[ISN] How secure is VoIP?

InfoSec News isn at c4i.org
Tue Feb 14 01:38:47 EST 2006


By Jessie Seyfer
Mercury News
Feb. 13, 2006

The allure of Internet phone calling is understandable -- dirt-cheap
calls to anywhere in the world, sound quality that's at times superior
to the traditional land-line and the ability to take your phone number
with you when you travel.

But, buyer beware. These calls are just like any other form of digital
communication, like e-mail, which can be hacked, spammed and saved on

While Internet calling programs from Skype and Vonage to Google and
Yahoo are getting more and more popular, security experts warn that
they're not as secure as your traditional land-line.

``Lots of people are ignoring the risks about it,'' said Rodney
Thayer, a Mountain View security consultant. ``Sometimes there's
absolutely no encryption. Someone could listen to your conversation.  
It's not clear that these services have been hardened so that no
inappropriate activity could take place.''

Thayer is one of several experts who will be in San Jose this week for
the RSA Conference at the McEnery Convention Center, which highlights
just about every aspect of computer security -- data encryption,
spam-blocking and anti-fraud methods, for example. Thayer will lead a
daylong seminar on Internet phone-calling security.

The conference comes on the heels of a national debate over President
Bush's authorization of wiretaps without first obtaining a warrant,
and a battle between Google and the Department of Justice over
privacy. The Mountain View company is fighting a subpoena it received,
as did Yahoo, America Online and Microsoft, asking them to provide
information to the government about people's search habits.

Adding more heat to the issue is an ongoing legal conflict between
several Internet phone-calling providers -- as well as privacy
advocates -- with the government over whether companies should be
required to make it easy for law enforcement to conduct wiretaps over
their networks. The providers argue that taking steps to make
wiretapping easier will actually make networks more vulnerable to
malicious attacks. Federal regulators believe Internet phone systems
should follow the same rules as traditional ones, and should offer a
standardized level of access to law enforcement. The matter remains
before a federal appeals court.

Spoken e-mail

In thinking about the threats Internet callers may face, experts say
it's helpful to think of the calls as spoken e-mails -- after all,
they both consist of packets of data zipping across the Internet.

Therefore, it's possible for Internet phone calls to be plagued by the
same attacks that dog e-mail: Hackers listening to your calls,
automated spam messages that call you, and so-called ``phishing''
requests -- phone messages that seek personal financial information
from recipients with the intention of raiding their bank accounts.

``I think the next generation of spam is spam voice mail over VoIP,''
said Chris Rouland, chief technology officer at the Atlanta-based
Internet Security Systems company, which supplies security for large
phone networks and other businesses. VoIP stands for Voice Over
Internet Protocol, and is the industry term for Internet

At home, people using Internet phone calls should take the same
precautions they do for Web and e-mail communications: ``Never
accepting calls from people they don't know and don't trust. Never
giving out personal information to strangers and people you don't
trust,'' said Terrell Karlsten of Yahoo.

Skype uses encryption, or hiding data with difficult-to-break codes,
and Yahoo uses other methods, to protect conversations.

Experts suggest anyone thinking of signing up for Internet calling
services ask or make sure they're clear about a specific company's
policy toward security and privacy.

No spam yet

So far, there have not been any major documented incidents of fraud or
spamming from using Internet phone-calling. But while growing in
popularity, Internet phone calling is still in its infancy.

Eleven percent of American households will be using some form of
Internet phone service by 2010, according to Forrester Research.  
Industry analysts at In-Stat reported that the number of people using
the technology worldwide grew by 62 percent from 2004 to 2005.

Cisco Systems, which makes routing and switching equipment that sends
Internet data where it needs to go, believes businesses and Internet
service providers should safeguard voice conversations for their staff
and customers in the same way they can protect e-mail and instant

``Secure your phones, secure your routers, secure your VoIP call
centers, secure your applications,'' said Jayshree Ullal, senior vice
president of Cisco's DataCenter, Switching and Security Technology

Securing the network

Many security options can be installed on the computer network, rather
than on people's individual desktop computers, Ullal said.

Yet security experts say that if people want to listen to your
Internet telephone conversations, they can. In fact, a simple Web
search produced a site offering a program to do just that. The program
is designed to break into networks and then capture the packets of
data containing the conversation, and reconstruct them into an audio

But the experts also point out that while it's possible for hackers to
record conversations, it's unlikely that such attacks will occur
randomly. Attacks are more likely to occur on office networks than
home networks and are likely to involve conversations that will give
hackers information they can sell.

For businesses dealing with financial or legal transactions,
additional protection is a must, said Kelli Long, of CallTower, a Utah
company that sets up phone networks for businesses.

``From a consumer's perspective, if I'm out browsing the Internet and
if I'm sending e-mails back and forth, I should expect basically the
same amount of security for my voice calls, and at this point,
probably even less,'' Long said.

Saving conversations

So what happens to Internet voice conversations once they're finished?
Like any data, an Internet phone call can be saved. And there
generally aren't any guidelines about who has a right to save what

Yahoo's Instant Messaging service does not save conversations, nor
does Skype's, according to representatives. ``Privacy is very
important to our users,'' Yahoo's Karlsten said.

``We also have preventative measures we've implemented . . . detecting
sending patterns and habits associated with spammers.''

Google would not release information about the security of its Google
Talk application. But the terms of service for the program state:

``Google may access or disclose your personal information, including
the content of your communications, if Google is required to do so in
order to comply with any valid legal process or governmental

Rouland admitted that rules around Internet phone calls are just
starting to be developed, but the security concerns shouldn't scare
people off from Internet phone-calling entirely.

``VoIP is a great application and we expect it to revolutionize the
telephone systems today,'' he said. But right now, ``We're in a little
bit of the Wild West.''
