
Experts Still Fear VOIP Hack Attack

With more consumers expected to adopt VOIP service in the next few years, experts worry that the benefits of the technology might be offset by its immense potential for fraud and abuse.

While IP-based calls are usually cheaper and offer far more user choice and control than analog phone service, some consumer-grade VOIP services push their calls over the public Internet, where they are more vulnerable to interception or manipulation than on the PSTN (see Vendor Points to VOIP Vulnerabilities and VOIP Security Poses a Problem).

While, so far, abuses such as number hijacking, spam over Internet telephony (SPIT), and caller ID spoofing have largely been future-tense problems, security experts agree that these and myriad other crimes will challenge security efforts as VOIP grows.

A recent IDC study predicts the number of U.S. households using VOIP will increase from 3 million in 2005 to 27 million by the end of 2009. And with that in mind, the warnings against VOIP threats are becoming more insistent.

“Your phone is no longer a phone -- it’s a computer,” says Sujeet Shenoi, a VOIP security expert and computer science professor at the University of Tulsa. Now that telephones will be intelligent, they are capable of all kinds of things, both good and bad, Shenoi says.

“As VOIP gets rolled out en masse across residential areas especially, you’re going to have increased subscribers, but also increased numbers of potential attackers who now have their own personal playground to play with this technology,” says David Endler, chairman of the VOIP Security Alliance (VOIPSA) and director of security research at TippingPoint Technologies Inc. Endler says VOIP is like any other “killer app” in that vendors are first focused on rolling out its capabilities to consumers. Then, as the number of users ramps up, the security issues are addressed in response to market demand.

But VOIP services may prove especially inviting targets to hackers and other misfits, because the personal and financial havoc wreaked by them could be greater.

“If your organization’s network is under a distributed denial-of-service attack, that may mean that your Web browsers run a little slow,” Endler says (see Cisco IOS Hole Points to VOIP Threat). “However, if a VOIP-enabled call center is under a distributed denial-of-service attack, calls may be coming in unintelligibly or they might not be coming in at all.”

“I’m not so concerned about SPIT -- that is just an inconvenience,” Shenoi says. “The thing I am most worried about is worms. Somebody could write a worm that overloads the 911 system and shuts it down; that’s pretty serious.”

With a little programming know-how, Shenoi says, VOIP hackers can create a “man in the middle” scheme wherein calls to a certain IP number or numbers could be hijacked and rerouted to another phone line.

North Texas State computer science professor and VOIP security expert Ram Dantu points out that VOIP crimes may not only be more damaging, they can also be more annoying to the user (see VOIP Threats Loom Large).

“SPIT is different than spam because if spam lands in my email in the middle of the night I don’t care, but if a SPIT call comes in in the middle of the night, it wakes me up,” Dantu says. “And it might be an emergency, it might be my mother, or it might be somebody calling from the airport and I want to answer the call.”

But, Dantu says, there is no sure way to differentiate between a SPIT call and a legitimate call. Dantu says he's taking his concerns to Washington this summer as a number of experts will meet to discuss what policy changes need to be made in light of these new threats.

Consumer VOIP providers such as Vonage Holdings Corp. and 8x8 Inc. (Nasdaq: EGHT) have not reported any major VOIP-related mischief. “As of now, we haven’t heard much from our subscribers about spamming or spoofing or any sort of security issue,” says 8x8’s director of consumer marketing Karen Hong. “Believe me -- when it happens our call centers will hear about it.

“We have proprietary encryption algorithm for our access devices, but we haven’t really implemented it yet. But we are ready to do that if the circumstances come.” 8x8’s VOIP service, Packet8, has 55,000 paying customers.

As one might imagine, the VOIP security business is growing as quickly as VOIP itself. Several softswitch vendors have touted their VOIP security features lately, as have network software suppliers.

Several VOIP security packages are listed in Light Reading's new IP Services Software Directory.

— Mark Sullivan, Reporter, Light Reading


paolo.franzoi 12/5/2012 | 3:19:23 AM
re: Experts Still Fear VOIP Hack Attack
Note that there are all these concerns about voice, of course there are crickets out there on video.

