Internet telephony, or Voice over IP
wise to the benefits of turning speech into packets to be delivered via the
Internet. But some experts say that security efforts are lagging.
Denial of Service (DoS) attacks against VoIP networks are a real
possibility, according to Frost & Sullivan analyst Jon Arnold — and there’s
even a distant risk of spam over Internet telephony, or SPIT.
“The proliferation of Voice over IP is so small right now, it’s not the
kind of magnet for attacks that e-mail is,” Arnold said.
Frost & Sullivan forecasts a 15 percent penetration of VoIP in North
America by 2008. That figure is for landlines only; wireless could have a
major impact in the numbers, according to Arnold. But VoIP security threats are real.
“Spam is a small piece of the much
bigger issue of voice security in the IP world,” Arnold said. “It’s come on
the scene quietly, and the security industry hasn’t kept pace.”
VoIP providers are already on the lookout for DoS exploits.
“DOS … can happen to VoIP providers unless they place security mechanisms
in place,” said Louis Holder, executive vice president of product
development for VoIP provider Vonage.
VoIP systems require every customer to have a terminal adapter
at their locations.
“Each customer then becomes a node that
could help do a Denial of Service attack on a network,” said Brian Fowler,
CTO of Voiceglo, a VoIP service provider that monitors its network for
nonconforming packets, which are filtered and extracted. “They can be turned
against other networks.”
Still, Fowler is aware of the pervasiveness of SPIT. “We worry about it all the time,” he said.
“We’ve been lucky at this point.”
Arnold said that VoIP hackers could do plenty of evil besides just
disrupting networks. “You can find some holes and drain financial resources
out of companies,” he said. “You can start charging phone calls to them and buying
stuff over the phone. That’s the really scary stuff.”
What worries Arnold most is Microsoft’s adoption of Session Initiation
Protocol (SIP), a signaling protocol for Web conferencing, telephony,
presence, events notification and instant messaging.
“Once you’re in a SIP environment,” he said, “you become vulnerable to
the vulnerabilities of the public Internet. And if you’re a hacker, what
market are you going for?”
In January 2003, CERT warned
SIP was vulnerable to remote code execution and other cracks, while the U.K.
National Infrastructure Security Co-Ordination Centre advised
early this year that the H.323 networking protocol for transmitting
audio-visual data supported by many VoIP networks put them at risk for DoS
and buffer overflow attacks.
The viability of SPIT is less clear.
“That is not possible to do with Vonage’s voicemail system” Holder said.
“In order to get a voice message into our system, you have to stream
real-time voice into it.”
In other words, if a spammer wanted to send
someone a one minute long voice message, he
would have to stream that message to the voicemail system for a whole
minute; he couldn’t just e-mail the message as a file into the system.
Even though the information is carried as data in Vonage’s system, Holder
said, it starts and ends as voice. “Phones have IP addresses,” he said, “but
the voice conversation still needs to be played in real time. And it’s
converted back to voice in real time.”
But Qovia, a company that sells enterprise tools for VoIP monitoring and
management, recently applied for a patent on technology to broadcast
messages via VoIP — and another one for a method of blocking such
broadcasts. The broadcast methodology only works on a pure VoIP network,
while most of today’s services are hybrids of IP and traditional telephone
lines.
“SPIT becomes an issue when you don’t have to go out over the
traditional telephony lines,” said Qovia CEO Richard Tworek. “As soon as my
VoIP system touches the Internet cloud, that’s when it starts to become
interesting. We predict it’s going to happen, much as spam e-mail did. Were
trying to get ahead of the game.”
The company realized pretty quickly that where there’s a channel, there’s a
pitchman, said Pierce Reid, Qovia vice president of marketing. “Someone is
going to use [VoIP] for spam.” Since every other medium has been the conduit
of unwanted marketing messages, from bulk faxes to telemarketing to
IM spam, he said, Qovia engineers began to research whether it was possible to
broadcast voicemail. It was easy.
Qovia insists it would never allow the technology to be used for
marketing, let alone spam.
“There are positive uses of the broadcast capability,” said Tworek. “And
none of us would agree that unsolicited marketing is a positive use; that’s
not in our future.”
However, he sees the broadcast capability being useful
for public agencies, such as Homeland Security, that might need to reach
people with vital messages.
Qovia will incorporate its SPIT-blocking technology in future releases of
its security products, while enforcement of its patent on broadcasting, if
granted, could be used to shut down VoIP spammers.