US warns on risk of net-based telephony
Security alert could herald rethink on new system
The US government has issued a strong warning about the security risks associated with internet-based telephony, one of the fastest-growing communications technologies.
Internet-based telephony, known as voice over internet protocol, or Voip, promises lower costs and greater flexibility by using existing data networks. But a report by the National Institute of Standards and Technology, which develops technology guidelines for US government agencies, warns of the “inherent vulnerabilities” of Voip.
“Voip systems can be expected to be more vulnerable than conventional telephone systems, in part because they are tied in to the data network, resulting in additional security weaknesses and avenues of attack.”
The warning from the institute is likely to prompt some companies, agencies and consumers to reassess plans for adopting the technology.
According to Gartner, the market research group, spending by US companies and public-sector organisations on Voip systems will grow to $903m this year, up from $686m in 2004. Investment in hybrid systems, which handle Voip and traditional calls, will grow from $1.5bn to $2bn.
By 2007 Gartner expects 97 per cent of new phone systems installed in North America to be Voip or hybrids. The Telecommunication Industry Association predicts that 26m users will have Voip by 2008.
While the technology proliferates, the government is concerned that managers do not fully understand the security implications.
In its report this week Nist says a main source of confusion “is the (natural) assumption that, because digitised voice travels in packets just like other data, existing network architectures and tools can be used without change”. It warns that “Voip adds a number of complications to existing network technology and these problems are magnified by security considerations.”
Firewalls and intrusion detection systems used to protect data networks often interfere with voice calls by delaying information as it travels across the network. This leads to calls breaking up or being dropped. In addition, firewalls are no defence against internal hackers.
Unless calls are encrypted, anyone with physical access to an organisation's local area network can attach monitoring equipment and tap into calls. While this is in theory possible with traditional telephone networks, access to switching equipment is easier to control.
Nist's report, signed by Donald Evans, commerce secretary, warns agencies that essential telephone services, “unless carefully planned, deployed and maintained, will be at greater risk if based on Voip” because the internet is in general less reliable than the public switched telephone network.
Noting that “an especially challenging security environment is created when new technologies are deployed”, Nist recommends using separate voice and data networks when feasible.
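Washington issues stern warning: internet telephony is “not secure”
The US government has issued a strong warning about the security risks of internet telephone services. Internet telephony is one of the fastest-growing communications technologies.
Internet telephony technology is known as “voice over IP” (Voip). The technology uses existing data networks and promises lower costs and greater flexibility. But a report published by the National Institute of Standards and Technology (NIST) warns of the “inherent vulnerabilities” of Voip. The institute is responsible for developing technology guidelines for US government agencies.
“Voip systems can be expected to be more vulnerable than conventional telephone systems, in part because they are tied in to the data network, resulting in additional security weaknesses and avenues of attack.”
The warning from the institute may prompt some companies, agencies and consumers to reassess their plans to adopt Voip telephony.
According to Gartner, the market research group, spending by US companies and public-sector organisations on Voip systems will rise this year to $903m, from $686m in 2004. Investment in hybrid systems will grow from $1.5bn to $2bn. Hybrid systems can handle both Voip and traditional calls.
Gartner expects that by 2007, 97 per cent of new phone systems installed in North America will be Voip or hybrid systems. The Telecommunication Industry Association predicts that 26m users will be using Voip telephone services by 2008.
As the technology becomes widespread, the government is concerned that managers do not fully understand its security implications.
In its report this week, the institute said that one of the main sources of confusion “is the (natural) assumption that, because digitised voice travels in packets just like other data, existing network architectures and tools can be used without change”. The institute warned that “Voip adds a number of complications to existing network technology and these problems are magnified by security considerations.”
Firewalls and intrusion detection systems used to protect data networks slow the passage of data across the network and so often interfere with voice calls. This causes calls to break up or be dropped. In addition, firewalls cannot defend against internal hackers.
Unless calls are encrypted, anyone who can physically get to an organisation's local area network can install monitoring equipment to listen in on calls. Although this is in theory also possible with traditional telephone networks, switching equipment is easier to protect.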