On the other hand, Williams feels that some of the FUD spread by suppliers with vested interests is both counter-productive and excessive.
"One of the marketing tools that security companies have used is FUD, which has been useful for shifting security solutions. But the problem is that if you go too far, you put people off," he says.

Rogier Mol, senior analyst of European IP telephony at IDC, meanwhile, believes that potential security risks around the technology vary according to how it is used. "At the moment, security risks for VoIP and IP telephony aren't high. This is predominantly because most implementations aren't exposed to the Internet right now and most organisations use the technology for internal calls, which is just the same as sending your data internally around the network," he says.
But by 2007, as this situation starts to change and the use of SIP addresses for IP phones becomes more widespread, leading to their inclusion on collateral such as business cards, the risks are likely to increase proportionately.
"Using VoIP and SIP over the publicly accessible Internet is inherently more insecure than using a PSTN line, which is based on more proprietary equipment and doesn't go out over the Net. This means that traffic is potentially more open to abuse," says IDC's Mol.
But he agrees with Gartner that the idea of voice traffic being intercepted by a third party is "a bit over-hyped". "It's a theoretical risk, but not very likely because it's difficult to do. If you're on the same internal network, it would be easier as you have to plug into the network and collect voice packets, but you'd still have to put them back together to decipher them," says Mol.
But despite some hype, there are concrete examples of VoIP systems being tampered with. Datamonitor analyst Williams recalled an incident where a router was hacked and the perpetrators re-programmed it to insert swear words into conversations going over the line, a scenario that could have potentially damaging consequences for the business concerned.
"While it's only been a one-off so far, if people are able to hack into a router and insert things, they'll have the same ability to hack in and copy information, which amounts to a potential confidentiality risk," he says.







Talkback
I was very interested to read Ian Williams’ take on the adoption of internet telephony, and support his view that one of the biggest inhibitors to the growth of VoIP is the question of availability. Telephony "dial-tone" requirements for VoIP will raise the bar for performance and increase the complexity of the network.
I think it can be agreed that network hiccups can be a frustrating phenomenon regardless of when and where they occur. Despite the problems they nurture, however, they seem to have become a widely embedded and accepted facet of organisational culture. Today, if the always-on network is disrupted, few people will even notice. Do you really care if your email took a few minutes to be delivered, or that your browser page did not load? Things inevitably get slow(er) at peak times, but in truth, these performance inconsistencies are considered minor annoyances. Conversely, I don’t think the same would be true if you went to pick up the phone and there was no dial tone. With VoIP, people will notice if a connection takes more than 500ms or if the VoIP phone cannot get an address on the network.
Consider this example: if you were relying solely on VoIP to place an emergency services call, a disrupted internet connection could be potentially disastrous. An extreme example perhaps, but the underlying premise is the same: having your avenues for communication severed, for any period of time, can be a costly and dangerous thing for business. That said, VoIP in itself is not an inherently risky technology. Essentially, it is more a case of network availability. If all of an organisation's communication devices, such as voice, fax and email, are 100% reliant on a singular network, the availability of that network does become mission critical to the business.
Therefore, the bigger picture for rolling out VoIP is not whether or not companies can protect themselves from any specific security attack; rather, it is more a case of investing in the network infrastructure to ensure your data network is capable of handling the increased complexity.