[ISN] Hold the Phone, VOIP Isn't Safe

[InfoSec News]

http://www.wired.com/news/technology/0,1282,66512,00.html

By Elizabeth Biddlecombe
Feb. 07, 2005

In recognition of the fact that new technologies are just as valuable
to wrongdoers as to those in the right, a new industry group has
formed to look at the security threats inherent in voice over internet
protocol.

The VOIP Security Alliance, or VOIPSA, launches on Monday. So far, 22
entities, including security experts, researchers, operators and
equipment vendors, have signed up. They range from equipment vendor
Siemens and phone company Qwest to research organization The SANS
Institute.

They aim to counteract a range of potential security risks in the
practice of sending voice as data packets, as well as educate users as
they buy and use VOIP equipment. An e-mail mailing list and working
groups will enable discussion and collaboration on VOIP testing tools.

VOIP services have attracted few specific attacks so far, largely
because the relatively small number of VOIP users doesn't make them a
worthwhile target. (A report from Point Topic in December counted 5
million VOIP users worldwide.)

But security researchers have found vulnerabilities in the various
protocols used to enable VOIP. For instance, CERT has issued alerts
regarding multiple weaknesses with SIP (session initiation protocol)  
and with H.323.

Over the past year, experts have repeatedly warned that VOIP abuse is
inevitable. The National Institute of Standards and Technology put out
a report last month urging federal agencies and businesses to consider
the complex security issues often overlooked when considering a move
to VOIP. NIST is a member of VOIPSA.

"It is really just a matter of time before it is as widespread as
e-mail spam," said Michael Osterman, president of Osterman Research.

Spammers have already embraced "spim" (spam over instant messaging),
say the experts. Dr. Paul Judge, chief technology officer at
messaging-protection company CipherTrust, says 10 percent of
instant-messaging traffic is spam, with just 10 to 15 percent of its
corporate clients using IM. "It is where e-mail was two and a half
years ago," said Judge.

To put that in perspective, according to another messaging-protection
company, FrontBridge Technologies, 17 percent of e-mail was spam in
January 2002. It put that figure at 93 percent in November 2004.

So the inference is that "spit" (spam over internet telephony) is just
around the corner. Certainly, the ability to send out telemarketing
voicemail messages with the same ease as blanket e-mails makes for
appealing economics.

Aside from the annoyance this will cause, the strain on network
resources when millions of 100-KB voicemail messages are transmitted,
compared with 5- or 10-KB e-mails, will be considerable.

But the threat shouldn't be couched solely within the context of
unlawful marketing practices. Users might also see the audio
equivalent of phishing, in which criminals leave voicemails pretending
to be from a bank, said Osbourne Shaw, whose role as president of ICG,
an electronic forensics company, has led him to try buying some of the
goods advertised in spam.

In fact, according to David Endler, chairman of the VOIP Security
Alliance and director of digital vaccines at network-intrusion company
TippingPoint, there are many ways to attack a VOIP system. First, VOIP
inherits the same problems that affect IP networks themselves: Hackers
can launch distributed denial of service attacks, which congest the
network with illegitimate traffic. This prevents e-mails, file
transfers, web-page requests and, increasingly, voice calls from
getting through. Voice traffic has its own sensitivities, which mean
the user experience can easily be degraded past the point of
usability.

Furthermore, additional nodes of the network can be attacked with
VOIP: IP phones, broadband modems and network equipment, such as soft
switches, signaling gateways and media gateways.

Endler paints a picture in which an attack on a VOIP service could
mean people would eavesdrop on conversations, interfere with audio
streams, or disconnect, reroute or even answer other people's phone
calls. This is a concern to the increasing number of call centers that
put both their voice and data traffic on a single IP network. It is
even more of a concern for 911 call centers.

But Louis Mamakos, chief technology officer at broadband telephony
provider Vonage, says he and his team "spend a lot of time worrying
about security" but the problems the company has seen so far have
centered on "more pedestrian" threats like identity theft.

Vonage has not yet signed up for the VOIP Security Alliance, said
Mamakos, and employees already spend a lot of time working on security
issues with technology providers.

"I'm not sure if (VOIPSA) is a solution to a problem we don't have
yet," he said. "We need to judge what the incremental value is in
working with another organization."

He also talked about how hard it would be to break into Vonage's
service. Access to Vonage's signaling traffic requires authentication.  
The infrastructure is much more distributed than the websites that
have been taken offline by denial of service attacks. And anyone
wanting to eavesdrop on a Vonage phone conversation would have to be
physically very close to the broadband connection leading to the
target, as the farther away the eavesdropper is, the more commingled
the target's voice traffic will be with other traffic on the network.

Meanwhile Kelly Larrabee, a spokeswoman for the peer-to-peer VOIP
provider Skype, noted that Skype users control what information about
themselves is available and who can contact them. She also said
end-to-end encryption is used to protect voice conversations. The only
vulnerability so far, aside from uncertified third-party applications,
is through file transfers -- and again, this is under user control.

But these words could be like a red rag to a bull. As one commentator
put it, a continuous duel is going on between network users and
abusers, and spammers and hackers could well be reading this article.  
This poses the question of whether a group like the VOIP Security
Alliance should refrain from announcing its efforts in the media and
from making its membership and e-mail list free and open to all.

In response, said VOIPSA's Endler, "The people we really have to worry
about are already thinking about (how to misuse VOIP)."

Today's effort is to ensure that VOIP systems are reinforced "before
it gets to the point that there are easily available tools for the
script kiddies to use," he said.