During the past few years the two most significant focuses for remaining IT budget have been security and cost saving systems capable of demonstrating rapid ROI. But in almost all areas of business there is a trade off between risk and cost. As companies have double-locked the doors by spending on security for the data network, they may have left the windows open by pursuing saving in areas such as VoIP (Voice over Internet Protocol).

The VoIP 'revolution' has been talked of since the 1990's as the 'next big thing' in the enterprise telecoms sector; saving companies vast amounts of money on both call charges and internal network infrastructure and support costs. But just as the VoIP market is finally taking a cautious step towards delivering some of its long-overdue promise, the increasing priority of IT security may force it two steps back.

Recent research, by Secure Test, on the Cisco 7900 series VoIP phones have revealed serious security concerns (Note: Secure Test have independently tested the Cisco 7900 as this is the most widely used enterprise VoIP solution. Similar problems may well exist in other vendors products). With susceptibility to both DoS (denial of service) attacks and interception issues, it is clear that transferring phone systems to an IP network opens them up to many of the same security concerns as Ethernet data networks. More worryingly, phone systems may be harder or even impossible to patch.


Like many IP devices Cisco's VoIP phones are vulnerable to ARP (Address Resolution Protocol) spoofing, allowing 'man-in-the-middle' attacks and including data interception and packet injection. This means that any VoIP phone can be tapped by anyone else with a phone on the same network, any individual VoIP phone can be crashed easily and any VoIP network infrastructure is heavily vulnerable to DoS attacks.

Looking first at the vulnerabilities of VoIP phones to DoS attacks, Secure Test's initial research has shown that Cisco 7900 series phones, specifically where running the default Skinny (SCCP) protocol for messaging, can be crashed relatively easily using one of several methods. By attaching a PC to the VoIP network it is possible to send malformed messages to a target phone or to cause a buffer overflow on one of several fields resulting in a crash. By performing any of these attacks on the switchboard phone, research demonstrated that it would be relatively trivial for an attacker to disable an entire phone system in minutes.

Further research then went on to show that using a similar DoS attack, a Cisco 1760 VoIP enabled router was also vulnerable. Sending a message of 50,000 characters plus to port 2000 (the TCP port used by the router to communicate with the phones) causes every VoIP phone on the network to reboot or crash, completely disrupting communications.