VoIP's Security Vulnerabilities

garzpacho writes "Experts predict that attacks on VoIP systems could be right around the corner, and are calling for preemptive security measures. The BusinessWeek article compares the current state of voice-over-IP to the pre-spam email era and suggests that spammers could be the first to exploit the system. From the article: 'Here's what VoIP security breaches could mean for consumers. For starters, it's a big channel for spammers. Think of the Viagra ads that flood your e-mail inboxes now. They work because the cost of e-mailing thousands of people at once is so low, only 1% to 3% or so need to respond for it to be worth it, Ingevaldson says. Comparable economics apply to VoIP calls, he says. Then there are potential phishing attacks, where fraudsters posing as banks lead consumers to fake sites. Those and other attempts at identity theft could spring up via VoIP accounts too, experts say. Imagine the messages from relatives of deposed Nigerian dictators -- only this time they're on voice mail, too.'"

From theoretical to real

[Billosaur]

Of course, there is a difference between potential threats and ones VoIP consumers are actually facing today. So far, much of this is theoretical--much like fears of mass viruses on mobile phones and disastrous phishing attacks over instant-message systems (see BusinessWeek.com, 1/5/06, "IM Security Is One Tough Sell"). VoIP attacks remain rare, although Gartner says Skype has made four big patches to vulnerabilities in the last 18 months.

And while it is all just theoretical, you know someone will eventually get their jollies figuring out how to hack VoIP and create a lane for spammers in the process. Going to VoIP removes a lot of the natural barriers that protect us from telemarketting calls now, and creates new vulnerabilities. There will be a lot more Caller ID spoofing; I can even conceive of someone creating malware that would be planted on your system and track the numbers you frequently call, to build spam call trees and more importantly to get ids and numbers you might trust so you would actually answer the calls. The possibilities are staggering.

Re:You can thank stupid people.

[kefoo]

Never underestimate the power of money to overrule common sense. I saw it every day when I worked as a software engineer.

Turing test!

[jackjeff]

What is bad about email is that it's not always obvious to know whether some email is spam or not. And there is also the risk of phising.

Obviously it's no concern here. If they have to make it cheap, they'll use no operator and revert to pre-recorded messages. You will know right away if the person is "human" or a "recorded message"... as long as machines fail the Turing test :)

There is nothing new about it. Junk calls existed before VOIP.

Not really

[Geoffreyerffoeg]

VoIP is more like the pre-spam IM era than the pre-spam e-mail era. And guess what. We're past the pre-spam IM era and it isn't even close to a problem. I get a spam IM about once every few months, if not rarer, and all it contains is an obfuscated link to some camgirl website or something (I haven't clicked, I'm just guessing).

VoIP, like IM, is a medium that does not lend itself to spam. What can they do, hire telemarketers? You can't very well robot a voice system. And because each system, like IM, is closed within a company, unless that company itself is spamming, they will quickly close down the accounts of anyone who spams because it's easy for them to track.

And I'm Okay with That

[99BottlesOfBeerInMyF]

E-mail brought us basically free international communication with text and images and attachments. Having to filter spam is a very small price to pay, especially since my off the shelf bayesian filtering (combined with temporary accounts for commercial transactions) lets through one or two "maybes" a year. If I can have basically free voice/video communication around the world, I'll gladly put up with having to secure that as well. Anything off my white-list can go to the "maybe" pile and be routed to voicemail unless I feel like taking random calls. ISPs are already implementing security to prevent spoofing. And I already use voice and video communication without any problems. Really, this is a minor inconvenience that comes with a major advance.

Those experts wouldn't happen to work for ATT...

[mmell]

would they?

Re:Leave Grandma alone

[richdun]

Great point - as ridiculous as it may sound, it's like driving a car. You have to learn how to drive and then take a test to get a license (let's for the sake of argument not get into how effective the testing and licensing process is in ensure that you are actually a good, safe driver). We don't want children doing even menial household chores like operating the gas stove that could incinerate your entire house or the washing machine that could flood your entire basement without proper instruction. Why then do people think they can just go buy a computer, plug it in, and go without reading the manuals (though they could be better), learning how to operate the computer (not Video Professor, something a bit more useful and free), etc. On one hand, you can argue (and well) that it shouldn't require a computer science degree to operate a home PC, but on the hand, shoulds are nice, but what is leads to many problems with consumers and the Internet today.

Spit (Voip Spam) will never attain spam ubiquity

[OlivierB]

Yes sending millions of emails is "free", and so is making unlimited VoiP, but Voip is less unlimited than emails, here's why.

When you decide to send an email to a group of people from domains A, B and C, where you have multiple recipients in domains A, B and C you only need to send server A one copy of the message with a list of the recipients it handles. The server then spawns copies of this message to all the mailboxes. Theoretically, you only need to make as many connections are there are domains in your distribution list.
Moreover Spam scales well with bandwith. Meaning a large message will arrive faster with more bandwith, not so much with Voip where you have real-time delivery; i.e. think of Voip as a VCR vs downloading your TV shows as files.

What this means for Spit is that they need to make individual connections for each recipient (although I know of some email like systems, but that's another story). Also they need to connect with each recipient's server or terminal as long as the message is.
What this means is that twice as many recipients will cost you twice as much in time and in bandwith for your spit message.

This fondamental difference is in my opinion a deterrent for any spammer worth his salt willing to reach thousands of recipients.

Spit doesn't scale well, spammers know that and will not pursue this activity as agressively as spamming.

Re:You can thank stupid people.

[arminw]

......Within one week of activating a new POTS phone line, I started receiving about three or four calls per night. It got the point where I stopped answering my home phone unless I was expecting a call. I disconnected my answering machine .....

