both private and secret protocols, and therefore, only vendors can determine the security of Skype through data provided or reverse engineering software.
Third, Skype has been regarded as a peer-to-peer system, and thus, a third party within the network system may breach its security. However, this may remain unknown to other users engaged in a conversation. Lastly, the Skype system is programmed to update itself when a new version is released, and this may result in “changes of the overall system security without any warning to users” (Garfinkel, 2005).
There are privacy concerns with Skype. The developer of the system claims that information transmitted is encrypted and, therefore, not easy to hack. In other words, one cannot easily analyze scrambled information transmitted through Skype. This implies that the system may be secure against common data snooping. It is, however, difficult to state categorically that Skype is secure against experienced hackers.
Several factors influence the security of encrypted information. These include the algorithm of encryption, choices of encryption keys, implementation processes, algorithm, and its protocol, and the execution of the algorithm and protocol in the system (Garfinkel, 2005). Such strategies aim to protect transmitted data.
Authenticity
Skype users have their credentials. These consist of usernames, passwords, and e-mail addresses, among others. Any users can only gain access to Skype by logging in using their credentials. In case users forget their passwords, Skype manages the process and send new passwords to “users through their registered e-mail addresses” (Garfinkel, 2005).
Hence, E-mail Based Identification and Authentication is “one approach used for Skype authentication processes” (Garfinkel, 2005). Simply, users can log in without requesting credential modifications if not forgotten or compromised.
Skype relies on its network to verify user credentials. However, it is unclear how the system conducts these verification procedures. During authentication processes, many threats may take place. Malicious users may obtain login credentials of other users while malicious ISPs (Internet Service Providers) may channel information to malicious Skype nodes, and therefore, other users can easily obtain such information. In some instances, a malicious node may provide fake authentication for login to other users. These scenarios show that the Skype authentication process may be compromised at any point during the user login processes.
Availability
Constant availability of telephone service is important to users. The Internet was designed to survive certain defects in important links, and availability has become important for system developers. Generally, the telephone service has been superior to the Internet-based on availability. Hence, Skype may provide inferior availability.
In addition, other factors may also influence the availability of Skype. In case of server failure during authentication processes, Skype may not be available to users. Although current VoIP systems may not have these challenges, a system with one gateway service may suffer widespread failure in case of gateway failure.
Survivability
The Internet has unique designs to ensure that services or communication between nodes continue in case of any interruptions. The system has packet-switched networks to “ensure availability of services after interference, and this is known as survivability” (Garfinkel, 2005). During the design process, the designers can choose their preferred model for the survivability of the network. For instance, the use of a single server to connect a communication channel can result in failure if the server fails.
On the contrary, if two servers are used to connect communication channels, then the system may survive in case of a single server disruption. Survivable networks tend to be “expensive relative to other system designs with single points of failures” (Garfinkel, 2005).
In addition, it is not clear whether survivable systems offer superior services on a daily basis if compared to other systems without such provisions. Consequently, Internet service providers or users may not offer services that can resist the random failure of certain components. In this regard, it is not clear whether Skype’s system may withstand the arbitrary failure of its servers or external attacks.
Resilience
In case of disruption, Internet connections can be rapidly restored compared to POTS systems. Wireless networking offers such advantages. In this regard, Skype and other VoIP systems offer such flexibility to users, including changes in IP addresses. These qualities make Skype extremely resilient to network changes. That is, they can rely on nearby networks to function once users register on the network.
Conversely, Skype users may not operate their systems if authentication systems become unreliable or unavailable. The situation may result from network destruction, hackers’ interference, hostile inside activities, or sabotage by parent firms. As a result, Skype may be rendered unavailable and thus useless to affected users.
Session Initiation Protocol (SIP)
SIP is a protocol for VoIP, and it promises to offer a common protocol that can combine both voice and data networks for new system applications (Collier, 2005). The technology would ensure that users could integrate different voice system parts from various service providers and vendors to deliver quality VoIP services.
Many SIP vendors, however, have concentrated on its features and compatibility at the expense of security (Collier, 2005). This makes the system vulnerable to common IP and VoIP security risks and other attacks unique to its features. Hence, it is necessary to evaluate these drawbacks and relevant security measures.
First, SIP may suffer registration hijacking. This takes place when hackers impersonate valid users to gain access to the systems and then replace authentic credentials. As a result, attackers receive all incoming calls. Registration in SIP is always simple and easy for spoofing. Weak credentials may be used, while authentication may not be mandatory.
Second, proxy impersonation may also occur when hackers pose as users in order to facilitate connections with a rogue proxy. Successful impersonation gives attackers full control and accessibility to SIP messages and calls.
Third, cases of message tampering have also been reported with SIP. Hackers may seize and change packets transmitted between SIP components. It may take place during registration, proxy manipulation, or any components used to handle SIP messages (Collier, 2005).
Fourth, a session tear down involves monitoring call signals and then relaying sign off a message to users by attackers. Weak authentication has been a major challenge for users, and therefore, hackers have been able to exploit it to construct sign off messages to both users and derail ongoing calls.
Fifth, SIP also experiences denial of service (DoS) like any other Internet supported system. Attackers may administer DoS attacks through various methods described above or introduce specific attacks to complete the system breach. SIP processing components do not require strong credential authentication and therefore are most likely to process any requests, including ones originating from potential hackers.
