Experts Still Fear VOIP Hack Attack
While IP-based calls are usually cheaper and offer far more user choice and control than analog phone service, some consumer-grade VOIP services push their calls over the public Internet, where they are more vulnerable to interception or manipulation than on the PSTN (see Vendor Points to VOIP Vulnerabilities and VOIP Security Poses a Problem).
While, so far, abuses such as number hijacking, spam over Internet telephony (SPIT), and caller ID spoofing have largely been future-tense problems, security experts agree that these and myriad other crimes will challenge security efforts as VOIP grows.
A recent IDC study predicts the number of U.S. households using VOIP will increase from 3 million in 2005 to 27 million by the end of 2009. And with that in mind, the warnings against VOIP threats are becoming more insistent.
“Your phone is no longer a phone -- it’s a computer,” says Sujeet Shenoi, a VOIP security expert and computer science professor at the University of Tulsa. Now that telephones will be intelligent, they are capable of all kinds of things, both good and bad, Shenoi says.
“As VOIP gets rolled out en masse across residential areas especially, you’re going to have increased subscribers, but also increased numbers of potential attackers who now have their own personal playground to play with this technology,” says David Endler, chairman of the VOIP Security Alliance (VOIPSA) and director of security research at TippingPoint Technologies Inc. Endler says VOIP is like any other “killer app” in that vendors are first focused on rolling out its capabilities to consumers. Then, as the number of users ramps up, the security issues are addressed in response to market demand.
But VOIP services may prove especially inviting targets to hackers and other misfits, because the personal and financial havoc wreaked by them could be greater.
“If your organization’s network is under a distributed denial-of-service attack, that may mean that your Web browsers run a little slow,” Endler says (see Cisco IOS Hole Points to VOIP Threat). “However, if a VOIP-enabled call center is under a distributed denial-of-service attack, calls may be coming in unintelligibly or they might not be coming in at all.”
“I’m not so concerned about SPIT -- that is just an inconvenience,” Shenoi says. “The thing I am most worried about is worms,” Shenoi says. “Somebody could write a worm that overloads the 911 system and shuts it down; that’s pretty serious.”
With a little programming know-how, Shenoi says, VOIP hackers can create a “man in the middle” scheme wherein calls to a certain IP number or numbers could be hijacked and rerouted to another phone line.
North Texas State computer science professor and VOIP security expert Ram Dantu points out that VOIP crimes may not only be more damaging, they can also be more annoying to the user (see VOIP Threats Loom Large).
“SPIT is different than spam because if spam lands in my email in the middle of the night I don’t care, but if a SPIT call comes in in the middle of the night, it wakes me up,” Dantu says. “And it might be an emergency, it might be my mother, or it might be somebody calling from the airport and I want to answer the call.”
But, Dantu says, there is no sure way to differentiate between a SPIT call and a legitimate call. Dantu says he's taking his concerns to Washington this summer as a number of experts will meet to discuss what policy changes need to be made in light of these new threats.
Consumer VOIP providers such as Vonage Holdings Corp. and 8x8 Inc. (Nasdaq: EGHT) have not reported any major VOIP-related mischief. “As of now, we haven’t heard much from our subscribers about spamming or spoofing or any sort of security issue,” says 8X8’s director of consumer marketing Karen Hong. “Believe me -- when it happens our call centers will hear about it.
“We have proprietary encryption algorithm for our access devices, but we haven’t really implemented it yet. But we are ready to do that if the circumstances come." 8x8’s VOIP service, Packet8, has 55,000 paying customers.
As one might imagine, the VOIP security business is growing as quickly as VOIP itself. Several softswitch vendors have touted their VOIP security features lately, as have network software suppliers.
Several VOIP security packages are listed in Light Reading's new IP Services Software Directory. To access the directory, click here. To add your company's name and information, click here.
— Mark Sullivan, Reporter, Light Reading
For further education, visit the related Light Reading Webinar archive: