Companies are being warned that Skype is not a 'quick fix' VoIP solution for businesses, and they risk "long-term pain" when deploying such VoIP applications, despite achieving a "short-term gain". So says security testing vendor NTA Monitor.
Yet as the recent snowfalls have demonstrated, applications such as Skype have proved useful for employees. But according to NTA, companies that "succumb to the temptation for the seemingly 'quick-fix', lower set-up costs and reduced international phone bills of consumer solutions such as Skype, may achieve short-term gain but undoubtedly long-term pain."
NTA argues that technologies such as Skype are 'closed software', which makes it hard to understand the code on which the product is based, or exactly what is going on behind the scenes. "As a result, security is an unknown quantity because the security community cannot assess it as readily," said Roy Hills, technical director of NTA Monitor, in a statement.
"In the current economic climate, individuals and businesses alike are doing what they can to make savings, but we are increasingly concerned about the number of companies taking a short-term view that proves more costly long-term," he said.
"Once implemented, Skype cannot subsequently be integrated into a corporate network infrastructure, so it has to be replaced by a commercial grade solution sooner or later. This is costly in terms of expense, time and potential disruption," he added.
While it is true that Skype is intended as a consumer-facing VoIP offering rather than a business solution, that has not stopped some from offering a way to make it more business friendly. For example, VoSKY last year launched an appliance that allows mainstream SIP-based IP PBXs to interconnect with the Skype network.
"If you start using Skype in a business-critical way, you don't know the risk, as we cannot audit it," said Adrian Goodhead, technical manager at NTA. "Of course, that is a risk with any third party application, but Skype can remove data from a network. Also it is the reality that you have to open yourself up to certain traffic for this to work."
He concedes that applications such as Skype can be a valuable tool, but he is concerned that businesses are using Skype without understanding the security implications.
"Companies need to do a risk assessment," Goodhead told Techworld. "The risks in relation to Skype are generally quite low, as Skype traffic is encrypted (in a proprietary way). I often get an uncomfortable feeling when someone tells me about proprietary encryption, but I suppose it is better than none at all."
"It is always a good thing to look for security certification," he added. "Compare Skype with Blackberry services for example. Skype has not gone through government vetting procedures like Blackberry."
"We work mostly in corporate space, mostly testing commercial applications, but with Skype it seems to be the case that they are averse to getting it tested," Goodhead added.
Skype did not respond at the time of writing.
Goodhead also has concerns about commercial VoIP solutions, pointing to "well known vulnerabilities" in applications from Cisco, Avaya, and Mitel. He said that it is possible to intercept and record people's voice conversations, because the VoIP traffic travels unencrypted.
"We have tools that will allow you to listen in," he said. "The challenge is you would not know this is happening. It is completely stealthy."
The warning from NTA Monitor comes just after Skype launched Skype 4.0 for Windows, which it is calling "the most distinctive new release in the company's five-year history." The new version offers full-screen video calling, better call quality, and is supposedly easier to use.