Network security

Securing voice communications

Kurt Ellzey
June 11, 2021 by
Kurt Ellzey

Over the years numerous types of secure voice communications have been attempted, all with varying results. Some have been extremely successful, while others have become shorthand for badly implemented ideas. 

For today's environment, text can be far too slow, and voice in some cases is the only way to be able to deliver key information that must be acted upon immediately. This can range from trying to deliver a message that someone is in danger to 911, all the way up to diplomatic channels running halfway around the planet. Different organizations are tightening voice security in many ways. 

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Rise of VoIP

Voice over IP (VoIP) as a concept has been wildly successful for the past several decades in allowing what used to be a very analog process for transmitting voices to become a digital one. 

This has helped to simplify the technology required for the network to function and treat voice as just another type of data to transmit. While there have been hundreds of different applications over the years, the first one that many users will have had exposure to when it comes to VoIP is Skype. 

Originally developed by the same group that helped to create the peer-to-peer file sharing application Kazaa, Skype had a hybrid infrastructure allowing for both direct communication in a peer-to-peer setting, but also operating in a client/server setup. While there have been multiple claims both proven and disproven about Skype's security over the years, it has been impossible to completely validate its security since the system itself is closed source. 

In 2013, it was discovered that despite the claims of encryption being used, after completely reworking the software since its purchase in 2011, the new owner Microsoft had access to unencrypted versions of communications that were performed using Skype.

VoIP during COVID-19

During the COVID-19 epidemic, many applications started to rise to prominence that had previously been small-scale in particular niches.  Discord has never claimed to be meant for encrypted communications, as it primarily started as a community and gaming chat service. While it does use encryption, video chats for example do not have end-to-end encryption active. The same can also be said of Zoom, the now ubiquitous video chat client.

One of the few applications to choose user and message security above all else is Signal. Their end-to-end encryption methods have been independently examined, and although they found some issues at the time, the researchers declared the protocols being used as "cryptographically sound." The protocol developed for Signal has been implemented over the years in multiple products, including Skype and Facebook Messenger, but it is not enabled by default in these applications. 

Google Duo also supports end-to-end encryption, one of the only Google chat applications to do so. It does this by using DTLS-SRTP (Datagram Transport Layer Security Extension to Establish Keys for the Secure Real-time Transport Protocol) to create a point-to-point connection similar to that of a VPN.

Closed communication systems

If larger organizations want to keep internal communications secure, this usually means bringing it in-house instead of relying on web services. In-house phone systems and on-premises communications servers have historically been extremely useful, not only in keeping costs low for everyday calls and check-ins, but also for making sure that communications don't necessarily have to go outside if at all possible.

Microsoft's Skype for Business for example, formerly Microsoft Lync, allows organizations to have a closed-loop encrypted communication system that combines some of the most useful functions from standard VOIP clients into a secure system that can also be used while mobile.

Just because a system has been implemented internally, however, does not mean that it cannot still become compromised. After all, once a voice message becomes data, it can be accessed like anything else. This is especially true of data at rest in situations like voicemail in MP3 or similar formats on servers. If a user's workstation becomes compromised, then any voice communications that they send out from that system may not be secure.

We also have to remember about other devices that may be listening in, such as malicious apps installed on mobiles or digital assistants that have been misconfigured. Like any security system, implementation is only the start. Regular maintenance and user training are also required.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Stay vigilant to keep voice communication secure

Securing voice communications is a tricky situation. Do you go with what the users already know but run the risk of it not being as secure as it could be? Or do you build a solution yourself and take on the liability and maintenance tasks in-house?

Whenever we are thinking about communications, scope is critical. If we need secure communications among a small number of people across a wide area, that will make us lean towards one solution. If we need it for a large number of people in a very small area, that will take us in a much different direction. Be sure to do your homework and deep dive into your research before choosing a particular solution, as what you may think is secure may be only mostly secure.


The dos and don’ts of securing your VoIP communications, PC Mag

Secure voice communications, CHIPS

Kurt Ellzey
Kurt Ellzey

Kurt Ellzey has worked in IT for the past 12 years, with a specialization in Information Security. During that time, he has covered a broad swath of IT tasks from system administration to application development and beyond. He has contributed to a book published in 2013 entitled "Security 3.0" which is currently available on Amazon and other retailers.