VoIP phones should have TPM chips

Conversations at ShmooCon this past weekend gave me the idea that having trusted devices attached to a VoIP network would mitigate some attacks (and would also be really cool!). For one thing, requiring trusted hardware would, in theory, make PC-based attacks on the voice network much harder to launch, since the voice traffic handling hardware wouldn’t talk to the untrusted PC (or another untrusted handset, for that matter).

A scalable solution would require a TPM certificate hierarchy, though, which would in turn require cooperation between the OEMs and their customers in order to provision and manage keys. I’m not claiming that would be a trivial task. But in order to realize the true benefits of unified communications, it may be a necessary step.
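The hierarchy described above, sketched as an added example (not code from the original post): a call controller pins an OEM root, enrolls one customer CA, and admits a device only if its certificate chains to that root. The three-level layout, all names, and the software RSA keys standing in for TPM-resident keys are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a certificate for cn. Software RSA keys stand in for TPM-resident keys (assumption).
func issue(cn string, ku x509.KeyUsage, parent *x509.Certificate, pk *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		BasicConstraintsValid: true, IsCA: ku == x509.KeyUsageCertSign, KeyUsage: ku}
	if parent == nil { // no issuer given: self-sign (the OEM root, or a device outside the hierarchy)
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pk)
	if err == nil {
		tmpl, err = x509.ParseCertificate(der) // reparse the signed form so Verify can use it
	}
	if err != nil {
		panic(err)
	}
	return tmpl, key
}

func demo() (handset, softphone, unknownCA bool) {
	root, rootKey := issue("Constructed OEM Root", x509.KeyUsageCertSign, nil, nil) // constructed sample names
	ca, caKey := issue("Constructed Customer CA", x509.KeyUsageCertSign, root, rootKey)
	phone, _ := issue("handset-0001", x509.KeyUsageDigitalSignature, ca, caKey)
	pc, _ := issue("softphone-on-pc", x509.KeyUsageDigitalSignature, nil, nil) // self-signed, outside the hierarchy
	roots, enrolled := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)  // the call controller pins only the OEM root
	enrolled.AddCert(ca) // customer CAs the controller has enrolled
	admit := func(leaf *x509.Certificate, cas *x509.CertPool) bool {
		_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: cas, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		return err == nil
	}
	return admit(phone, enrolled), admit(pc, enrolled), admit(phone, x509.NewCertPool())
}

func main() { fmt.Println(demo()) }
```

Chain validation only establishes where a certificate came from; a deployment would also have the handset prove possession of the matching private key, which is the part a TPM protects.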

Here’s another recent article about VoIP security. I note that, in general, the threats discussed therein would not be mitigated by trusted hardware (and encryption can be implemented without it).
