Editor’s Notes
Security issues in telephone and speech applications
William S. Meisel, Publisher & Editor

Problems with security in Information Technology systems have been highlighted by some recent
high-profile losses of millions of customer records with sensitive
information that could be used in fraud and identity theft. Most of the
attention has been on databases within enterprises, but some security
breaches have affected enterprise telephone operations. One cost of moving
telephony toward IP standards and away from proprietary systems is that
hackers have a more consistent and familiar target. Lizanne Kaiser, senior
principal consultant, Voice Services, Genesys Telecommunications
Laboratories, noted in a conversation that security is not just a matter
of customer data, but that the enterprise business rules that are often
embedded in customer service applications are sensitive.

Steve Chirokas of Convergys recently pointed out specific problems with speech application
security (p. 1), but Voice over IP (VoIP) installations independent of
speech technology have also had some recent problems. For example, in July,
flaws in Cisco’s Call Manager, which controls VoIP call routing, were
reported by Internet Security Systems (ISS). According to ISS,
an attacker exploiting these vulnerabilities can trigger a heap overflow
within a critical Call Manager process, causing both a denial of service
condition and enabling an attacker to compromise the Call Manager server.
This could allow the attacker to redirect calls or eavesdrop, as well as
gain unauthorized access to networks and machines running Cisco VoIP
products. ISS also announced a solution to the problem for its customers.

In reporting the Cisco VoIP vulnerability, the Wall Street Journal said, “The
move online will expose the phone system to the kind of hacker and virus
attacks that have plagued the Internet, experts have said. They expect
attacks on VoIP systems to increase as the technology gains wider use.” The
massive change brought by IP technologies and a Voice User Interface in
telephony has already created uncertainty in purchasing and upgrading
telephony systems, and the concern over security issues gives further
credence to the caution with which companies are approaching these
purchases, slowing industry growth.

Typical of the warnings is one from Yaron Raps, a solution partner at BusinessEdge Solutions, a
consulting firm, at an industry conference in April: “There are hackers
today focused on the PSTN and the Internet, but VoIP, which unites the
worlds of voice and the Internet, exacerbates the existing security
vulnerabilities inherent in both. Further, VoIP introduces unique security
and fraud threats that never existed before.”

That’s the bad news. The good news is that bringing telephony into the IT
mainstream lets it benefit from the increased attention being paid to security
in networks and IT software in general, without requiring telephone-specific
solutions. On the other hand, there are specific issues introduced by
telephony and speech recognition, such as the potential for the log files
used for tuning speech applications to contain sensitive information such as
credit card numbers. Since the number of transactions available in these log
files is small, and the data is not as easily extracted as it is from
well-organized standard databases, log files may not be a security priority. However,
security is an issue that the speech industry can’t ignore.
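
The log-file risk described above can be checked for directly. The following Python code is an added example, not part of the original column: it masks Luhn-valid card numbers in recognizer tuning-log lines, whether the recognizer logged numerals or spoken digit words. The log format, field names and sample lines are constructed assumptions.

```python
import re

# Digit words a recognizer may log instead of numerals ("oh" for zero).
WORDS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3", "four": "4",
         "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}
TOKEN = r"(?:\d|" + "|".join(WORDS) + r")"
# 13 to 19 digit tokens, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"\b" + TOKEN + r"(?:[ -]?" + TOKEN + r"){12,18}\b", re.I)

def to_digits(text):
    """Normalize a matched span (numerals and/or digit words) to a digit string."""
    return "".join(WORDS.get(t.lower(), t) for t in re.findall(TOKEN, text, re.I))

def luhn_ok(digits):
    """Luhn checksum: filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)   # double every second digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def redact(line):
    """Return (line with Luhn-valid card numbers masked, number of maskings)."""
    hits = 0
    def mask(match):
        nonlocal hits
        if not luhn_ok(to_digits(match.group(0))):
            return match.group(0)           # not a card number: leave for tuning
        hits += 1
        return "[PAN-REDACTED]"
    return CANDIDATE.sub(mask, line), hits

# Constructed sample lines in a hypothetical tuning-log format.
SAMPLE_LOG = [
    'call=1001 grammar=card_number result="4111 1111 1111 1111" conf=0.93',
    'call=1002 grammar=card_number result="four ' + " ".join(["one"] * 15) + '" conf=0.71',
    'call=1003 grammar=order_id result="1234 5678 9012 3456" conf=0.88',
    'call=1004 grammar=main_menu result="billing" conf=0.97',
]

def scrub_log(lines):
    """Redact every line; return (clean lines, total card numbers masked)."""
    results = [redact(line) for line in lines]
    return [r[0] for r in results], sum(r[1] for r in results)

if __name__ == "__main__":
    clean, count = scrub_log(SAMPLE_LOG)
    print("\n".join(clean + [f"masked: {count}"]))
```

Running such a pass before logs leave the production environment keeps the utterance context needed for tuning while removing the card number itself.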