<http://www.wired.com/news/print/0,1294,66512,00.html>

Wired News

Hold the Phone, VOIP Isn't Safe
By Elizabeth Biddlecombe

Story location: http://www.wired.com/news/technology/0,1282,66512,00.html

02:00 AM Feb. 07, 2005 PT

In recognition of the fact that new technologies are just as valuable to wrongdoers as to those in the right, a new industry group has formed to look at the security threats inherent in voice over internet protocol.

The VOIP Security Alliance, or VOIPSA, launches on Monday. So far, 22 entities, including security experts, researchers, operators and equipment vendors, have signed up. They range from equipment vendor Siemens and phone company Qwest to research organization The SANS Institute.

They aim to counteract a range of potential security risks in the practice of sending voice as data packets, as well as educate users as they buy and use VOIP equipment. An e-mail mailing list and working groups will enable discussion and collaboration on VOIP testing tools.

VOIP services have attracted few specific attacks so far, largely because the relatively small number of VOIP users doesn't make them a worthwhile target. (A report from Point Topic in December counted 5 million VOIP users worldwide.)

But security researchers have found vulnerabilities in the various protocols used to enable VOIP. For instance, CERT has issued alerts regarding multiple weaknesses with SIP (session initiation protocol) and with H.323.

Over the past year, experts have repeatedly warned that VOIP abuse is inevitable. The National Institute of Standards and Technology put out a report last month urging federal agencies and businesses to consider the complex security issues often overlooked when considering a move to VOIP. NIST is a member of VOIPSA.

"It is really just a matter of time before it is as widespread as e-mail spam," said Michael Osterman, president of Osterman Research.

Spammers have already embraced "spim" (spam over instant messaging), say the experts. Dr. Paul Judge, chief technology officer at messaging-protection company CipherTrust, says 10 percent of instant-messaging traffic is spam, with just 10 to 15 percent of its corporate clients using IM.

"It is where e-mail was two and a half years ago," said Judge.

To put that in perspective, according to another messaging-protection company, FrontBridge Technologies, 17 percent of e-mail was spam in January 2002. It put that figure at 93 percent in November 2004.

So the inference is that "spit" (spam over internet telephony) is just around the corner. Certainly, the ability to send out telemarketing voicemail messages with the same ease as blanket e-mails makes for appealing economics.

Aside from the annoyance this will cause, the strain on network resources when millions of 100-KB voicemail messages are transmitted, compared with 5- or 10-KB e-mails, will be considerable.

But the threat shouldn't be couched solely within the context of unlawful marketing practices. Users might also see the audio equivalent of phishing, in which criminals leave voicemails pretending to be from a bank, said Osbourne Shaw, whose role as president of ICG, an electronic forensics company, has led him to try buying some of the goods advertised in spam.

In fact, according to David Endler, chairman of the VOIP Security Alliance and director of digital vaccines at network-intrusion company TippingPoint, there are many ways to attack a VOIP system.

First, VOIP inherits the same problems that affect IP networks themselves: Hackers can launch distributed denial of service attacks, which congest the network with illegitimate traffic. This prevents e-mails, file transfers, web-page requests and, increasingly, voice calls from getting through. Voice traffic has its own sensitivities, which mean the user experience can easily be degraded past the point of usability.
Furthermore, additional nodes of the network can be attacked with VOIP: IP phones, broadband modems and network equipment, such as soft switches, signaling gateways and media gateways.

Endler paints a picture in which an attack on a VOIP service could mean people would eavesdrop on conversations, interfere with audio streams, or disconnect, reroute or even answer other people's phone calls. This is a concern to the increasing number of call centers that put both their voice and data traffic on a single IP network. It is even more of a concern for 911 call centers.

But Louis Mamakos, chief technology officer at broadband telephony provider Vonage, says he and his team "spend a lot of time worrying about security" but the problems the company has seen so far have centered on "more pedestrian" threats like identity theft.

Vonage has not yet signed up for the VOIP Security Alliance, said Mamakos, and employees already spend a lot of time working on security issues with technology providers.

"I'm not sure if (VOIPSA) is a solution to a problem we don't have yet," he said. "We need to judge what the incremental value is in working with another organization."

He also talked about how hard it would be to break into Vonage's service. Access to Vonage's signaling traffic requires authentication. The infrastructure is much more distributed than the websites that have been taken offline by denial of service attacks. And anyone wanting to eavesdrop on a Vonage phone conversation would have to be physically very close to the broadband connection leading to the target, as the farther away the eavesdropper is, the more commingled the target's voice traffic will be with other traffic on the network.

Meanwhile Kelly Larrabee, a spokeswoman for the peer-to-peer VOIP provider Skype, noted that Skype users control what information about themselves is available and who can contact them. She also said end-to-end encryption is used to protect voice conversations.
The only vulnerability so far, aside from uncertified third-party applications, is through file transfers -- and again, this is under user control.

But these words could be like a red rag to a bull. As one commentator put it, a continuous duel is going on between network users and abusers, and spammers and hackers could well be reading this article.

This poses the question of whether a group like the VOIP Security Alliance should refrain from announcing its efforts in the media and from making its membership and e-mail list free and open to all.

In response, said VOIPSA's Endler, "The people we really have to worry about are already thinking about (how to misuse VOIP)."

Today's effort is to ensure that VOIP systems are reinforced "before it gets to the point that there are easily available tools for the script kiddies to use," he said.

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'