Hold the Phone, VOIP Isn't Safe

R.A. Hettinga rah at shipwright.com
Wed Feb 9 08:21:00 PST 2005


Wired News

Hold the Phone, VOIP Isn't Safe 
By Elizabeth Biddlecombe?

Story location: http://www.wired.com/news/technology/0,1282,66512,00.html

02:00 AM Feb. 07, 2005 PT

In recognition of the fact that new technologies are just as valuable to
wrongdoers as to those in the right, a new industry group has formed to
look at the security threats inherent in voice over internet protocol.

 The VOIP Security Alliance, or VOIPSA, launches on Monday. So far, 22
entities, including security experts, researchers, operators and equipment
vendors, have signed up. They range from equipment vendor Siemens and phone
company Qwest to research organization The SANS Institute.

 They aim to counteract a range of potential security risks in the practice
of sending voice as data packets, as well as educate users as they buy and
use VOIP equipment. An e-mail mailing list and working groups will enable
discussion and collaboration on VOIP testing tools.

 VOIP services have attracted few specific attacks so far, largely because
the relatively small number of VOIP users doesn't make them a worthwhile
target. (A report from Point Topic in December counted 5 million VOIP users

 But security researchers have found vulnerabilities in the various
protocols used to enable VOIP. For instance, CERT has issued alerts
regarding multiple weaknesses with SIP (session initiation protocol) and
with H.323.

 Over the past year, experts have repeatedly warned that VOIP abuse is
inevitable. The National Institute of Standards and Technology put out a
report last month urging federal agencies and businesses to consider the
complex security issues often overlooked when considering a move to VOIP.
NIST is a member of VOIPSA.

 "It is really just a matter of time before it is as widespread as e-mail
spam," said Michael Osterman, president of Osterman Research.

 Spammers have already embraced "spim" (spam over instant messaging), say
the experts. Dr. Paul Judge, chief technology officer at
messaging-protection company CipherTrust, says 10 percent of
instant-messaging traffic is spam, with just 10 to 15 percent of its
corporate clients using IM. "It is where e-mail was two and a half years
ago," said Judge.

 To put that in perspective, according to another messaging-protection
company, FrontBridge Technologies, 17 percent of e-mail was spam in January
2002. It put that figure at 93 percent in November 2004.

 So the inference is that "spit" (spam over internet telephony) is just
around the corner. Certainly, the ability to send out telemarketing
voicemail messages with the same ease as blanket e-mails makes for
appealing economics.

 Aside from the annoyance this will cause, the strain on network resources
when millions of 100-KB voicemail messages are transmitted, compared with
5- or 10-KB e-mails, will be considerable.

 But the threat shouldn't be couched solely within the context of unlawful
marketing practices. Users might also see the audio equivalent of phishing,
in which criminals leave voicemails pretending to be from a bank, said
Osbourne Shaw, whose role as president of ICG, an electronic forensics
company, has led him to try buying some of the goods advertised in spam.

 In fact, according to David Endler, chairman of the VOIP Security Alliance
and director of digital vaccines at network-intrusion company TippingPoint,
there are many ways to attack a VOIP system. First, VOIP inherits the same
problems that affect IP networks themselves: Hackers can launch distributed
denial of service attacks, which congest the network with illegitimate
traffic. This prevents e-mails, file transfers, web-page requests and,
increasingly, voice calls from getting through. Voice traffic has its own
sensitivities, which mean the user experience can easily be degraded past
the point of usability.

 Furthermore, additional nodes of the network can be attacked with VOIP: IP
phones, broadband modems and network equipment, such as soft switches,
signaling gateways and media gateways.

 Endler paints a picture in which an attack on a VOIP service could mean
people would eavesdrop on conversations, interfere with audio streams, or
disconnect, reroute or even answer other people's phone calls. This is a
concern to the increasing number of call centers that put both their voice
and data traffic on a single IP network. It is even more of a concern for
911 call centers.

 But Louis Mamakos, chief technology officer at broadband telephony
provider Vonage, says he and his team "spend a lot of time worrying about
security" but the problems the company has seen so far have centered on
"more pedestrian" threats like identity theft.

 Vonage has not yet signed up for the VOIP Security Alliance, said Mamakos,
and employees already spend a lot of time working on security issues with
technology providers.

 "I'm not sure if (VOIPSA) is a solution to a problem we don't have yet,"
he said. "We need to judge what the incremental value is in working with
another organization."

 He also talked about how hard it would be to break into Vonage's service.
Access to Vonage's signaling traffic requires authentication. The
infrastructure is much more distributed than the websites that have been
taken offline by denial of service attacks. And anyone wanting to eavesdrop
on a Vonage phone conversation would have to be physically very close to
the broadband connection leading to the target, as the farther away the
eavesdropper is, the more commingled the target's voice traffic will be
with other traffic on the network.

 Meanwhile Kelly Larrabee, a spokeswoman for the peer-to-peer VOIP provider
Skype, noted that Skype users control what information about themselves is
available and who can contact them. She also said end-to-end encryption is
used to protect voice conversations. The only vulnerability so far, aside
from uncertified third-party applications, is through file transfers -- and
again, this is under user control.

 But these words could be like a red rag to a bull. As one commentator put
it, a continuous duel is going on between network users and abusers, and
spammers and hackers could well be reading this article. This poses the
question of whether a group like the VOIP Security Alliance should refrain
from announcing its efforts in the media and from making its membership and
e-mail list free and open to all.

 In response, said VOIPSA's Endler, "The people we really have to worry
about are already thinking about (how to misuse VOIP)."

 Today's effort is to ensure that VOIP systems are reinforced "before it
gets to the point that there are easily available tools for the script
kiddies to use," he said.

R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

More information about the cypherpunks-legacy mailing list