Microsoft | NHS Resource Centre


Sidewinder on VoIP security best practice

Davey Winder's security column

With Voice over Internet Protocol (VoIP) for the NHS just around the corner, Davey Winder assesses the security implications of this latest communications tool.

Five early adopter trusts have been piloting Voice over Internet Protocol (VoIP) across the NHS’ N3 network, BT recently revealed, and 35 have said they want to follow suit. Not all that surprising, when you consider that the NHS Connecting for Health business case suggests an annual potential saving for the NHS of £6 million on internal calls.

Throw in the fact that 70 per cent of NHS call charges derive from landline-to-mobile calls, and that a deal with O2 for subsidised VoIP-to-mobile rates has been negotiated, and you can see why many people are jumping on the cheap-calls bandwagon. But is there a danger that security issues could cause the wheels to fall off?

 

First steps

According to Steven Howarth, a security sales specialist at Cable & Wireless, the NHS IT manager’s very first step should be to conduct a security risk assessment before moving users onto the VoIP network - even though N3 is tried and tested. “It is vital for IT managers to consider security in the initial planning stages and adopt a holistic approach to security policy,” he says.

Unfortunately, VoIP is still new enough to be evolving. Its protocols and design standards are still being developed, so the vulnerabilities of tomorrow are hard to predict today - and that means a one-off assessment is not enough; some form of ongoing monitoring is required.

“Someone trying to manage a VoIP network must implement security monitoring and assessment products to create islands of defence,” says Colby DeRodeff, senior security engineer at ArcSight. Typically, feeding the logs from call servers, gateways and the network into a security information management platform lets that ongoing monitoring be run from a single dashboard rather than from a dozen separate consoles.

Top Tip: Don’t be left trying to shut the stable door after the security horse has bolted. A security risk assessment is required before moving users onto the VoIP network.

Boxing clever

Research on VoIP security presented to the RSA Conference 2007 revealed that manufacturer defaults often make for an insecure installation straight out of the box. But these can be mitigated simply by tweaking the settings before rolling out a VoIP system - as long as you know which settings to tweak, that is.

Dan York, director of IP Technology at Mitel, does - and he’s in the mood for sharing. He says:

1. Enable voice encryption to prevent eavesdropping or modification of the voice stream.
2. Enable call control/signalling encryption to prevent denial-of-service attacks.
3. Change all default passwords.

To which I would add: change the default voicemail greeting. The stock greeting identifies which system is in use, and once a hacker knows the make and model it is easier to target the attack at its known weaknesses.
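The first two items on that checklist can be verified from the wire rather than taken on trust from the handset's menu. The script below is an added example for this page, not code from the article or from Mitel: it parses a SIP INVITE and reports whether the signalling transport is encrypted (TLS in the topmost Via header) and whether each media line offers SRTP (an RTP/SAVP profile with a keying attribute) instead of plain RTP/AVP. Both INVITE messages are constructed here, with invented hostnames, extensions and key material; in practice the message would come from a packet capture or the call server's SIP trace.

```python
"""Audit a SIP INVITE for the two encryption settings in the checklist above.

Added example for this page, not the article's or any vendor's code. The two
INVITE messages below are constructed (hostnames, extensions and the SDES key
are invented); in practice the message would come from a capture or SIP trace.
"""
from __future__ import annotations
import re

# Constructed: plaintext UDP signalling and plaintext RTP/AVP audio, i.e. the
# out-of-the-box state the article warns about.
PLAINTEXT_INVITE = (
    "INVITE sip:2001@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.20.30.40:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:2002@pbx.example.test>;tag=1928301774\r\n"
    "To: <sip:2001@pbx.example.test>\r\n"
    "Call-ID: a84b4c76e66710@10.20.30.40\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 53655765 2353687637 IN IP4 10.20.30.40\r\n"
    "s=-\r\n"
    "c=IN IP4 10.20.30.40\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 101\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed: the same call after the checklist is applied - TLS on the
# signalling path and SRTP (RTP/SAVP with an SDES a=crypto key) for the media.
HARDENED_INVITE = (
    "INVITE sips:2001@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 10.20.30.40:5061;branch=z9hG4bK776asdhds\r\n"
    "From: <sips:2002@pbx.example.test>;tag=1928301774\r\n"
    "To: <sips:2001@pbx.example.test>\r\n"
    "Call-ID: a84b4c76e66710@10.20.30.40\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 53655765 2353687637 IN IP4 10.20.30.40\r\n"
    "s=-\r\n"
    "c=IN IP4 10.20.30.40\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/SAVP 0 8 101\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

SECURE_TRANSPORTS = {"TLS", "WSS"}                # encrypted SIP transports
SRTP_KEYING = ("a=crypto:", "a=fingerprint:")    # SDES key or DTLS-SRTP fingerprint


def _media_sections(sdp: str) -> list[tuple[str, str, str, list[str]]]:
    """Split an SDP body into (media, port, profile, attribute lines) per m= line."""
    sections: list[tuple[str, str, str, list[str]]] = []
    for line in sdp.split("\r\n"):
        if line.startswith("m="):
            media, port, profile = line[2:].split()[:3]
            sections.append((media, port, profile, []))
        elif sections and line.startswith("a="):
            sections[-1][3].append(line)          # attribute belongs to the last m= line
    return sections


def audit_sip_invite(message: str) -> list[str]:
    """Return findings; an empty list means signalling and media are both encrypted."""
    findings: list[str] = []
    head, _, body = message.partition("\r\n\r\n")
    # The transport the message actually travelled over is in the topmost Via header.
    via = next((h for h in head.split("\r\n") if h.lower().startswith("via:")), "")
    m = re.match(r"via:\s*SIP/2\.0/(\w+)", via, re.IGNORECASE)
    transport = m.group(1).upper() if m else "UNKNOWN"
    if transport not in SECURE_TRANSPORTS:
        findings.append(f"signalling not encrypted: Via transport is {transport}")
    for media, port, profile, attrs in _media_sections(body):
        if not profile.startswith("RTP/SAVP"):
            findings.append(f"{media} media on port {port} is plaintext ({profile})")
        elif not any(a.startswith(SRTP_KEYING) for a in attrs):
            findings.append(f"{media} media offers {profile} but carries no SRTP keying attribute")
    return findings


if __name__ == "__main__":
    for name, msg in (("plaintext", PLAINTEXT_INVITE), ("hardened", HARDENED_INVITE)):
        print(name, audit_sip_invite(msg) or ["OK"])
```

Run against the plaintext INVITE it reports two findings (UDP signalling, RTP/AVP audio); against the hardened one it reports none. Note that a handset can offer RTP/SAVP and still fall back to plain RTP if the far end does not answer with SAVP, so check the 200 OK as well as the INVITE when auditing a live system.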

Top Tip: Don’t rely on out-of-the-box security settings; they could leave you wide open to attack.

 

Privacy matters

Within any healthcare organisation, patient privacy is always going to be the primary focus. And there is no doubt that VoIP introduces an additional route to unauthorised patient data.

It is surprisingly easy for a hacker to eavesdrop on a VoIP conversation - certainly easier than tapping a landline. That’s because the call is just network traffic: the audio travels as a stream of small packets, and anyone who can reach the network segment it crosses can use a readily available packet sniffer to capture those packets as they go past, put them back in order and play back the conversation.
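To make that concrete, the script below is an added example for this page (not the article's or any vendor's code) that does the reconstruction step from the attacker's side: it parses RFC 3550 RTP headers, groups packets by stream (SSRC), reorders them by sequence number, drops duplicates and pads lost frames with G.711 silence so the timeline is preserved. The packets are constructed in-process to stand in for UDP payloads lifted off the wire, and the "audio" is dummy PCMU bytes. With SRTP enabled, as in the checklist above, exactly the same header parses but the payload is ciphertext, so nothing playable comes out.

```python
"""Reassemble a plaintext VoIP call from sniffed RTP packets (RFC 3550).

Added example for this page, not the article's or any vendor's code. The
packets in CAPTURE are constructed here to stand in for UDP payloads captured
with a sniffer; the 'audio' bytes are dummy G.711 (PCMU) frames.
"""
from __future__ import annotations
import struct
from collections import defaultdict

RTP_VERSION = 2
PCMU_SILENCE = 0xFF      # G.711 mu-law encoding of digital silence


def build_rtp(seq: int, ts: int, ssrc: int, payload: bytes, pt: int = 0, marker: bool = False) -> bytes:
    """Build a minimal RTP packet: V=2, no padding, no extension, no CSRC list."""
    b0 = RTP_VERSION << 6
    b1 = (int(marker) << 7) | (pt & 0x7F)
    return struct.pack("!BBHII", b0, b1, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(packet: bytes) -> dict:
    """Parse the fixed RTP header, skipping CSRCs, extension and padding."""
    if len(packet) < 12:
        raise ValueError("too short to be RTP")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    version, padding, extension, cc = b0 >> 6, (b0 >> 5) & 1, (b0 >> 4) & 1, b0 & 0x0F
    if version != RTP_VERSION:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * cc                                  # CSRC identifiers, 4 bytes each
    if extension:                                         # 16-bit id + 16-bit length in words
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    end = len(packet) - (packet[-1] if padding else 0)    # last byte gives padding length
    return {"pt": b1 & 0x7F, "marker": bool(b1 >> 7), "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": packet[offset:end]}


def reassemble_streams(packets: list[bytes]) -> dict[int, bytes]:
    """Group by SSRC, order by sequence number, drop duplicates, fill gaps with silence."""
    by_ssrc: dict[int, dict[int, bytes]] = defaultdict(dict)
    for raw in packets:
        p = parse_rtp(raw)
        by_ssrc[p["ssrc"]].setdefault(p["seq"], p["payload"])   # first copy wins
    streams: dict[int, bytes] = {}
    for ssrc, frames in by_ssrc.items():
        seqs = sorted(frames)
        wrapped = seqs[-1] - seqs[0] > 0x8000                    # one 16-bit rollover in the capture

        def unwrap(s: int) -> int:
            return s + 0x10000 if wrapped and s < 0x8000 else s

        ordered = sorted(frames, key=unwrap)
        frame_len = len(frames[ordered[0]])
        audio = bytearray()
        expected = unwrap(ordered[0])
        for seq in ordered:
            lost = unwrap(seq) - expected
            audio += bytes([PCMU_SILENCE]) * (frame_len * lost)  # keep timing across lost frames
            audio += frames[seq]
            expected = unwrap(seq) + 1
        streams[ssrc] = bytes(audio)
    return streams


def _frame(seq: int) -> bytes:
    return bytes([seq & 0xFF]) * 4        # stands in for 20 ms of PCMU audio


# Constructed "sniffed" packets: two streams (one per direction), delivered out
# of order, with one duplicate and one lost frame in the first stream and a
# sequence-number rollover in the second.
CAPTURE = [
    build_rtp(10, 1600, 0x11111111, _frame(10), marker=True),
    build_rtp(12, 1920, 0x11111111, _frame(12)),
    build_rtp(65534, 8000, 0x22222222, _frame(65534)),
    build_rtp(11, 1760, 0x11111111, _frame(11)),
    build_rtp(11, 1760, 0x11111111, _frame(11)),      # duplicate
    build_rtp(65535, 8160, 0x22222222, _frame(65535)),
    build_rtp(0, 8320, 0x22222222, _frame(0)),        # seq wrapped to 0
    build_rtp(14, 2240, 0x11111111, _frame(14)),      # seq 13 never arrived
    build_rtp(1, 8480, 0x22222222, _frame(1)),
]

if __name__ == "__main__":
    for ssrc, audio in reassemble_streams(CAPTURE).items():
        print(f"SSRC {ssrc:08x}: {len(audio)} bytes of PCMU -> {audio.hex()}")
```

The output for a real capture would be written to a .wav file with the PCMU codec and played; the point is that nothing in the RTP header is secret, so ordering and playback are mechanical once the packets are in hand. Only encrypting the payload (SRTP) stops this, which is why the "encrypt everything" tip below is not optional on a network carrying patient conversations.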

A potential weak spot is the IP phone hardware itself, as not all of this kit supports encryption. Indeed, some vendors support truly secure communications only between a limited range of high-end handsets. IT managers need to ensure that the entire system is deployed with suitably secure phone handsets, because a single unencrypted handset in a call leaves that call open.

Top tip: Encrypt everything, everywhere!

 

Painting the threatscape

Ken Munro is managing director at penetration testing specialists SecureTest, and he knows a thing or two about VoIP threats. Two that he thinks NHS IT managers should learn about are “grey routing” and “hub-hijacking”.

“Grey routing allows the hacker to place calls for free. A ‘freeware’ tool for performing this hack is openly available online,” he says. “Hub-hijacking is a more sinister threat because it is difficult to detect.

“Hub-hijacking exploits the fact that most VoIP phones use a simple network architecture, with a single hub allowing anyone to connect via the phone to other systems housed on the same IP network. For instance, the hacker could use the VoIP phone to access a local area network or to tap into individual desktops or even a central server.”

The lesson here is that just as every PC is a potential network gateway for hackers, so are VoIP phones. They are also gateways. They are just dressed up differently.

 

Top tip: Consult the experts to ensure that you are covered against emerging VoIP threats, rather than relying upon your own knowledge alone.

 

In summary, VoIP is a new communications tool and a very good and potentially cost-effective one. However, it means that more people will be using computers more than before, and in unfamiliar ways. That’s a hacker’s golden opportunity.

The good news is that the rules for defeating the hacker are familiar: be vigilant, get protected, and learn how users’ working practices create their own vulnerabilities.


About the author: Author, journalist and consultant, Davey Winder has been writing about security issues for 16 years and was IT Security Journalist of the Year 2006, an award from BT.

 

 
