Falling IP prices raise security risks

IP devices are punching holes into corporate networks and unsuspecting users are at risk, according to analysts.

The falling prices of IP telephony, Web-based video surveillance and Internet-enabled multi-function devices have resulted in high volumes being sold to small- and medium-sized companies, often unaware of the importance of network security.

But experts, although warning that with the emphasis on volume, security can often get forgotten, are split on where the responsibility for protecting users should lie.

"The value proposition for the resellers of these devices has to change," Gartner research director, Steve Bittinger, said.

"Just selling a product and forgetting about it can lead to that product being misused, which will reflect badly on the reseller.

"They need to work out how to fit education into the equation."

IDC security specialist, Megan Dahlgren, said security should start with the vendors.

"There's a lot of finger-pointing but vendors, the channel and the end users all have their role to play," she said. "Technology needs to have security written in from the start ... They [vendors] love to go on for ages about the widgets in their products but don't develop them from the business perspective."

VoIP software company Avaya's solutions manager, Roy Wakim, made it clear the proliferation of IP telephony was a security risk for companies unaware of the difference from a traditional telephone system.

"You used to have to break into a PABX room and physically attach copper wires to eavesdrop on a conversation," Wakim said. "Now anybody in the organisation, and outside, can potentially get access."

He stressed the importance of stringent security methods such as the voice and tone packet encryption in Avaya's products.

"A lot of the vendors don't come clean about what they are doing," he said. "The manufacturers should be responsible for the security of the products they make."

ARN discovered thousands of unprotected IP devices available on the Internet from a simple search engine query, and at one point was able to control a network security camera in a Queensland research facility.

In addition, the rise in popularity of multi-function devices - those that can serve as photocopiers, printers and scanners - are serving as additional threats to corporate security as the devices are usually connected and administered via a Web interface.

Any breach resulting from poorly configured machines could reflect badly on the supplier, Bittinger said.

"Users will ultimately start judging vendors on how good the security of a device is," he said. "Organisations that are focused on just selling boxes will lose out."

But IDC's Dahlgren is sceptical of the value of information available on a security camera or network printer when compared to the cost of implementing security procedures.

"There's no money in hacking these devices - I would be very surprised if there was much of a threat to comĀ­panies," she said. "Security is not free. There has to be a dollar value associated with any risk for companies to make a decision on the value to the business."