Ever thought about DOS attacks or porn hijacks of IPTV?

seven
DCITDave 12/5/2012 | 3:19:19 AM
re: Experts Still Fear VOIP Hack Attack
poor choice of wording. should have said, "nuisances"
HWxPERT 12/5/2012 | 3:19:19 AM
re: Experts Still Fear VOIP Hack Attack
The article states:

"While, so far, abuses such as number hijacking, spam over Internet telephony (SPIT), and caller ID spoofing have largely been future-tense problems, security experts agree that these and myriad other crimes will challenge security efforts as VOIP grows"

Is caller ID spoofing a crime? Doesn't the law always lag new technology?

bored_lurker 12/5/2012 | 3:19:18 AM
re: Experts Still Fear VOIP Hack Attack
Also the article makes it sound as if VoIP is exclusively vulnerable to caller ID spoofing. According to this article:
(http://www.securityfocus.com/n...
that is not the case.

Yes, I understand they mean a more, ahem, direct approach of hacking. Sorry, but when I see an article that tells about the bad theoretical things that could happen to VoIP without mentioning the current, in practice same thing happening to everyone then I think FUD. The only saving grace is the article at least did state it was only theory.
bored_lurker 12/5/2012 | 3:19:18 AM
re: Experts Still Fear VOIP Hack Attack
Sorry, HTML included the ) in my last post. Here is the link to the article again:

http://www.securityfocus.com/n...
dljvjbsl 12/5/2012 | 3:19:18 AM
re: Experts Still Fear VOIP Hack Attack
This would seem to be something that could easily be overcome by government regulation. If this becomes an issue the office on which these PBX trunks home could block any unexpected caller id info.
HeavyDuty 12/5/2012 | 3:18:59 AM
re: Experts Still Fear VOIP Hack Attack
Think of the time and effort you put in to secure the servers, workstations and PCs that run a TCP/IP protocol stack and access the Internet (if you only access an intranet, security is easier). Then, compare that to the effort, lack thereof, needed to secure your PSTN PBX and telephone.

Now, do tell why you're still thinking about swapping to an IP based phone system?

If you had a digital, two pair connection all the way to your desktop (PSDN: Public Switched Digital Network; a.k.a., ISDN), you would already have all the functions that the IP phone vendors are promising with all the security of your current PBX; unless you've already installed an IP-PBX!

PSDN is what your phone calls would have been if ISDN had not been aborted by the Incumbent Local Exchange Carriers (a.k.a., RBOCs). The ILECs want to keep control of their bandwidth, so they push statistically multiplexed systems (IP, Frame-Relay, ATM, etc...) that they can oversubscribe, by as much as 1000%.

Other useful characteristics of users dynamically allocating their own bandwidth exist, much to the chagrin of the ILECs, but that is a long rant for another day.

So, if you want the features promised via an IP phone, but you would prefer to keep the secure, peace of mind of your current PSTN phone system; pester your ILEC for P/ISDN till they cry, "uncle!"
HeavyDuty 12/5/2012 | 3:18:59 AM
re: Experts Still Fear VOIP Hack Attack
"seem to be something that could easily be overcome by government regulation..."

IP telephony is often a subset of the Internet, a call being routed completely or partially through the Internet is not able to be completely controlled at the end-points, and therefore international in scope. Should one nation regulate, mere relocation to a less regulated country bypasses said inconvenience utterly.
scooby 12/5/2012 | 3:18:42 AM
re: Experts Still Fear VOIP Hack Attack
Gosh, if it were only that easy. Those thinking that the security of traditional PSTN/PBX systems is simple or trivial should spend a bit of time working on it. Or at least read NIST 800-24. Or take the fifty cents a local pay phone call costs now and buy a clue.

Voice is only part of the puzzle. In the future, voice becomes an even smaller part of the puzzle. Those trying to shoehorn the converged communications applications of the future into a mold made for voice will experience a lot of frustration as the rest of the communications world passes them by.

ISDN. Pul-leeeeze. :-)
dljvjbsl 12/5/2012 | 3:18:41 AM
re: Experts Still Fear VOIP Hack Attack
ISDN. Pul-leeeeze. :-)


ISDN is a 30 year old cable and modem replacement technology. Ethernet made it obsolete and supplanted it in the early 80s.

If you want the telephone company to supply all services with the obvious implications then support ISDN.