Another Scary Security Hole

You've heard your fair share of scary stories about how the lack of proper security processes and equipment can make personal information an easy target for criminals, rogue hackers or just the plain curious. We've got another one for you; this one has to do with voice over Internet Protocol (VoIP), which an increasing number of government agencies (federal, state and local) have installed or are considering installing to reduce telecommunications costs.

Law.com posted an article today by Todd Nugent, a chief technology officer for a law firm in Chicago, who related his experiences with the firm's VoIP system. Here's one of the scarier discoveries he made:

In the process of installing the conference room system, our programmers found that not only could they place conference room calls, they could also arrange to place the call silently, by muting the speaker on the calling phone. This could effectively turn any speakerphone in the firm into a clandestine monitoring device. In other words, running this program would cause any selected speakerphone in the firm to call the conference room, monitoring what was being said in the other room.

Nugent offers this advice: "As with any network connected computer, it is important to change default passwords, apply security updates in a timely way and install security firewalls, intrusion detection and prevention."

As a side note, Nugent cites the National Institute of Standards and Technology's Special Publication 800-50, which specifies "security guidelines for the installation of IP phones" and "is the basis for many government IP phone procurements." The NIST publication advises agencies to separate data and voice networks for IP phones. But Nugent writes that, "of course, one of the attractions for IP phones is the cost savings associated with eliminating dedicated phone wiring, so this is not a welcome recommendation."
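The separation the NIST publication recommends is easy to state and easy to lose track of as phones and workstations get moved around. As an added illustration (example code written for this post, not Nugent's or NIST's), the script below audits a constructed device inventory against two checks: every IP phone sits on the dedicated voice subnet and VLAN, and nothing else does; and the inter-VLAN filtering rules actually deny traffic from the data VLAN into the voice VLAN instead of falling through to a default allow. The subnet, VLAN numbers, device names and rule format are all assumptions made up for the example.

```python
"""Audit a constructed VoIP inventory for voice/data network separation.

Example code added to this post; not from the article or from NIST.
All addresses, VLAN ids and device names below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Device:
    name: str
    kind: str      # "phone" or "workstation"
    address: str   # IPv4 address as a string
    vlan: int      # VLAN the switch port is assigned to


@dataclass(frozen=True)
class Rule:
    """One inter-VLAN filtering rule; None matches any VLAN (assumed format)."""
    src_vlan: Optional[int]
    dst_vlan: Optional[int]
    action: str    # "allow" or "deny"


# Assumed dedicated voice network for this example.
VOICE_SUBNET = ipaddress.ip_network("10.20.0.0/24")
VOICE_VLAN = 20
DATA_VLAN = 10

# Constructed sample inventory: two devices are correctly placed,
# one phone has landed on the data network, and one workstation
# has been plugged into the voice network.
INVENTORY = [
    Device("conf-room-phone", "phone", "10.20.0.11", 20),
    Device("lobby-phone", "phone", "10.10.0.25", 10),
    Device("ws-reception", "workstation", "10.10.0.40", 10),
    Device("ws-rogue", "workstation", "10.20.0.77", 20),
]

# A ruleset with nothing in it relies on the default action; the hardened
# one permits voice-to-voice traffic and denies everything else into VLAN 20.
WEAK_RULES: List[Rule] = []
HARDENED_RULES = [
    Rule(VOICE_VLAN, VOICE_VLAN, "allow"),
    Rule(None, VOICE_VLAN, "deny"),
]


def audit_segmentation(devices: List[Device],
                       voice_subnet=VOICE_SUBNET,
                       voice_vlan: int = VOICE_VLAN) -> List[Tuple[str, str]]:
    """Return (device name, reason) for every device that breaks separation."""
    findings = []
    for d in devices:
        in_voice_subnet = ipaddress.ip_address(d.address) in voice_subnet
        on_voice_vlan = d.vlan == voice_vlan
        if d.kind == "phone":
            if not in_voice_subnet:
                findings.append((d.name, "phone outside voice subnet"))
            if not on_voice_vlan:
                findings.append((d.name, "phone not on voice VLAN"))
        else:
            if in_voice_subnet:
                findings.append((d.name, "non-phone device inside voice subnet"))
            if on_voice_vlan:
                findings.append((d.name, "non-phone device on voice VLAN"))
    return findings


def inter_vlan_decision(rules: List[Rule], src_vlan: int, dst_vlan: int,
                        default: str = "allow") -> str:
    """First-match evaluation; falls back to the default when nothing matches."""
    for r in rules:
        if r.src_vlan in (None, src_vlan) and r.dst_vlan in (None, dst_vlan):
            return r.action
    return default


def check_voice_isolation(rules: List[Rule], data_vlan: int = DATA_VLAN,
                          voice_vlan: int = VOICE_VLAN) -> bool:
    """True only if traffic from the data VLAN into the voice VLAN is denied."""
    return inter_vlan_decision(rules, data_vlan, voice_vlan) == "deny"


if __name__ == "__main__":
    for name, reason in audit_segmentation(INVENTORY):
        print(f"FINDING: {name}: {reason}")
    print("weak ruleset isolates voice VLAN:", check_voice_isolation(WEAK_RULES))
    print("hardened ruleset isolates voice VLAN:", check_voice_isolation(HARDENED_RULES))
```

The point of the second check is the one that usually bites: putting phones on their own VLAN does nothing for the speakerphone problem if the switch or firewall still routes freely between VLANs, because a workstation on the data side can reach the phones' management interfaces exactly as before. The audit treats "no matching rule" as the default-allow most devices ship with, so an empty ruleset fails.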