Voice Over Internet Protocol
Guidance on the Security Risks of VoIP
The Federal Deposit Insurance Corporation (FDIC) is providing guidance to financial institutions on the security risks associated with voice over Internet protocol (VoIP). VoIP refers to the transmission of voice communications over the Internet rather than through the public switched telephone network (PSTN). When a telephone call is made, VoIP translates the caller's voice into a stream of data packets by an analog-digital converter. The data packets are transmitted over the Internet and converted to a voice signal on the other end of the communication.
VoIP can be an attractive alternative to traditional telephone networks because of the potential cost savings. For example, long distance charges incurred through the PSTN can be eliminated. In addition, only one network is managed for both voice and data, resulting in additional savings. However, the initial costs for implementation of VoIP can be significant. There are also increased data security risks associated with VoIP. Before making an investment in VoIP technology, a financial institution should weigh the benefits (lower communication expenses) against the disadvantages (substantial implementation costs and increased data security risks).
Risks and Vulnerabilities
VoIP is susceptible to the same risks as data networks that use the Internet, such as exposure to viruses, worms, trojans1 and man-in-the-middle attacks.2 Configuration weaknesses in VoIP devices and underlying operating systems can enable denial of service attacks, eavesdropping, voice alteration (hijacking) and toll fraud (theft of service), all of which can result in the loss of privacy and integrity. In addition, industry observers are concerned about the potential exploitation of SPAM using VoIP. In this situation, SPAM would refer to unwanted and potentially offensive phone calls.
Speed is imperative to the quality of transmission, and in order to achieve adequate voice quality, VoIP requires the highest priority access to available bandwidth. VoIP must be fast enough to avoid a delay, even by milliseconds, in the processing and delivery of voice packets. The loss, out-of-sequence delivery or non-delivery of data packets can also adversely affect the quality of VoIP.
Financial institutions can access various publicly available sources to develop VoIP security policies and practices. Widely accepted best practices are published by the National Institute of Standards and Technology (NIST), the agency responsible for developing information security standards for federal agencies (Special NIST Publication 800-58, Security Considerations for Voice over IP Systems, can be found at http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf 621k (PDF Help)).
Financial institutions contemplating the use of VoIP technology should consider the following best practices. Details of these best practices are further discussed in the attached “Voice over Internet Protocol Informational Supplement.”
- Ensure that the institution has examined and can acceptably manage and mitigate the risks to information, systems operations and continuity of essential operations when implementing VoIP systems.
- Assess the level of concern about security and privacy. If warranted and practical, do not use “softphone” systems, which implement VoIP using an ordinary PC with a headset and special software.
- Carefully review statutory requirements for privacy and record retention with competent legal advisors.
- Develop appropriate network architecture.
- Use VoIP-ready firewalls and other appropriate protection mechanisms. Financial institutions should enable, use and routinely test security features included in VoIP systems.
- Properly implement physical controls in a VoIP environment.
- Evaluate costs for additional backup systems that may be required to ensure continued operation during power outages.
- Consider the need to integrate mobile telephone units with the VoIP system. If the need exists, consider using products implementing WiFi Protected Access (WPA), rather than Wired Equivalent Privacy (WEP).
- Give special consideration to emergency service communications. Automatic location services are not always as available with VoIP as they are with phone calls made through the PSTN.
When a financial institution decides to invest in VoIP technology, the associated risks should be evaluated as part of a financial institution's periodic risk assessment and discussed in status reports submitted to the board of directors as mandated by section 501(b) of the Gramm-Leach-Bliley Act. Any identified weaknesses should be corrected during the normal course of business.
If improperly implemented, VoIP can pose significant operational risks to financial institutions. Therefore, management should perform a comprehensive risk assessment before implementation to ensure the confidentiality, integrity and availability of voice communications using VoIP technology.
||Michael J. Zamorski
Division of Supervision and Consumer Protection
1 Trojans are malicious programs or programming code that either masquerade as or are inserted into innocuous applications.
2 A man-in-the-middle-attack is when an intruder sits between two parties, monitors the transmission and is then able to impersonate one of the parties.