April 08, 2006

Why IP Phones (VOIP) Needs Encryption

On Wired News, crypto expert Bruce Schneier sums up why encryption is a necessary ingredient for VOIP usage. Here's why I'd want crypto for any VOIP solution, but I'd want it baked in as a seamless function:

I use a cable provider for Internet access, which is simply described as a neighborhood network. Although it would take some skill, who wants their neighbors being able to listen in?

Think the Government isn't listening in? Think again.

Just as importantly, sometimes I provide confidential information over the phone, such as a credit card number or my SSN -- many times when I'm asked to verify my identity. You know where I'm going with this -- criminal activity and identity theft. Bruce agrees. Organized crime has simply gone high tech, although a single hacker can also do a lot of damage with identity theft.

Per Schneier: "My greatest worry is the criminal attacks. We already have seen how clever criminals have become over the past several years at stealing account information and personal data. I can imagine them eavesdropping on attorneys, looking for information with which to blackmail people. I can imagine them eavesdropping on bankers, looking for inside information with which to make stock purchases. I can imagine them stealing account information, hijacking telephone calls, committing identity theft. On the business side, I can see them engaging in industrial espionage and stealing trade secrets. In short, I can imagine them doing all the things they could never have done with the traditional telephone network.

This is why encryption for VOIP is so important. VOIP calls are vulnerable to a variety of threats that traditional telephone calls are not. Encryption is one of the essential security technologies for computer data, and it will go a long way toward securing VOIP."

Now, as Bruce said later in the article, it's important to recognize that crypto is not a panacea. I'm guessing it probably won't stop SPIT (SPam over Internet Telephony) should it become a larger concern. But it could make it that much harder for someone to eavesdrop, which is both a deterrent and an incentive to go after easier targets. Just as long as it's not just encryption for encryption's sake.

Along those lines, Phil Zimmerman (of PGP fame) has just released the public beta of Zfone, an encryption tool for VOIP. I used PGP for e-mail back in the 90's. While effective for use with a small number of people willing to configure and learn it, it was just too burdensome for many others. While I applaud Phil's efforts, it will be interesting to see if Zfone will be easier to use and ultimately adopt. Regardless, consumer-facing VOIP still needs shoring up in the security department, beyond encryption, but still has to remain easy to use.

Topic(s):   Privacy & Security
Posted by Jeff Beard