WiFi VOIP: How Safe?

Just as vendors prepare the first generation of dualmode cellular and WiFi mobiles for launch later this year, the wireless security community is starting to turn up threats to 802.11 VOIP handsets in the field.

The Wireless Vulnerabilities & Exploits site, a repository of -- surprise! -- wireless security threats, has posted a number of advisory notes about Hitachi Ltd. (NYSE: HIT; Paris: PHA)'s IP5000 unit and UTStarcom Inc. (Nasdaq: UTSI)'s F1000 handset.

A number of different attacks are listed on the site, from denial-of-service attacks to remote login vulnerabilities.

For instance, independent security consultant Shawn Merdinger, who focuses on WiFi vulnerabilities, claims on the WV&E site that the UTStarcom phone is open to break-in from a hacker logging in remotely (a method known as rlogin). "Once an attacker has connected to the device through the rlogin service they have full access to the phone," says Merdinger.

UTStarcom says that it has fixed all of the problems in the latest version of its device. "[Merdinger] got hold of an early version of the phone," says UTStarcom's product manager for handsets, Howard Frish.

Hitachi is looking for a spokesperson who can comment on the matter.

Still, these vulnerabilities show that users don't yet have a comprehensive plan for dealing with such threats.

Bo Mendenhall, senior information security analyst for health sciences at the University of Utah, says that it is too soon to define best practices for VOIP phone security.

"It's hard enough to get VOIP to run through WiFi as it is," he says in an email.

In fact, given the security worries that continue to float around enterprise wireless LANs, there's a perhaps surprising lack of concern about the security of these new 802.11 handsets, according to analysts.

"Unfortunately, today's VoFi [Voice-over-WiFi] handsets by and large don't have the degree of configurability needed for real security, nor do they currently place much of an emphasis on security overall," notes Craig Mathias, principal analyst at the Farpoint Group. "I'd remind everyone, however, that ordinary telephony isn't secure, and we shouldn't expect all that much of VoFi or other VOIP security at this point."

Analyst Jack Gold at J.Gold Associates suggests that some technical changes will be needed for the "dumb" WiFi VOIP phones as the devices go through growing pains. "I don’t think any of the current phones working over wireless have firewalls built in to keep intruders out. They ultimately will have to do so, as 'phishing' attacks on wireless devices of all kinds can take place easily."

He suggests that 802.11 handsets should also run WPA wireless security software "at the very least" to protect against malicious attacks and call monitoring. (See WPA2 Secures Support for more on WPA security.)

While it's still very early days for voice-over-802.11 handsets, users and vendors alike will have to think hard about security issues -- particularly since vendors are scheduled to bring a wave of new dualmode handsets to market, creating the potential for many more of these devices entering the workplace, often without the IT department knowing about it. (See UMA Steps Up.)

— Dan Jones, Site Editor, Unstrung

wlanner 12/5/2012 | 4:06:08 AM
re: WiFi VOIP: How Safe? I think the concept of dual mode phones is a good thing. As the phones converge to run all sorts of applications, having LAN access will be important (basically a PDA with voice). But, I disagree on the reasoning vendors give: "Having a voice call transition from the cell network to the LAN to save money" (at least in the enterprise, at home there is a good use case).

Why? Because it's basically free already. What I mean is, internet access used to cost X cents per minute, then $x of some amount of minutes and now it's $x for unlimited access.

Is my cell phone far away? I now pay $29 or $39 and get some enormous amount of minutes that I rarely go over (remember 39 cents per minute). How much longer before someone says it's $x per month use it all you want (basically, I'm there because I never reach all my minutes anyways)?

And with wi-fi, despite all the vendor claims and even with 802.11e, after you get 7 or more calls, the performance is non-deterministic of the AP. Especially, if everyone is using voice and data.

So, I'm happy to keep my cell connection.

What is very interesting is all data portion of the phone (but not too sexy). Over the cell network its like watching paint dry, but I would love to get wi-fi speeds with email, internet, etc...

So, I think there is a great use case. I just don't buy into the hype that it's all about saving $$$ for my voice calls which work perfectly fine today.
IPobserver 12/5/2012 | 4:06:05 AM
re: WiFi VOIP: How Safe? Saw some really cool looking GSM-WiFi phones from Chinese vendor E28 at 3GSM this week.

All the cool phones seem to be coming from Asian vendors.

Agree that the data portion is the attraction for dual mode.
[email protected] 12/5/2012 | 4:06:05 AM
re: WiFi VOIP: How Safe? Cost aside, there may be better reception in buildings, tunnels, etc.

The cost advantage may be in only having one phone, one phone number, etc.

Right now, I have a desk phone and a cell phone. If my cell phone had this feature, the company could do away with the desk phone, and all the infrastructure behind it, i.e., the PBX/Centrex, support, etc.