VoIP Security: When Voice Becomes Data

With voice over IP picking up speed, CSOs face the challenge of navigating an entirely new security threat landscape for the phone system


As a corollary to the problem of unlimited applications, combining voice and data on a single network creates a new opportunity for blended threats. That is, attackers can infiltrate voice through applications that previously weren't connected to voice, and the other way around. They can use voice to get to the applications. A simple example is using a corporate presentation being shared over a VoIP system as an attack vector.

If all of this seems like doomsaying, consider that most of the above threats have already emerged in the real world, despite the fact that VoIP and voice over Internet are technological infants. One vendor documented four cases of VoIP phishing in which caller ID identifies the call as from your bank and the recorded message asks you to punch in account information, which is logged. (That vendor also sells anti-phishing software, so take its "research" with a grain of salt.) Vonage, a VoIP vendor, provided a notorious early proof of concept of VoIP spam when it planted in its customers' voice mails a prerecorded advertisement for its upcoming IPO.

But the most notorious case of VoIP's fallibility yet to come to light involved spoofing. A Florida man named Edwin Pena allegedly paid a hacker in Washington state $20,000 to exploit router vulnerabilities so he could spoof VoIP providers. Federal prosecutors allege Pena stole minutes of service — 10 million in total — and resold them at cut rates for pure profit, which turned out to be hundreds of thousands of dollars.

The type of attack used in the scheme was a "brute force" scan for router vulnerabilities, a simple old hack in the data world that's not capable of affecting the PSTN. Is that because the PSTN is technically more secure? Not necessarily. "PSTN switches are all based on the same system as IP routers and switches," Graydon says. "All that's happened is we ourselves have more access to the routers and switches in the IP world."

You'd be forgiven for thinking, "Here we go again." The tech industry, notorious for rushing to market with "revolutionary" products only to have their lack of security and stability embarrassingly exploited, looks like it has just another case of putting the revenue cart before the security horse. (And then selling more products to secure the original product, at an additional cost: Already vendors are marketing anti-SPIT software, VoIP firewalls, and VoIP monitoring and management software. These costs will eat into any savings VoIP offers over traditional phone service and add a layer of complexity.) "It's extremely frustrating," Graydon says. "You sit there and go, 'Guys, you're doing it again. Did you not learn the last time?'"

Only this time, the stakes are higher. If, say, instant messaging was rushed to satisfy market demand without being properly secured or having its threats understood, that wasn't good. But what were the expectations and assumptions about chat's security in the first place? Probably limited. With voice, there are those culturally ingrained expectations. We even have a name for it: dial-tone reliability. Voice can't fail, we've come to expect that, and yet here's a technology rushing to market that, so far, can't meet the expectation.

In a sense, vendors offering VoIP service are pushing a cake-and-eat-it-too agenda. They want voice to have the power of data with the security of POTS, even if such a platform doesn't yet exist. So they're left selling voice as another data type but also acknowledging that voice is special. "I say voice is not data," says Lawrence Dobranski, the leader of product security architecture in the office of the CTO at Nortel. "From a risk management perspective it has to be thought of differently. We're sharing voice on data infrastructure, and that means the threat landscape is opened." That's a core point of this story. "People bring an awful lot of expectations with voice. We have to make sure we get the security of VoIP right, and that won't be easy; that will be difficult."

Gus de los Reyes, a technology consultant for AT&T Labs developing security capabilities for VoIP services, is more sanguine. De los Reyes says he and the other AT&T Labs technology experts can prevent his company's VoIP products from going to market if he feels a security control isn't ready, and he says he's done that. He has the power to control the rush to market, so he doesn't even see a rush to market. "There's a much greater awareness with VoIP than there was with things like e-mail. Maybe too much awareness. People don't want to make the same mistakes with VoIP."

But it appears they are, as demonstrated by Pena's alleged scheme, which involved no fewer than 15 VoIP companies, startups without the kinds of controls in place that an old telecom company like AT&T might have, and the emergence of all the other datalike threats to voice that VoIP has enabled.

De los Reyes does eventually acknowledge that some companies will rush to market, but that's only to sate demand coming from those who aren't considering the risks up front. For none of this would be an issue if companies and individuals thought about the full threat landscape and the costs and risks associated with it, instead of getting sucked in by the pure per-minute cost savings and neat applications VoIP offers. "If security says you can't do something, people just go around it," he says. "Users are going to do what they're going to do, so we have to secure what they do. It's gonna happen. You can't stop the flood of technology."

That might be true, but you could hope to contain it. After all, Sweden didn't just let people switch to Högertrafik whenever and wherever it suited them. Imagine if it had. In fact, the one thing that has prevented the new voice services from really flying out of control is the PSTN. In many cases the old copper that remains in the first mile of phone connections has at least slowed the proliferation of VoIP, both its great potential and its great threat.

If you're focused on VoIP's potential, then POTS is the last obstacle before a voice communications revolution. If you're focused on the threat, then the century-old analog technology has become, of all things, a security control.

Reach Senior Editor Scott Berinato at sberinato@cxo.com


Copyright © 2006 IDG Communications, Inc.