Caller ID in combination with an old Mac Classic used as an answering machine has solved our unwanted phone call problems almost perfectly.

The Mac allows the audible, live monitoring of the first 10 seconds of any message coming in within which time we can decide to answer the phone or not. Any number we don't know or not listed is not answered live by us at all unless the caller leaves a message, which is also not answered unless we want to. A large display caller ID shows who is calling. The Mac answers all calls we don't recognize. We have not talked to a single phone solicitor in several years. Something like this should work even better for VOIP, since the computer can contain a list of callers the recipient is willing to talk to. The other calls go into the junk call bin, just as the spam junk e-mail does. The only calls that get answered live are the wanted ones. The do not call list is worthless anyway, but just as the spammers use technology, so, technology can also work against them. Fight fire with fire.

Re:The phishing threat is probably real.

[studpuppy]

AMEN! I had the same experience with a different company, and when I called the 800 number their IVR system didn't even bother to indicate that you had called the right company - it just immediately went in to prompting me to enter my credit card number.

I must've hung up a dozen times before deciding to simply #, * and 0 my way through their menu system until it finally dumped me to a human being with whom I could ask a question (or two, or three...) before giving any personal information.

And the kicker is that they initially called me because they thought someone had applied for a card in my name... so I didn't even have a valid CC # to get through their stupid IVR system in the first place.

I left a message for their VP of customer service to suggest that they, perhaps, fix their stupid process and system...

Honestly Officer, it wasn't me.... it was him. He did it. Not me. Can I go home now?

Separating Hype From Reality

[carpeweb]

From TFA:

... but not before the problem has succeeded in wreaking havoc. It happened with e-mail and is happening now with instant messaging and mobile devices ...

From my brain:

Really? Havoc? C'mon! Yes, spam is a problem, but my email has never been close to a state of "havoc" because of it, and filters came along pretty quickly. No, they don't work as well as I would like, but they work.

From TFA:

... Here's what VoIP security breaches could mean for consumers. For starters, it's a big channel for spammers ...

From my brain:

OK, this is more of a clarification of where the threat arises. Why is a VOIP user more vulnerable to *receiving* SPIT than a non-VOIP user? According to TFA, it's the technology and economics of *making* VOIP calls that will lead to the problem. (FYI, no SPIT from VOIP yet on my two-year old Vonage account; however, I do get regular and annoying SPIT from Congresswoman Marilyn Musgrave, who I doubt is using VOIP, because it's not in the Bible.) VOIP calls can do the same damage to landline and cellular phones, can't they?

From TFA:

... Added security vulnerabilities could erode the cost savings associated with VoIP systems ...

From my brain:

The cost savings from VOIP, as with many new technologies, are savings in *marginal* costs. Security measures aren't implemented on a per-call basis, so security threats won't affect the marginal cost savings. So, unless the security threats really are grave enough to shut down VOIP systems, I don't see how they can outweigh the cost savings.

From TFA:

... And security companies such as ISS have a financial stake in companies bracing against possible threats. ISS's basic network security now includes VoIP protection. Security software mainstays Symantec (SYMC) and McAfee (MFE) are also said to be working on VoIP security products. Both companies declined to comment for this article ...

From my brain:

They have a financial stake? Really? They probably declined comment because they thought they had done more than enough by writing the article.

Re:You can thank stupid people.

[Stellian]

VoIP phone spamming won't be any different than current telemarketing.

Wrong !
That's just like saying email spam won't be any different than junk mail.
VoIP spam is a nightmare in the making. A normal telemarketer needs to pay to have access to the phone network, and needs to be a business so it could be held accountable for any wrongdoings. It cannot operate from China or the long distance costs would kill it. There is only so much calls you can initiate per second from a normal telco trunk. You also need a human operator for each call, the costs per call tipically do not allow you to waste them with recorded message.
Enter VoIP Telemarketing: anonymous Viagra kings, enjoying the anonymity and low cost of the Internet calls to make billions of robot calls from zombied machines. In my opinion, it's the worst threat facing VoIP today.

Response percentages must be wrong

[Checkered+Daemon]

"Think of the Viagra ads that flood your e-mail inboxes now. They work because the cost of e-mailing thousands of people at once is so low, only 1% to 3% or so need to respond for it to be worth it, Ingevaldson says."

That's gotta be a misquote or typo, or Ingevaldson is nuts. 1% to 3% is around the accepted minimum for dead tree spam. In an interview with a professional email spammer about a year ago (yeah, I'm too lazy to look it up) she said that she could make a good profit with a 1 in 10,000 response rate! Probably helps explain why I still get penile enlargement spam even though almost everyone on the planet who'd fall for it has undoubtedly already sent in the $50 and gotten the rock and the string.

Re:I must sound like a broken record

Webs of trust are easily compromised, just look at your average email worm.

Currently it goes..

Step 1: Infect PC
Step 2: Extract email addresses from email client
Step 3: Propogate!!

With PK it becomes..

Step 1: Infect PC
Step 2: Compromise keys through passphrase capture
Step 3: Extract email addresses
Step 4: Propogate!!

Heck, if you used the same key to sign your emails as your VOIP headers (not a bad idea under a Grand Unified PK Scheme) then getting bitten by an email worm means your friends are open to both signed and legitimate looking emails carrying trojans, as well as phone calls from telemarketers that bought your key on the dark-grey spammer market.

You merely touch on the problems of initial key exchange, ignoring the greater problems of overall key management.

Don't get me wrong, I'd love PK to work. I'm just skeptical, especially when I consider how many PGP/GPG keys I've generated / revoked / signed and for so many different reasons (system compromise/reinstall, email address changes, etc).