To understand the significance of voice over IP (VoIP), it's useful to travel back in time. Specifically, go to 4:45 a.m. on Sunday, Sept. 3, 1967. If you happened to be in a car in Sweden at that moment, you had to stop the car and do nothing for five minutes. Then at 4:50 you had to move your car from the left side of the road to the right, and then stop again. Finally, at 5 a.m., you could proceed, on the right. In those 15 minutes, the entire country changed a 300-year-old custom of Vänstertrafik, left-side driving, to Högertrafik, right-side driving.
In fact Dagen H, or H Day as it was called (the H for Högertrafik), began earlier than 4:45 that morning. It began in 1963, when the Riksdag (Swedish parliament) voted to switch in order to simplify border crossings with right-side-driving Norway, and to reduce accidents associated with Sweden's use of left-hand-drive cars on the left, which puts the driver at the edge of the road instead of the middle.
It was an epic cultural and infrastructural shift. Sweden created the Högertrafikkommision (HTK) — an entire bureaucracy to manage the massively complex project. Bus stops jumped sides of the street, traffic lights moved, roads got new lines and signs, one-way streets went the other way.
And, of course, people had to figure out how to drive on the right, so an education program started that included psychologists.
Even the day itself was more complex than a 15-minute square dance of Saabs and Volvos. In fact, nonessential vehicles were banned from the roads until 6 a.m., an hour past the official 5 a.m. crossover. Stockholm extended its ban until 3 p.m. A picture taken of a street in Stockholm right before the switch shows vehicles comically strewn across a street, like someone bumped a table full of Matchbox cars. Still, it worked. No fatalities were reported on Dagen H, and over the long term it seemed to have the desired effect, or at least no measurable negative effect, on road safety.
Similar to Dagen H, the changeover from plain old telephone service, POTS, to VoIP will deeply challenge ingrained customs. For 100 years, telecommunications has been carried on a closed proprietary network, highly stable but limited in its applications, and connected to tens of millions of cheap appliances, dumb terminals called phones. A utility.
As voice over IP and voice over the Internet grow, telecom will change to become open and extensible, capable of supporting limitless new applications, often traversing an insecure and unstable public network and connected to complex and vulnerable multitasking end points called computers. An enterprise.
Unlike Dagen H, though, VoIP is switching over organically, driven by market forces, not a bureaucracy. There is no four-year plan and no education program preceding its rollout. No choreographed crossover on some target date. VoIP is just kind of happening.
This would seem to create security concerns and, yes, VoIP is following IT tradition by being rushed to market before its security implications have been thought through. But this story isn't another lecture to CSOs and CISOs on the need to secure VoIP. Regardless of how well the protocol is secured, security executives have a far more substantial challenge: mapping the new threat landscape of voice communications when their organizations decide to shift from closed to open, from dedicated to shared, from utility to enterprise.
With VoIP, phone conversations move around the world in the same way
It is a cultural and infrastructural shift as epic as Dagen H. Soon, in a very real way, voice will no longer be voice. It will be data.
"We have this inherent belief of a certain quality of service and security with phones, of what the system can do for us," says Andrew Graydon, the chair of the VoIP Security Alliance. "Most of that is pure speculation; we don't know for real, but it doesn't matter. It's what people believe."
Just what people believe, without ever really thinking about it, is quite specific and detailed. People believe that their phone will work, perhaps even in a blackout; that the number they dial will connect to the phone assigned to that number, and the number that caller ID identifies is where that call comes from; that the call is not being surreptitiously recorded; that people taking advantage of the system, like telemarketers, can be controlled; and that breaking into this system is difficult enough to make it an undesirable criminal vector, which in turn pushes vulnerability elsewhere (to, say, computer communications).
People believe all this because of voice communications' heritage as a utility. That heritage is due in part to regulation of the technology, but also because of the limitations of the analog technology itself. It was analog, copper wires carrying electrical pulses into microphones and out of speakers. It made sense to make it a dedicated, closed network because that's all it could handle, really.
Today, most of the PSTN, public switched telephone network, is digital, not analog. But the so-called first mile (the part of the connection from home or office phone across tall wooden poles along the street and into a switching office) remains predominantly analog. As long as that's part of a phone call, some of those inherent beliefs about the security and availability of the phone can remain.
Users of VoIP will have to adjust expectations. Most VoIP or voice over Internet calls completed today sidestep the first (or, if it's an incoming call, last) mile. In the consumer setting, VoIP comes in two ways, either as a dedicated service over broadband data lines like the cable companies' coaxial wires, or as an Internet service, such as Skype. In a corporate setting, most VoIP deployments to date have been as internal corporate voice networks. It's early on, especially in the corporate setting, where customers are starting by using it just as a (potentially) less expensive voice line and easing into the advanced applications VoIP services promise.
