Slashdot Mirror


Voice Over IP Under Threat?

An anonymous reader writes "The IT Observer is discussing the possible scary future of Voice over IP targeted viruses, and what that could mean for the consumer. The article discusses the likelihood that VoIP is going to become even more popular, and the damage that a targeted 'flash virus' could perpetrate in a very short amount of time. From the article: 'Let's imagine a scenario that could become commonplace in the near future: A user has an IP telephony system on his computer (both at home and at work). In his address book on the computer there is an entry, under the name Bank, with the number 123-45-67. Now, a hacker launches a mass-mailing attack on thousands or millions of email addresses using code that simply enters users' address books and modifies any entry under the name Bank to 987-65-43. ... If any of these users receives a message saying that there is a problem in their account, and asking them to call their bank (a typical phishing strategy), they may not be suspicious, as they are not clicking on a link in an email ... If they use their VoIP system to call the bank, they will be calling the modified number, where a friendly automated system will record all their details.'"

15 of 148 comments

  1. The problem of telephony + the Internet... by Ingolfke · · Score: 4, Funny

    is that people will call you up during your dinner to tell you that your long-lost uncle's oil wealth is available to you in Madagascar or about the wonders of this new herbal male health pill.

    1. Re:The problem of telephony + the Internet... by HugePedlar · · Score: 3, Interesting

      I wonder if VOIP might solve this to some extent. After all, with Asterisk or similar, the home user can set up an "Auto-Attendant", or menu system to filter calls that get through. Perhaps even some form of voice recognition (recognising people's voices in your address book, or, controversially, an Indian accent) might become common. I suspect VOIP will make the telemarketers' jobs harder in the end.

      --
      Argh.
    2. Re:The problem of telephony + the Internet... by arivanov · · Score: 4, Insightful

      Exactly.

      I have been doing it for a while now (need to clean the code for the AGI plugin and post it). For my incoming phone lines I have scheduled times when the phone does not ring, when it rings only in my office for known callerIDs or when it rings for everyone who has not withheld their callerid. Trivial to do with Asterisk+perl-AGI and quite a bit more powerful compared to the default autoattendant.

      The article brands all VOIP to be Skypelike (and vice versa). VOIP is not just PC based systems and this attack currently applies only to PC based systems. In addition to that it is limited to a specific VOIP system. A valid Skype attack is not applicable to Yahoo, MSN, SIP phones, etc.

      Things may change in the future when integrated contact management and click-to-dial become commonplace. This is not common enough now and can be found only on PHB/Sales laptops so it is not yet an attack vector that is worth mentioning. By the way, this will apply to any phone system that has click to dial, not just VOIP. Now having Outlook+VOIP worm - that is a scary thought...

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
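
The schedule-plus-caller-ID policy described in the comment above, sketched as an Asterisk AGI script. This is an added example, not the poster's plugin and not part of the thread; it is written in Python rather than Perl, and the time windows, caller IDs, mailbox and `SIP/office` / `SIP/home` device names are assumptions.

```python
import sys
from datetime import datetime, time

# Assumed policy values for illustration; none come from the original post.
KNOWN_CALLERS = {"5550100", "5550101"}            # constructed caller IDs
QUIET = (time(22, 0), time(7, 0))                 # phone does not ring
OFFICE = (time(9, 0), time(18, 0))                # office only, known callers only
WITHHELD = {"", "unknown", "anonymous", "private"}
VOICEMAIL = "EXEC VoiceMail 100@default"          # hypothetical mailbox

def in_window(now, window):
    start, end = window
    if start <= end:
        return start <= now < end
    return now >= start or now < end              # window wraps past midnight

def parse_agi_env(lines):
    """Parse the 'agi_key: value' header Asterisk writes to stdin, up to the blank line."""
    env = {}
    for line in lines:
        line = line.strip()
        if not line:
            break
        key, _, value = line.partition(":")
        env[key.strip()] = value.strip()
    return env

def decide(env, now):
    """Return the AGI command for this call. Caller ID is sender-supplied and can be
    spoofed, so this is a nuisance filter, not caller authentication."""
    cid = env.get("agi_callerid", "").lower()
    if in_window(now, QUIET):
        return VOICEMAIL
    if in_window(now, OFFICE):
        return "EXEC Dial SIP/office,20" if cid in KNOWN_CALLERS else VOICEMAIL
    if cid in WITHHELD:
        return VOICEMAIL
    return "EXEC Dial SIP/home&SIP/office,20"

if __name__ == "__main__":
    env = parse_agi_env(sys.stdin)
    sys.stdout.write(decide(env, datetime.now().time()) + "\n")
    sys.stdout.flush()
```
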
    3. Re:The problem of telephony + the Internet... by tehcyder · · Score: 3, Funny
      "Perhaps even some form of voice recognition (recognising people's voices in your address book, or, controversially, an Indian accent) might become common."
      So you'd set up a filter especially to recognise and let through any caller with an Indian accent? That's a fine example of multi-cultural tolerance, it makes such a change from the usual racism on Slashdot. Well done sir!
      --
      To have a right to do a thing is not at all the same as to be right in doing it
  2. Logical progression by CommunistHamster · · Score: 5, Insightful

    This seems a logical progression of phishing, but it's hardly going to be a large impediment to the adoption of VOIP. Phishing hasn't dissuaded people from using email.

  3. And that's why... by AltGrendel · · Score: 3, Interesting
    ...I'm still using copper. I know that this will work itself out, that the technology will improve, etc., etc. but until it does, I'm going to stay away from it. For me, it doesn't make sense to be an early adopter of VoIP.

    But that's just my opinion.

    --
    The simple truth is that interstellar distances will not fit into the human imagination

    - Douglas Adams

    1. Re:And that's why... by walt-sjc · · Score: 5, Insightful

      Oh yeah - one more thing - who does the author of this article work for? Hmm. Panda. What do they do? Antivirus and security software. Self serving FUD is what this is.

  4. VoIP-Spam is another threat by Rastignac · · Score: 3, Insightful

    Spam in my inbox is painful. Spam using VoIP will be very, very painful.
    VoIP will be cheap enough for spammers, and easy to handle by spamrobots...

    --
    -- Rastignac was here.
  5. Why would this threaten VoIP? by Raistlin77 · · Score: 5, Insightful

    I would say there are likely far more people who use regular landlines and cell phones and don't use VoIP, but that do still maintain phone books on their computers. If they call with their regular phone, the same will occur. Why drag VoIP into the cross-hairs alone?

  6. VERY UNLIKELY, see why... by crazyjeremy · · Score: 3, Insightful
    This seems to be a misleading article. Most phishing techniques do not use elaborate setups as suggested. They use very simple techniques. Oddly enough, the article author seems to agree.
    "Evidently, this would require a large degree of innovation, research and development on the part of the creators of malicious code, and I genuinely doubt that they would bother."
    The potential scenario quoted in the post is so far-fetched, it's doubtful anyone will ever pull it off. It involves hacking their VoIP system, home computer (and address book), a mass-mailing spam which happens to also include the email address of the hacked computer, user intervention (they must read the spam and respond), and the hacker must also have a good enough radio voice to fool the homeowner into thinking he's actually calling his real bank. Don't know about you, but we're not too afraid of this possible Voice over IP threat.
  7. Not Unique to VOIP by mmurphy000 · · Score: 3, Informative

    Changing phone numbers in an address book isn't unique to VOIP. A virus could scan Outlook and other common address book systems and change phone numbers, whether VOIP or not. Since most people don't have their bank phone numbers memorized, they'll assume that the address book entry is correct. Even if they use a non-VOIP phone, the phishing attack can work.

    Now, a VOIP system might have an integrated address-book/speed-dial system that could also be attacked. But otherwise, I don't see where this is unique to VOIP.
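
A defensive check for the address-book tampering discussed in the summary and in the comment above: compare an exported address book against numbers pinned from a trusted source (a bank card or statement) and report any entry that has gained a different number. This is an added example, not part of the thread; the vCard export, the `PINNED` table and the function names are assumptions, and the sample numbers are the ones used in the article's scenario.

```python
import re

# Known-good numbers taken from a trusted source; constructed for illustration.
PINNED = {"Bank": ["123-45-67"]}

# Constructed sample export showing the modification the article describes.
SAMPLE_TAMPERED = """BEGIN:VCARD
VERSION:3.0
FN:Bank
TEL;TYPE=WORK:987-65-43
END:VCARD
"""

def normalise(number):
    """Keep digits and a leading '+', so formatting changes are not flagged."""
    return re.sub(r"[^\d+]", "", number)

def parse_vcards(text):
    """Return {display name: set of normalised numbers} from vCard text."""
    book, name, tels = {}, None, set()
    for raw in text.splitlines():
        line = raw.strip()
        if line.upper() == "BEGIN:VCARD":
            name, tels = None, set()
        elif re.match(r"FN[;:]", line, re.I):
            name = line.partition(":")[2].strip()
        elif re.match(r"TEL[;:]", line, re.I):
            tels.add(normalise(line.partition(":")[2]))
        elif line.upper() == "END:VCARD" and name:
            book.setdefault(name, set()).update(tels)
    return book

def audit(pinned, book):
    """List (name, unexpected numbers) for pinned contacts whose entry has drifted."""
    findings = []
    for name, good in pinned.items():
        allowed = {normalise(n) for n in good}
        rogue = sorted(book.get(name, set()) - allowed)
        if rogue:
            findings.append((name, rogue))
    return findings

if __name__ == "__main__":
    for name, rogue in audit(PINNED, parse_vcards(SAMPLE_TAMPERED)):
        print(f"ALERT: '{name}' now lists unpinned number(s): {', '.join(rogue)}")
```

Names are matched exactly, so a renamed entry or a newly added look-alike contact is outside what this check covers.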

  8. Dr. Weird had it right after all by Sneakernets · · Score: 4, Funny

    "Steve... send the PHONE SPIDERS."

    --
    "No freeman shall ever be debarred the use of arms." -- Thomas Jefferson
  9. Re:You could just stop using Windows... by solevita · · Score: 5, Insightful

    I've seen this argument crop up regularly on /. recently, but that doesn't make it a good one. Why? Well, let's extend your argument to its logical conclusion - not only should we all use different operating systems, web browsers, CPU architectures, but we should all also use different file formats, standards and networking protocols.

    I'll never get caught by a phishing scam because my web browser doesn't support the HTML used on fake-paypal.com and I can't even connect to it anyway because I'm using a brand of TCP/IP used only by myself and a handful of /. geeks.

    Call me crazy, but I want to work on something that I can easily share with my colleagues - I want the most open digital environment I can get.

    I refuse to accept that lazy/poor programmers can excuse the security holes in their products by claiming that everyone should be aiming for security through obscurity. Let's stop blaming Windows/Internet Explorer users for the insecurity of the products they use. Security through diversity is just renamed security through obscurity; it's no security at all.

  10. Maybe a FUTURE problem by Opportunist · · Score: 3, Interesting

    Let's face it, who's the prime target for phishing? Joe Average Users. "We" (as in, people who enjoy technology as a pastime more than just a tool) know about such problems, and we know how to deal with them. I have still never heard of a 'clued' person becoming a phishing target. We certainly don't answer to mails akin to "Hi, I'm your Bank, please send me all your details in reply or your account will be frozen", and we usually routinely check for unwanted BHOs and tasks, and we certainly run up to date AV software (or at least have another reason to assume with some sort of faith that we are not infected).

    In short, we know the threat. And we're also the ones who use VOIP predominantly, aside of companies (who better have someone like us as their IT-security person there). Auntie Mable and Joe Hicksberger won't switch to VOIP any time soon.

    So personally, I'd rate THAT threat low. At least for now.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  11. Re:You could just stop using Windows... by planetmn · · Score: 4, Interesting

    WTF?

    Now, I understand in the Slashdot world, anything that pokes at Microsoft and Windows is instantly thought of as insightful and true, but what the hell does this problem have to do with Microsoft? This problem exists because of social habits of human beings. Most phishing scams work only when there is action taken by a victim that is either uncaring, or doesn't know better.

    I recently received a phishing scam email from somebody purporting to be Wells Fargo Bank. First clue is obvious, I don't have an account with them, but I was curious. So I clicked the link in Firefox. The site comes up, looks similar to the real Wells Fargo site, but has a completely non-legitimate URL. So then I clicked the link in IE7. Guess what, IE7 knew it was a phishing site.

    So in my above example, Microsoft was not at fault, in fact, they were proactive enough to protect the user. Stop blaming third parties for what amounts to human error. And if you think OS diversity would help the problem, you are wrong. People react the same way to phishing scams regardless of OS.

    And your suggestions are absolutely insane. One thing that computing monoculture brings is a standard implementation. How would the average consumer react if they were told "this software won't work on this OS" or worse "this software only works on certain flavors of Linux, but not yours". The reason the PC grew so quickly was the ability to choose between different software and hardware easily, and be sure of compatibility. Sure, niche markets existed, such as the Mac, but the PC was much more extensible and much more desirable.

    -dave

    --
    /., where "Apple and Google provide Iran with nukes" will be refuted with "But Microsoft is a convicted monopolist"