Ofcom, the UK’s communications regulator has recently published a review of the Wholesale Voice Markets covering the period up to 2016. This is a critical period as British Telcom along with other domestic and overseas providers are switching service delivery to IP networks using VoIP services.
The surprising element of the Ofcom review is that it makes little reference to security. Simwood, a UK wholesale telecoms carrier, have published a detailed analysis of this omission and other aspects of the Ofcom review (https://blog.simwood.com/2020/08/wvmr-part-1/).
Simwood single out the fact that the Ofcom review fails to promote the use of encryption for VoIP services. In fact, British Telecom’s service does not support encryption. As VoIP services grow and become the norm and as other carriers and resellers enter the market it is inevitable that at least some peering connections between carriers use 3rd party transit networks. Sending plain-text calls over these over these networks is risky to say the least. The same problem exists with access networks, the majority of VoIP traffic on these networks is not encrypted. Simwood’s that 90% or more of VoIP call are unencrypted for their entire path.
While the Ofcom review applies to the UK market, the failure to mandate or even address security for VoIP services is a global problem. Without adequate security controls, information transmitted over voice and video networks is vulnerable to attack and interception. For businesses this exposes information exchanged with customers and suppliers and communication between employees. Much of this information exchange is subject to regulatory control raising the questions does the regulator understand the legal requirement for security.
While the goal must be effective end-to-end security, the pragmatic approach tackles the problem in stages.