The good and the bad associated with Voice over IP (VoIP) is becoming clearer. Increasingly, consumers and enterprises are turning to VoIP because it can save them money and enable them to take advantage of features, such as unified messaging. As this networking option gains popularity, however, it has also become a prime target for hackers.
“You can look at any new technology,” said Winn Schwartau, president of market research firm The Security Awareness Company. “As soon as it gains sufficient mass, hackers try to exploit it, and that scenario is holding true with VoIP.”
What makes sending commercial messages over VoIP networks appealing is that, like e-mail spamming, it can be done quickly and inexpensively. Spammers can record one voice-mail message and send it to hundreds of thousands of IP addresses, where it appears in users’ voice mailboxes. Spammers can also complete live calls if they desire. With VoIP, many long distance and even international calls cost nothing, or perhaps a few pennies, and the spammers can recoup their expenditures via successful solicitations.
Another similarity to e-mail spam is VoIP spammers are able to spoof users’ voicemail box addresses. Because of the Internet’s openness, anyone can locate a VoIP phone number simply by searching for it. The criminals can then insert it into a message, so it looks the originating call.
Caller ID Not Good Enough
Users have little protection against that ploy. “A user with caller ID could take down a telephone number, report a spamming incident, and then find out that the sending address is bogus,” said Michael Osterman, president of Osterman Research Inc., a market research firm focused on spam.
While the potential problems from VoIP spamming are great, the actual usage to date has been low. “VoIP spam is in a formative stage,” said Richi Jennings, leader of the anti-spam practice at Ferris Research, an e-mail market research firm. “Spammers aren’t using it much now but that will change — and probably quite quickly.”
While attacks against VoIP systems today are rare, the potential problems they can create may be worse than e-mail spam. Instead of receiving spam messages that take up 10K bytes, users will receive voice-mail messages taking up multiple megabytes of storage.
Preying on the Elderly
The voice messages may be more believable than e-mail spam. “What happens when elderly people start to get calls from individuals claiming to represent their banks?” asked Osterman. In some cases, the victims may hand over personal information, such as their account numbers and passwords. Even if they try to rely on a security check, such as caller ID, they may find that the hacker has spoofed that information, so it only experienced computers users may not fooled.
If VoIP spamming takes hold, banks and credit card companies may be hurt. “Banks often call customers to verify credit card transactions,” Osterman Research’s Osterman told TechNewsWorld. “I can envision scenarios where customers would be unwilling to provide personal information because they doubt it is the bank that is actually calling.”
Because VoIP spam is emerging as a potential problem, vendors are taking steps to address it. BorderWare Technologies developed SIPassure, a network appliance that focuses on SIP (Session Initiation Protocol) threats, including people or applications that can spoof a VoIP system, voice spam, hacking attacks, denial-of-service attacks and interception of VoIP or other SIP-based traffic. Management tool maker Qovia Inc. filed a patent application for a method of detecting and blocking VoIP spam so network administrators will be able to defend their users’ voice mailboxes.
Who to Let Through? Who to Stop?
The challenge in building VoIP anti-spam tools is finding algorithms that can determine if calls are generated by humans or machines. Much like the anti-spam tools used for e-mail, the new products need to be able to sort through incoming messages, distinguish wanted from unwanted messages, and ensure that wanted messages reach their recipients.
Service providers are also taking steps to protect customers. The Internet relies on an open networking model where any user can initiate a connection with any other user, but service providers are closing their networks to limit exposure. Typically, they outfit users with IP phones that include a layer of software that isolates them from potential problems.
Skype Technologies separates its users from other through the use of proprietary protocols and encryption, and Verizon establishes Virtual Private Network links among its VoIP users. While blocking unwanted spam, these approaches also limited to conversations by individuals on those networks and do not work when customers talk with individuals using other network services.
Vendors are trying to develop cross network authentication mechanisms. Some would like to let users limit access to outside callers, a feature that has become popular with instant messaging services. Another step is adding an introductory question or two whenever someone received a call from an unfamiliar number. In this case, the user can solicit information and then decide whether or not to accept a call.
Slowing Offshore Spammers
Service providers are looking to block foreign spam houses from accessing their networks. They are demanding that carriers filter out calls from sources not subject to U.S. telemarketing laws. By identifying all members of a VoIP community and enabling users to refuse calls that are not subject to consumer legislation, VoIP network become more like the Public Switched Telephone Network and tracing the source of VoIP spam becomes simpler.
While SIP includes mechanisms for authentication, there are questions about how multiple VoIP carriers can exchange such information and whether or not enough carries will support any new trust mechanisms. One maverick VoIP service provider could become the passageway through which all hackers could enter.
Vendors have just begun examining such issues and trying to develop effective ways to block VoIP spam. “Because there is not a large volume of VoIP spam generated at the moment, vendors can be proactive in trying to slow its march,” concluded Ferris Research’s Jennings. “But they will have to make some decisions soon because it is becoming more of a threat every day.”
The Internet was never developed in an awareness of the real world of human nature. It was built in, and remains in, an academic environment, where security, identity, etc. are not design goals. It was subsidized by the US taxpayer for many years. Protocol development was ended largely for federal cost reasons, decades ago, despite Bob Kahn’s dedication, and its release into the real world was naively subsidized by free inclusion in Unix, from UCB and every system manufacturer. The only surprise is that it took as long as it did to have 40M of our credit cards hacked out of a commercial system a few months ago.
VoIP is plagued by the same rush to market. Without first re-establishing the built-in security of the real telephone network (PSTN), VoIP will end up costing us far more than advertized.
The Internet’s (and VoIP’s) problems could have been solved decades ago, as they largely had been in commercial networks, such as SNA, DECNet, Netware, Vines… Now, we spend $B to try to secure a weak protocol family whose design doesn’t even include the fundamentals of identity and security that an old-fashioned telephone network fortunately still provides to us.