WiFi VOIP: How Safe?
The Wireless Vulnerabilities & Exploits site, a repository of -- surprise! -- wireless security threats, has posted a number of advisory notes about Hitachi Ltd. (NYSE: HIT; Paris: PHA)'s IP5000 unit and UTStarcom Inc. (Nasdaq: UTSI)'s F1000 handset.
A number of different attacks are listed on the site, from denial-of-service attacks to remote login vulnerabilities.
For instance, independent security consultant Shawn Merdinger, who focuses on WiFi vulnerabilities, claims on the WV&E site that the UTStarcom phone is open to break-in from a hacker logging in remotely (a method known as rlogin). "Once an attacker has connected to the device through the rlogin service they have full access to the phone," says Merdinger.
UTStarcom says that it has fixed all of the problems in the latest version of its device. "[Merdinger] got hold of an early version of the phone," says UTStarcom's product manager for handsets, Howard Frish.
Hitachi is looking for a spokesperson that can comment on the matter.
Still, these threats show that users don't yet have a comprehensive plan for how to deal with such threats.
Bo Mendenhall, senior information security analyst for health sciences at the University of Utah, says that it is too soon to define best practices for VOIP phone security.
"It's hard enough to get VOIP to run through WiFi as it is," he says in an email.
In fact, given the security worries that continue to float around enterprise wireless LAN, there's a perhaps surprising lack of concern about the security of these new 802.11 handsets, according to analysts.
"Unfortunately, today's VoFi [Voice-over-WiFi] handsets by and large don't have the degree of configurability needed for real security, nor do they currently place much of an emphasis on security overall," notes Craig Mathias, principal analyst at the Farpoint Group . "I'd remind everyone, however, that ordinary telephony isn't secure, and we shouldn't expect all that much of VoFi or other VOIP security at this point." Analyst Jack Gold at J.Gold Associates suggests that some technical changes will be needed for the "dumb" WiFi VOIP phones as the devices go through growing pains. "I don’t think any of the current phones working over wireless have firewalls built in to keep intruders out. They ultimately will have to do so, as 'phishing' attacks on wireless devices of all kinds can take place easily."
He suggests that 802.11 handsets should also run WPA wireless security software "at the very least" to protect against malicious attacks and call monitoring. (See WPA2 Secures Support for more on WPA security.)
While it's still very early days for voice-over-802.11 handsets, users and vendors alike will have to think hard about security issues -- particularly since vendors are scheduled to bring a wave of new dualmode handsets to market, creating the potential for many more of these devices entering the workplace, often without the IT department knowing about it. (See UMA Steps Up.)
— Dan Jones, Site Editor, Unstrung