Slashdot Mirror


Voice Over IP Under Threat?

An anonymous reader writes "The IT Observer is discussing the possible scary future of Voice over IP targeted viruses, and what that could mean for the consumer. The article discusses the likelihood that VoIP is going to become even more popular, and the damage that a targeted 'flash virus' could perpetrate in a very short amount of time. From the article: 'Let's imagine a scenario that could become commonplace in the near future: A user has an IP telephony system on his computer (both at home and at work). In his address book on the computer there is an entry, under the name Bank, with the number 123-45-67. Now, a hacker launches a mass-mailing attack on thousands or millions of email addresses using code that simply enters users' address books and modifies any entry under the name Bank to 987-65-43. ... If any of these users receives a message saying that there is a problem in their account, and asking them to call their bank (a typical phishing strategy), they may not be suspicious, as they are not clicking on a link in an email ... If they use their VoIP system to call the bank, they will be calling the modified number, where a friendly automated system will record all their details. ' "

28 of 148 comments

  1. The problem of telephony + the Internet... by Ingolfke · · Score: 4, Funny

    is that people will call you up during your dinner to tell you that you're long lost uncle's oil wealth is available to you in Madagascar or about the wonders of this new herbal male health pill.

    1. Re:The problem of telephony + the Internet... by HugePedlar · · Score: 3, Interesting

      I wonder if VOIP might solve this to some extent. After all, with Asterisk or similar, the home user can set up an "Auto-Attendant", or menu system to filter calls that get through. Perhaps even some form of voice recognition (recognising people's voices in your address book, or, controversially, an Indian accent) might become common. I suspect VOIP will make the telemarketers' jobs harder in the end.

      --
      Argh.
    2. Re:The problem of telephony + the Internet... by florist · · Score: 2, Informative
      Its YOUR uncle, and now YOU'RE no longer in need of correction.

      It's "it's your uncle" and not "its your uncle", and now you're no longer in need of correction, either. :)

    3. Re:The problem of telephony + the Internet... by arivanov · · Score: 4, Insightful

      Exactly.

      I have been doing it for a while now (need to clean the code for the AGI plugin and post it). For my incoming phone lines I have scheduled times when the phone does not ring, when it rings only in my office for known callerIDs or when it rings for everyone who has not withheld their callerid. Trivial to do with asterisk+perl-AGI and quite more powerful compared to the default autoattendant.

      The article brands all VOIP to be Skypelike (and vice versa). VOIP is not just PC based systems and this attack currently applies only to PC based systems. In addition to that it is limited to a specific VOIP system. A valid Skype attack is not applicable to Yahoo, MSN, SIP phones, etc.

      Things may change in the future when integrated contact management and click-to-dial becomes commonplace. This is not common enough now and can be found only on PHB/Sales laptops so it is not yet an attack vector that is worth mentioning. By the way, this will apply to any phone system that has click to dial, not just VOIP. Now having outlook+voip worm - that is a scary thought...

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
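
The screening policy arivanov describes above, sketched as an added example: this is not the commenter's plugin, and it is written in Python rather than Perl. The schedule, the known-caller list and the `SCREEN_RESULT` variable name are assumptions; the script reads the `agi_*` header block Asterisk sends on stdin and answers with the AGI `SET VARIABLE` command so the dialplan can branch on the verdict.

```python
import sys
from datetime import datetime, time

# Constructed policy data (assumptions, not taken from the comment).
KNOWN_CALLERS = {"5550100", "5550101"}
QUIET = (time(22, 0), time(7, 0))    # phone never rings; window wraps midnight
OFFICE = (time(9, 0), time(18, 0))   # only known callers ring, office phone only


def parse_agi_env(lines):
    """Parse the 'agi_key: value' block Asterisk writes to the script's stdin.

    The block is terminated by the first blank line."""
    env = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            break
        key, sep, value = line.partition(":")
        if sep and key.startswith("agi_"):
            env[key] = value.strip()
    return env


def in_window(now, window):
    """True if 'now' falls inside [start, end), handling windows past midnight."""
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end


def digits_only(callerid):
    # Simplification: no country-code handling, digits are compared as sent.
    return "".join(ch for ch in callerid if ch.isdigit())


def decide(callerid, now):
    """Return 'silent', 'office' or 'all' for one incoming call.

    Caller ID is asserted by the calling side and can be forged, so this is
    a nuisance filter, not a way to authenticate who is calling."""
    number = digits_only(callerid)   # "unknown" or "" means withheld
    t = now.time()
    if in_window(t, QUIET) or not number:
        return "silent"
    if in_window(t, OFFICE):
        return "office" if number in KNOWN_CALLERS else "silent"
    return "all"


def main():
    env = parse_agi_env(sys.stdin)
    verdict = decide(env.get("agi_callerid", ""), datetime.now())
    sys.stdout.write(f"SET VARIABLE SCREEN_RESULT {verdict}\n")
    sys.stdout.flush()
    sys.stdin.readline()             # consume Asterisk's "200 result=1" reply


if __name__ == "__main__":
    main()
```
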
    4. Re:The problem of telephony + the Internet... by tehcyder · · Score: 3, Funny
      Perhaps even some form of voice recognition (recognising people's voices in your address book, or, controversially, an Indian accent) might become common.
      So you'd set up a filter especially to recognise and let through any caller with an Indian accent? That's a fine example of multi-cultural tolerance, it makes such a change from the usual racism on slashdot. Well done sir!
      --
      To have a right to do a thing is not at all the same as to be right in doing it
  2. Logical progression by CommunistHamster · · Score: 5, Insightful

    This seems a logical progression of phishing, but it's hardly going to be a large impediment to the adoption of VOIP. Phishing hasn't dissuaded people from using email.

  3. And that's why... by AltGrendel · · Score: 3, Interesting
    ...I'm still using copper. I know that this will work itself out, that the technology will improve, etc, etc.. but until it does, I'm going to stay away from it. For me, it doesn't make sense to be an early adopter of VoIP.

    But that's just my opinion.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:And that's why... by Metaphorically · · Score: 2, Funny

      Yes, I'm following the same strategy with email...

      --
      more of the same on Twitter.
    2. Re:And that's why... by walt-sjc · · Score: 2, Insightful

      Don't worry, this article is mostly FUD. For one, it assumes that all phones will be vulnerable to the same flaws. They won't - they run MANY different code bases. There is no mono-culture in VoIP like there is with desktop operating systems (well, except for the Skype example - I don't use skype anyway due to the closed/proprietary nature of it.) It also assumes that any security flaws won't be fixed or addressed. Anyone that deals with IP phones knows that new firmware comes out every few months. If you have a Vonage-like VoIP service, new firmware can be pushed out to you automagically. Lastly, I expect that VoIP proxies will become a standard feature in SOHO routers in the not-too-distant future to deal with multiple NATed phones and other issues. Probably something like a light version of SER. Expect them to be able to filter crap out like modern firewalls / web proxies do.

    3. Re:And that's why... by walt-sjc · · Score: 5, Insightful

      Oh yeah - one more thing - who does the author of this article work for? Hmm. Panda. What do they do? Antivirus and security software. Self serving FUD is what this is.

    4. Re:And that's why... by radish · · Score: 2, Insightful

      I still use copper too. The copper in my coax cable which carries my internet traffic, and with it, my VOIP calls. Of course, what this article is talking about is people who use autodialers of one kind or another - which includes cell phones, PBXs with click-to-call, Skype, etc - it's got nothing to do with VOIP as a technology for transmitting the voice data. My VOIP solution uses a perfectly normal phone, not a computer, and so until Uniden and VTech start issuing vulnerability warnings I think I'm OK.

      --

      ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

  4. Open VoIP Clients are Safer by Doc+Ruby · · Score: 2, Insightful

    Who's got an OSS Flash or Java applet that is a SIP or IAX client? If we keep the VoIP SW on the server (tested and upgraded), and give it access to our network/AV HW only on request in a sandbox, we're pretty safe against viruses. These applets can be signed and distributed easily, unlike OS-installable full apps, or dedicated HW.

    --
    make install -not war

  5. VoIP-Spam is another threat by Rastignac · · Score: 3, Insightful

    Spam in my inbox is painful. Spam using VoIP will be very, very painful.
    VoIP will be cheap enough for spammers, and easy to handle by spamrobots...

    --
    -- Rastignac was here.
    1. Re:VoIP-Spam is another threat by HugePedlar · · Score: 2, Insightful

      So you set up a menu system: "Press 3 if you're not a spambot". Solved, more or less.

      --
      Argh.
  6. Why would this threaten VoIP? by Raistlin77 · · Score: 5, Insightful

    I would say there are likely far more people who use regular landlines and cell phones and don't use VoIP, but that do still maintain phone books on their computers. If they call with their regular phone, the same will occur. Why drag VoIP into the cross-hairs alone?

  7. VERY UNLIKELY, see why... by crazyjeremy · · Score: 3, Insightful
    This seems to be a misleading article. Most phishing techniques do not use elaborate setups as suggested. They use very simple techniques. Oddly enough, the article author seems to agree.
    Evidently, this would require a large degree of innovation, research and development on the part of the creators of malicious code, and I genuinely doubt that they would bother.
    The potential scenario quoted in the post is so far fetched, it's doubtful anyone will ever pull it off. It involves hacking their voip system, home computer (and address book), a mass-mailing spam which happens to also include the email address of the hacked computer, user intervention (they must read the spam and respond), and the hacker must also have a good enough radio voice to fool the homeowner into thinking he's actually calling his real bank. Don't know about you, but we're not too afraid of this possible Voice over IP threat.
  8. Not Unique to VOIP by mmurphy000 · · Score: 3, Informative

    Changing phone numbers in an address book isn't unique to VOIP. A virus could scan Outlook and other common address book systems and change phone numbers, whether VOIP or not. Since most people don't have their bank phone numbers memorized, they'll assume that the address book entry is correct. Even if they use a non-VOIP phone, the phishing attack can work.

    Now, a VOIP system might have an integrated address-book/speed-dial system that could also be attacked. But otherwise, I don't see where this is unique to VOIP.
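
A detection-side sketch for the address-book tampering discussed in the story and in the comment above, added here and not code from the thread: it compares a trusted vCard export against the current one and reports entries whose phone numbers differ. The vCard samples are constructed (the Bank numbers are the ones from the article's scenario), and it assumes the baseline export is kept somewhere the account running the mail or VoIP client cannot write to.

```python
import re

# Constructed sample exports; the Bank numbers come from the quoted scenario.
BASELINE_VCF = """BEGIN:VCARD
VERSION:3.0
FN:Bank
TEL;TYPE=WORK:123-45-67
END:VCARD
BEGIN:VCARD
VERSION:3.0
FN:Alice Example
TEL;TYPE=CELL:+1 555 0100
END:VCARD
"""
CURRENT_VCF = BASELINE_VCF.replace("123-45-67", "987-65-43")


def unfold(text):
    """Undo vCard line folding: a line starting with space or tab continues
    the previous line."""
    return re.sub(r"\r?\n[ \t]", "", text).splitlines()


def normalize_tel(value):
    """Keep digits and '+', so '123-45-67' and '1234567' compare equal."""
    return re.sub(r"[^\d+]", "", value)


def snapshot(vcf_text):
    """Return {display name: sorted tuple of normalized numbers}."""
    book, name, tels = {}, None, []
    for line in unfold(vcf_text):
        head, sep, value = line.partition(":")
        if not sep:
            continue
        # Drop parameters (";TYPE=WORK") and any group prefix ("item1.").
        prop = head.split(";")[0].rsplit(".", 1)[-1].upper()
        if prop == "BEGIN":
            name, tels = None, []
        elif prop == "FN":
            name = value.strip()
        elif prop == "TEL":
            tels.append(normalize_tel(value))
        elif prop == "END" and name is not None:
            book[name] = tuple(sorted(set(tels)))
    return book


def diff(baseline, current):
    """List (name, kind, old numbers, new numbers) for every differing entry."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        old, new = baseline.get(name), current.get(name)
        if old == new:
            continue
        if old is None:
            findings.append((name, "added", (), new))
        elif new is None:
            findings.append((name, "removed", old, ()))
        else:
            findings.append((name, "changed", old, new))
    return findings


if __name__ == "__main__":
    for finding in diff(snapshot(BASELINE_VCF), snapshot(CURRENT_VCF)):
        print(finding)
```
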

  9. Whaaat? by ISoldMyLowIdOnEbay · · Score: 2, Insightful

    I too, can come up with lots of non-scenarios based on speculation...

    What if someone hacks the telephone exchange and redirects all calls to the bank to a new number?

    What if I get a letter from my bank saying they have moved, and a phisher builds a new bank at that address, thus allowing them to take all my details?

  10. Dr. Weird had it right after all by Sneakernets · · Score: 4, Funny

    "Steve... send the PHONE SPIDERS."

    --
    "No freeman shall ever be debarred the use of arms." -- Thomas Jefferson
  11. Scaremongering by vaderhelmet · · Score: 2, Interesting

    This is a concept at best. A virus going through peoples' cell phones (which are far more in use than VoIP sets) to do the same thing is even more viable. This is another 'exploit' that relies on people to be completely oblivious to what their technology is doing. I agree that it is a problem, but it has nothing to do with VoIP. A lot of PHBs are already afraid enough of 'voices in the network' without somebody throwing 'OMFG What if?!' at them.

    OMFG, What if someone wrote a virus that relinked your favorites in your browser to point directly at the phishing sites?

    Just like VoIP and cell phones and your browser, when you click on a contact or favorite, the vast majority of them show you the underlying value. If you don't recognize that number, end the call. You need to be cognizant of what is happening. It is your fault, not the technologies' fault, if something bad happens due to something like this.

  12. What about a BotNet? by bhsx · · Score: 2, Interesting

    A serious botnet can have 50k-100k minion boxes out there... Imagine if VOIP hit even 20% penetration, that would obviously be 10k-20k phones that botnet owner has access to. If you were the type of slimeball or, gods forbid, terrorist, what would you do with 20 thousand phones you had access to? Think DDOS on 911? Think maybe just dialing pay phone services like the old auto-dialer spyware? People maybe shouldn't be allowed to run their VOIP systems on just any old machine... Perhaps all those writing VOIP code for Windows systems should just stop and burn all copies of their apps? That doesn't sound too bad :P

    --
    put the what in the where?
  13. Re:and? by LurkerXXX · · Score: 2, Insightful

    It's not at all a bad thing to have in your phone's address book. Say you are on a trip and your wallet gets stolen, etc. You may want to call your bank, credit card company, etc, very quickly to put stops on your accounts.

  14. Re:You could just stop using Windows... by solevita · · Score: 5, Insightful

    I've seen this argument crop up regularly on /. recently, but that doesn't make it a good one. Why? Well, let's extend your argument to its logical conclusion - not only should we all use different operating systems, web browsers, CPU architectures, but we should all also use different file formats, standards and networking protocols.

    I'll never get caught by a phishing scam because my web browser doesn't support the HTML used on fake-paypal.com and I can't even connect to it anyway because I'm using a brand of TCP/IP used only by myself and a handful of /. geeks.

    Call me crazy, but I want to work on something that I can easily share with my colleagues - I want the most open digital environment I can get.

    I refuse to accept that lazy/poor programmers can excuse the security holes in their products by claiming that everyone should be aiming for security through obscurity. Let's stop blaming Windows/Internet Explorer users for the insecurity of the products they use. Security through diversity is just renamed security through obscurity; it's no security at all.

  15. Maybe a FUTURE problem by Opportunist · · Score: 3, Interesting

    Let's face it, who's the prime target for phishing? Joe Average Users. "We" (as in, people who enjoy technology as a pastime more than just a tool) know about such problems, and we know how to deal with them. I still never heard of a 'clued' person to become a phishing target. We certainly don't answer to mails akin to "Hi, I'm your Bank, please send me all your details in reply or your account will be frozen", and we usually routinely check for unwanted BHOs and tasks, and we certainly run up to date AV software (or at least have another reason to assume with some sort of faith that we are not infected).

    In short, we know the threat. And we're also the ones who use VOIP predominantly, aside of companies (who better have someone like us as their IT-security person there). Auntie Mable and Joe Hicksberger won't switch to VOIP any time soon.

    So personally, I'd rate THAT threat low. At least for now.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  16. Re:You could just stop using Windows... by planetmn · · Score: 4, Interesting

    WTF?

    Now, I understand in the Slashdot world, anything that pokes at Microsoft and Windows is instantly thought of as insightful and true, but what the hell does this problem have to do with Microsoft? This problem exists because of social habits of human beings. Most phishing scams work only when there is action taken by a victim that is either uncaring, or doesn't know better.

    I recently received a phishing scam email from somebody purporting to be Wells Fargo Bank. First clue is obvious, I don't have an account with them, but I was curious. So I clicked the link in Firefox. The site comes up, looks similar to the real Wells Fargo site, but has a completely non-legitimate URL. So then I clicked the link in IE7. Guess what, IE7 knew it was a phishing site.

    So in my above example, Microsoft was not at fault, in fact, they were proactive enough to protect the user. Stop blaming third parties for what amounts to human error. And if you think OS diversity would help the problem, you are wrong. People react the same way to phishing scams regardless of OS.

    And your suggestions are absolutely insane. One thing that computing monoculture brings is a standard implementation. How would the average consumer react if they were told "this software won't work on this OS" or worse "this software only works on certain flavors of linux, but not yours". The reason the PC grew so quickly was the ability to choose between different software and hardware easily, and be sure of compatibility. Sure, niche markets existed, such as the Mac, but the PC was much more extensible and much more desirable.

    -dave

    --
    /., where "Apple and Google provide Iran with nukes" will be refuted with "But Microsoft is a convicted monopolist"
  17. I'll take VOIP... by weeboo0104 · · Score: 2, Funny

    viruses over a virus from a public pay phone anyday!

    Those shankers hurt!

    --
    It is easier to build strong children than to repair broken men. -Frederick Douglass
  18. Re:You could just stop using Windows... by 99BottlesOfBeerInMyF · · Score: 2, Insightful

    Now, I understand in the Slashdot world, anything that pokes at Microsoft and Windows is instantly thought of as insightful and true, but what the hell does this problem have to do with Microsoft?

    The attack described relies upon a worm that can compromise desktop systems. Worms are a lot easier to implement if there are a huge number of identical targets with identical holes. Currently that target is Windows.

    This problem exists because of social habits of human beings. Most phishing scams work only when there is action taken by a victim that is either uncaring, or doesn't know better.

    You're assuming that improvements to computers can't significantly reduce the risk of the described phishing attack, but that is not the case. Simply by having many different OS's and browsers this type of attack would become a whole lot harder. Further, there is no reason why a given OS should grant a new binary access to read or write to your phonebook without explicit approval from the user with some pretty strongly worded warnings in plain English. In a free market, I'm guessing every desktop OS would include this functionality as soon as it became an issue, but Windows has not done so, despite worms grabbing data from the e-mail address book. The reason for this is, quite simply, it doesn't cost MS a significant amount of money when people are compromised because the vast majority of users don't have realistic options of other OS's (it's not at walmart, kmart or meijer).

    So in my above example, Microsoft was not at fault, in fact, they were proactive enough to protect the user.

    Do most users have IE7? Is it even available on Win2K? Did IE7 recognize it as a phishing site before a significant number of people had already been there?

    Stop blaming third parties for what amounts to human error.

    Sure some malware and scams are the result of human error, but a lot of them are also the result of poorly designed software for the environment in which it is operating.

    And if you think OS diversity would help the problem, you are wrong. People react the same way to phishing scams regardless of OS.

    The previous poster was specifically talking about the scenario in the article. That scenario required that the system was compromised by a worm. Diversity of OS's does reduce the ability of worms to spread and diversity of OS's motivates companies to innovate solutions to out compete others. Those innovations may include ways to stop worms, don't you think? Maybe instead of complaining about people's opinions by trying to apply them to a situation they weren't talking about you should consider them in terms of what we're discussing.

    How would the average consumer react if they were told "this software won't work on this OS" or worse "this software only works on certain flavors of linux, but not yours".

    Who says that would be the case? If other OS's were common the practice of writing portable code that worked on multiple OS's and offering them would be more profitable and thus more common. Further, VM software, like portable Java apps would be more profitable. Your cause and effect is reversed. People offer software only on one platform because there is one dominant OS. When there were multiple competing platforms, even long ago, there was more software offered with cross-platform options.

  19. Re:You could just stop using Windows... by 99BottlesOfBeerInMyF · · Score: 2, Interesting

    Or, it would only require a user to run certain software, which is the reason a lot of people get malware/spyware on their computers in the first place.

    Yeah, trojans are a problem, although all the studies I've seen by number of infections put malware without user interaction in the lead.

    This would not stop if there were no holes. It would only stop if there was a way to ensure that people didn't run software they download AND that any software provided to them was legitimate.

    OS's don't need to prevent software from running, just have mechanisms to determine trust levels (signing) and provide granular controls based upon those trust levels, while keeping the user informed about what is happening. The problem with trojans isn't that people double click on things, it's that when they do so the OS doesn't tell them if they ran a program or opened a file, and if a program how trustworthy is it and what is it doing, and giving them the option to stop it from doing things they don't want it to do. The average user never, ever, ever installs a program that they want to have access to their e-mail addresses and phone numbers. Why then can a user click on something called nakedpic.jpg and have a program silently access and modify that list? There is no technical reason and there are even OS's in use today that will stop exactly that.

    The problem is that many people get annoyed at those prompts to the point that they turn them off (if that's an option) or they ignore them.

    This is called poor UI design. If there are so many prompts that users get annoyed, you've messed up your design. The example I gave above will show a prompt that will never be seen by 99% of users. If the user can ignore a prompt it was poorly designed, like almost all prompts on Windows. People can ignore prompts because most of them are useless and they almost all have the same two options (OK)(Cancel). A proper dialogue would say something like, "The program 'nakedpic.jg.exe' would like to read and modify your phone numbers (Stop it from changing my phone numbers)(Let it change my phone numbers once)(Always let it change my phone numbers)(advanced Options)." So the user has four options all in plain English. They must either read at least one of them, or pick randomly, and even that would be better than defaulting to always allowing everything. People who think UI design is not a security issue (like MS) are way off base.

    The average consumer just doesn't know when to allow permissions and when not to.

    There are probably people in the world that could not understand the message I gave as an example. They are few and far between. For the rest, it is more a matter of giving them the info and control they need, rather than asking them obscure questions in technobabble, most of which are wholly unnecessary.

    Consider that XP is the dominant OS, and that IE7 was rolled out through windows update, yes.

    Assuming all users running a system that supported it and IE6 have already switched, it would have 54% according to the numbers I've seen, so yeah, most but not by a lot.

    Irrelevant. The average consumer is running XP, and therefore has IE7.

    No, it isn't irrelevant. A lot of people are on Win2K and MS decided not to support them. Would they have made the same decision if they did not have monopoly control of the market?

    I don't know. But it recognized it, and Firefox didn't. So I fail to see how Microsoft could be blamed in this instance.

    I'm not blaming MS at all, just asking a question and hopefully implying that anecdotal evidence is not particularly useful for making decisions. The point I was making was that MS can do a lot more to stop malware. I showed an example of how they could do so above. Now, I'll hypothesize a reason. MS has no need to respond to customers and give them what they want because they have no competition and, as such, no motivation to do so. I firmly believe that if MS was bro