How security of these systems compares with the security of POTS telephone systems or wireless systems
For making calls with VoIP, an Internet connection is required. Hence, the VoIP communication platform can be reasonably affordable. The VoIP offers flexibility, for instance, being available nearly at any location and abilities to add extra features to the account, such as messaging or voicemail. The Public Switched Telephone Network (PSTN) or POTS may lack these qualities.
Although private and secure IP networks may provide high quality and safe VoIP communication platforms, VoIP still faces major drawbacks and risks relative to POTS.
Vendors and organizations may ignore security concerns and certain drawbacks when looking for external communication platforms. Nevertheless, it is imperative to acknowledge that VoIP relies on an openly accessible Internet connection, and the connection quality of the Internet may influence the quality of VoIP communication. A lack of Internet due to any reason implies that no voice calls for users.
Most important, VoIP telephone calls face major security risks. For instance, eavesdropping, identity theft, hacking, or even abuses of private, critical date are some cases of security concerns for VoIP. In addition, it is not possible to monitor all online communications (the case of Snowden). In fact, vishing is an emerging case of security threat that exposes users to malicious third parties (Vijayan, 2002). These are facts users of VoIP must face. Conversely, no such cases were reported with POTS.
Of course, it is fundamental for firms to move rapidly with technologies, including VoIP or changes in POTS. However, POTS offers high quality and assured availability. These qualities guarantee superior value to business and protection against malicious third parties, including spies. Landlines are readily available and do not depend on the quality of the Internet connection. A POTS system is not prone to hackers and other malicious third parties.
For international business communication, factors such as voice quality, guaranteed availability, and secure communication platforms are extremely vital. For individuals or organizations that rely on VoIP, they risk security, availability, and quality. Theft of confidential, critical data can damage the reputation of any organization with severe consequences to affected parties. In addition, costs associated with damages are far greater than the costs related to getting high-quality POTS services.
In addition, POTS is not outdated. It can ensure manageable global call routing and provide other additional applications to enhance call experiences. In fact, POTS is still useful for toll-free calls and other regional calls. The industry has recognized the need to transit with emerging technologies of VoIP (Narcisi, 2013), but POTS is still useful and continues to offer a safe, secure, available, and reliable communication platform relative to VoIP.
Wireless systems are also exposed to some serious security threats relative to POTS. Many users, for instance, have failed to secure their smart wireless systems. Specifically, these users have ignored minimum security recommendations for wireless devices.
For instance, they have failed to use passwords, screen lock systems, erase data remotely for lost devices, or locate missing phones. Wireless systems are also vulnerable to malicious software. Malicious software may gain access to private data or send unauthorized messages. These behaviors show the presence of malicious software in wireless devices.
Wireless systems can be traced, and users’ locations are disclosed. These features offer less privacy to owners. Many apps tend to indicate the locations of users. In addition, such apps are more intrusive and may gather various data stored in a wireless device. While apps may request for users’ permission, they collect more information beyond their functions. Intrusive software platforms are widespread, and many people have started to reject them. Finally, wireless systems also expose other devices such as computers to risks of malware, viruses, and worms.
This evidence suggests that POTS is more secure relative to wireless systems, VoIP, including SIP and Skype.
Securing VoIP
Currently, many experts have identified various threats to VoIP and possible ways of securing the system (Bradley, 2009). Encryption can be used to secure VoIP (Vijayan, 2002). It is vital for users to get an enterprise-class solution for a specific influx intended to harm the network. Scalability can protect the system from DoS and ensure a secure edge for users.
Users are also advised to observe the utmost privacy in virtual LANs, and they should encrypt their messages and segregate network traffic. In addition, users must harden their VoIP network systems by ensuring that systems are safe and have passed verification procedures. This is critical for any system, which handles data.
Users should also change their factory-default passwords and update systems against viruses, worms, and malware. In addition, one can avoid SPIT by taking precautions when giving out contact details.
While traditional methods of protecting the Internet can still serve VoIP, users should learn about a wide range of “carrier-class border control solutions that will help organizations manage security threats from the core of their networks all the way to the access points” (Bradley, 2009).
Conclusion
Individuals and businesses have opted for VoIP to reduce the costs of making phone calls. POTS is relatively safe and could be consistent than VoIP (Narcisi, 2013).
However, security and reliability threats for VoIP have remained a significant areas of focus for vendors and users. VoIP may become more secure as vendors and users work together to develop solutions for identified risks. As new solutions emerge, VoIP will become more secure and reliable. Until then, users should be cautious when handling any transaction that involves sensitive, critical information.
Overall, organizations and users should learn about specific security threats and related solutions to protect their networks from intrusion. This strategy would give them an edge to use VoIP over POTS.
References
Bradley, B. (2009). VoIP Security: The Basics. Network World. Web.
Collier, M. (2005). Basic Vulnerability Issues for SIP Security. Web.
Garfinkel, S. L. (2005). VoIP and Skype Security. Web.
Goodchild, J. (2010). Skype Security: Is the Popular VOIP Service Safe for Business? Web.
Narcisi, G. (2013). VoIP vs. PSTN: VoIP heats up as the PSTN moves into retirement. Web.
Vijayan, J. (2002). VOIP: Don’t overlook security. Computer World. Web.
VoIP Security. (2015). Web.