Eventually, VoIP phone companies want to eliminate the last mile of POTS that runs into houses and offices to open up a huge potential consumer and business market for VoIP. They want "pure" IP voice for two reasons. One: cost. It's cheaper for them to carry voice over public and private IP networks than it is to transmit over proprietary networks, so they can charge less. And two: It opens new applications. The open protocols that are used to support a pure VoIP phone call can support countless new services. To get an idea of what kind of services, one can look to the cell phone world where e-mail, Web access, games, photos and video are all getting mashed up with phone calls. A so-called killer app for businesses would be combining voice with documents, collaboration software and presentation materials to get many people located in several places talking and working together. Still other applications will come, many not yet imagined, all of which promise to generate new revenue.
But that openness and application-rich environment, as the vendors would call it, also mean that all of that inherent, culturally ingrained faith in the phone goes away.
"Dedicated protocols give you control," says Robert Garigue, chief security executive and VP for information integrity at Bell Canada Enterprises. "The reality of living on open protocols [like IP] is that the complexity is beyond the imagination of the designers. As you extend them, you realize there are new points of concern. We have a baseline service. How it can be extended, plugged in or mashed up to other applications — it's just the start. The bad guys are going to find new opportunities with VoIP that will turn into business models."
The deeply philosophical choice to switch voice platforms (though it probably won't be thought of in such lofty terms as the choice is made) upends a system that was limited to a few manageable concerns that generally required dedicated, knowledgeable attackers to exploit, to one that has innumerable unmanageable risks capable of being exploited by tyros. Threats mitigated easily before on the PSTN suddenly reach new levels of uncertainty: service outages, quality of calls (which could drop to something closer to cell phones rather than landlines), a lack of 911 availability and, worst of all, exploitation of the phone for theft, fraud and other malfeasance. To be sure, these risks existed before. But VoIP makes them harder to control. VoIP opens up voice communications to these risks in two ways. First, VoIP is easier to hack than POTS.
"Once telephony goes over IP, it's no longer eavesdropping on voice, it's eavesdropping on data, and that's so much easier," says Bruce Schneier, founder and CTO of Counterpane Internet Security. "It's like the difference between intercepting a handwritten note versus an SMS message. It's the difference between a letter and an e-mail."
If you wanted to eavesdrop on an analog phone call, Graydon of the VoIP Security Alliance likes to note, you could. But you'd have to go to your local box store, pick up a box phone, two crocodile clips, a reflective vest and a helmet. Then learn some simple but arcane ways to tap the line. When you scurry up the pole, try not to look too conspicuous. Fake credentials like logos on the helmet help. If you want to eavesdrop on a VoIP call, though, you won't need to climb a pole. You'll still need some arcane knowledge to locate the data stream, but once you have that, all you need is a packet sniffer and software that converts the data into a WAV audio file (tools like Cain & Abel, a software program that can locate and record VoIP streams, are freely available on the Internet). Think of virtually any threat to data, whether it's malicious, accidental or a nuisance, and it will threaten VoIP in a way that it couldn't have easily threatened POTS. For example:
• Good old-fashioned power failures.
• Denial-of-service attacks and other nonmalicious network congestion that affects phone availability. Especially problematic if firewalls can't recognize voice traffic as distinct and requiring a higher quality of service, which immediately and severely disrupts voice availability.
• Eavesdropping and wiretapping. Used to log voice and keyed-in data, such as account numbers.
• Spoofing. Used in VoIP phishing, where a call will be ID'd as from your bank but is really being collected by baddies (doubly bad since it's a hack that preys on our inherent trust of the phone network; where most people have learned to distrust e-mail, the same is not true for the phone).
• Viruses and bots. Used to either destroy data or the device or to co-opt the phone into some other activity such as toll fraud.
The second form of risk is that with VoIP, there are simply more threats to exploit than there are on the phone. The openness — of protocols like IP and of infrastructure like the Internet's — that makes VoIP application-rich also makes it unimaginably hard to control, since it's open to everyone, including those who want to exploit it. As anyone who uses e-mail will tell you, along with the good — instant, cheap communications — you have to accept the bad — spam and malware. Bringing more applications to voice may increase its power and usefulness but it also opens up more threats, and that has to be balanced against the potential gains in productivity or efficiency.
New threats include:
• SPIT, or spam over Internet telephony. An offshore alternative to telemarketing that could sidestep the national Do Not Call Registry. Graydon notes that a computer overseas could deliver 20,000 phone calls with a recorded sales pitch in five seconds.
• Logging. Privacy concerns abound for a technology that's far easier to capture, log and mine (maliciously or as a marketing tool) than analog voice.
• Unsanctioned use. Internet voice services, such as Skype, can be downloaded and used by individuals as easily as an instant messenger, introducing all the threats of Internet voice without any of the controls.
• More computers. Advanced voice applications require advanced phones, and VoIP phones are essentially small computers. "IP phones are trickier than PBX digital phones," says Bob Litterer, information security manager at Genzyme, noting that IP phones constitute an additional burden to the telecom administrators who must adequately provision and configure network resources and maintain IP phone firmware and software. "They require specific VLAN [virtual LAN] tagging in DHCP scopes, require tricky firmware upgrades, and they can crash at inconvenient times." In other words, they're as reliable (and risky) as PCs, not phones.