Trouble On The Line

IP telephony promises cheaper, better phone service--and a plague of security problems to boot

Next time you're in the office, take a look at your phone. If it's not running on your company's IP network yet, it's probably the last phone you'll ever have that isn't. Any corporation facing an upgrade or overhaul of its telephone system needs to consider making the switch to IP. It's now inevitable.

But a potentially crippling problem comes with this emerging new technology: security. Many experts in IT circles are raising concerns about how serious the threats will be as IP telephony grows. It is, after all, another Internet application, just like e-mail–and think about what's happened with that technology. Five years ago, spam was not a problem anyone devoted much energy to, but now, as e-mail has become nearly ubiquitous, spam represents the majority of traffic on the Internet, and needs constant monitoring by IT staff. Of course, e-mail is also the most common channel for all kinds of malevolence: viruses, denial-of-service attacks (purposely bringing down a network with millions of nearly simultaneous messages) and phishing (hoaxes that lure victims into giving up sensitive personal information or passwords).

Guess what? All those things, and maybe more, are possible over IP telephony. “You're now using the same network for voice traffic that you've been using all along for data traffic,” says Carmi Levy, a senior research analyst with Info-Tech Research Group in London, Ont. “[With conventional telephony] you weren't worried about someone literally stealing a phone conversation, saving it as an MP3 and using it for corporate espionage. Moving to a digital realm opens up the possibility for whole new ways of violation.” And who knows what new things some criminal mastermind–or enterprising teenage hacker–might come up with?

In some crucial ways, voice is not just another Internet application like e-mail. For instance, it's not really that hard to delete unwanted e-mails. But what if you have scores of voice-spam messages (already charmingly known in the industry as spam-over-Internet telephony, or SPIT) in your voice mail every morning? Not only are voice applications more cumbersome for individuals to manage, but they are even more mission-critical than e-mail. Think your website going down is bad for business? That's nothing compared to hackers compromising your voice network.

One company leading efforts to design protection for IP telephony just happens to be in Mississauga, west of Toronto. BorderWare Technologies Inc. is a privately held, 140-employee company started in 1994–“three Internet lifetimes ago,” according to its founder and now chairman, John Alsop. Its debut product was one of the world's first Internet firewalls, a product that was initially dismissed as unnecessary. After BorderWare was bought by a U.S. competitor, in 1996, Alsop co-founded iPass–a very successful wireless security company that had US$166 million in revenue last year. In 1998, Alsop returned to Mississauga and bought back BorderWare, whose business was by then flagging badly. Alsop's strategy was to launch an e-mail security product–again, the market scoffed. Now, Internet and e-mail security are large, quickly growing and fiercely competitive segments of the IT industry.

Today, BorderWare, which has partnerships with the likes of 3Com and Hewlett-Packard, is at it again: in June, it launched the market's first security appliance for IP telephony. “As soon as we started looking at voice over IP, we said, 'Hey, this is like a hole you can drive a Mack truck through, and somebody's going to do it,'” says Alsop. “Humans are just very reactive in nature. Until the tsunami hits the beach, nobody worries about deploying the detectors out in the ocean. It's kind of the same thing here. There is a lot of initial interest, but sometime in the next year there's going to be a highly visible incident that will open the gates, and then it's going to go crazy.”

It's important to note that VoIP isn't inherently any more insecure than e-mail or other connections to the Internet. But the technology will add new layers to the complex problem of corporate network security. If–or when–your company's voice network is attacked, you can bet you'll look at that phone on your office desk in a whole new way.