A Grad Student Hacks Cisco’s VoIP Tech! Should We All Freak Out?

One of the main arguments against IP telephony revolves around security. More specifically, there are some people out there concerned that IP telephony isn’t as secure as traditional telephony, and as such it isn’t viable to use in serious organizations, including large business or any group working in a highly competitive industry. This concern sounds legitimate at first, but it really doesn’t pan out when thoroughly explored, even when a big news story drops talking about a systemic vulnerability, as just happened when a 5th year grad student researcher at Columbia breached security in a Columbia VoIP phone and managed to record its calls.

First thing’s first, let’s start with the grad student’s achievement to evaluate whether it’s really as significant and ground-breaking as the media wants to make it seem.

Maybe It Wasn’t Such an Impressive Feat

To make a long answer short- no, it isn’t that revolutionary, especially when contextualized against tapping a traditional landline phone. The main reason why this student’s accomplishment just isn’t that big a deal lies in the fact his system required physical access to the VoIP phone. Specifically he “inserted an external circuit board on the Cisco phone,” and from there he “used a mobile phone app he developed to connect to the circuit board and obtain microphone data from the compromised phone…” While its distressing that this one hack could then compromise every phone on the network, not simply the targeted device, ultimately even the grad student’s professed ability to hack a phone without inserting a new circuit board into it, these methods do require access to a physical serial port or directly adjusted device settings.

In other words- in order to hack VoIP phones you need physical or remote access to that phone or to its network, which isn’t always easy to obtain.

There are certainly security concerns you need to address when signing up for IP telephony but high-tech espionage isn’t among likeliest potential nightmare a small to medium size business owner should be loosing his sleep over.

So Why the Hysteria?

Privacy will always be a concern when it comes to the internet and any sort of data-driven communication. Security breaches happen online, certainly, but privacy will really always be a concern because it makes for a good news story. Tell people their personal information is going to be snagged and sold to the highest bidder and you’re guaranteed to have eyes on your news story. People have been having panic attacks about online privacy since the earliest days of the internet and this commonly shared fear doesn’t seem to be declining anytime soon.

And guess what? Even though privacy concerns need to be taken seriously that doesn’t mean they should prevent any organization from signing up for IP telephony. Any good IP telephony provider will be able to offer you some basic security features for your new VoIP phones or Hosted PBX, and these security features will encrypt your data just as effectively as any online shopping cart, database, or other form of IP communication.

Cost vs. Benefit

Beyond basic voice call encryption your IP PBX could also encrypt trunk lines or hosted PBX provider may have additional layers of privacy protection. The problem is that with each added layer of security, your phone system’s versatility and end user productivity will decrease. Privacy has its costs and these costs could be significant.

Which brings us to our final point- if your organization is comfortable with its employees sending business-oriented unencrypted email then is there a reason to fear IP telephony? Any organization that utilizes email, messaging, or any other online form of communication has already opened itself up to all of the worst-case privacy scenarios they fear so much. There isn’t much point to shy away from IP telephony. Privacy breaches are something to think about and guard against, absolutely, but they need to be considered with the right sense of perspective and context rather than a crippling feeling of hysteria.