VoIP Security: When Voice Becomes Data

To understand the significance of voice over IP (VoIP), it’s useful to travel back in time. Specifically, go to 4:45 a.m. on Sunday, Sept. 3, 1967. If you happened to be in a car in Sweden at that moment, you had to stop the car and do nothing for five minutes. Then at 4:50 you had to move your car from the left side of the road to the right, and then stop again. Finally, at 5 a.m., you could proceed, on the right. In those 15 minutes, the entire country changed a 300-year-old custom of Vänstertrafik, left-side driving, to Högertrafik, right-side driving.

In fact Dagen H, or H Day as it was called (the H for Högertrafik), began earlier than 4:45 that morning. It began in 1963, when the Riksdag (Swedish parliament) voted to switch in order to simplify border crossings with right-side-driving Norway, and to reduce accidents associated with Sweden’s use of left-hand-drive cars on the left, which puts the driver at the edge of the road instead of the middle.

It was an epic cultural and infrastructural shift. Sweden created the Högertrafikkommision (HTK) — an entire bureaucracy to manage the massively complex project. Bus stops jumped sides of the street, traffic lights moved, roads got new lines and signs, one-way streets went the other way.

And, of course, people had to figure out how to drive on the right, so an education program started that included psychologists.

Even the day itself was more complex than a 15-minute square dance of Saabs and Volvos. In fact, nonessential vehicles were banned from the roads until 6 a.m., an hour past the official 5 a.m. crossover. Stockholm extended its ban until 3 p.m. A picture taken of a street in Stockholm right before the switch shows vehicles comically strewn across a street, like someone bumped a table full of Matchbox cars. Still, it worked. No fatalities were reported on Dagen H, and over the long term it seemed to have the desired effect, or at least no measurable negative effect, on road safety.

Similar to Dagen H, the changeover from plain old telephone service, POTS, to VoIP will deeply challenge ingrained customs. For 100 years, telecommunications has been carried on a closed proprietary network, highly stable but limited in its applications, and connected to tens of millions of cheap appliances, dumb terminals called phones. A utility.

As voice over IP and voice over the Internet grow, telecom will change to become open and

extensible, capable of supporting limitless new applications, often traversing an insecure and unstable public network and connected to complex and vulnerable multitasking end points called computers. An enterprise.

Unlike Dagen H, though, VoIP is switching over organically, driven by market forces, not a bureaucracy. There is no four-year plan and no education program preceding its rollout. No choreographed crossover on some target date. VoIP is just kind of happening.

This would seem to create security concerns and, yes, VoIP is following IT tradition by being rushed to market before its security implications have been thought through. But this story isn’t another lecture to CSOs and CISOs on the need to secure VoIP. Regardless of how well the protocol is secured, security executives have a far more substantial challenge: mapping the new threat landscape of voice communications when their organizations decide to shift from closed to open, from dedicated to shared, from utility to enterprise.

With VoIP, phone conversations move around the world in the same waysometimes on the same fiber-optic cable — that e-mail, spam, World Cup video highlights, IM conversations and malicious software attacks all move around the world, as little packets of 0s and 1s.

It is a cultural and infrastructural shift as epic as Dagen H. Soon, in a very real way, voice will no longer be voice. It will be data.

“We have this inherent belief of a certain quality of service and security with phones, of what the system can do for us,” says Andrew Graydon, the chair of the VoIP Security Alliance. “Most of that is pure speculation; we don’t know for real, but it doesn’t matter. It’s what people believe.”

Just what people believe, without ever really thinking about it, is quite specific and detailed. People believe that their phone will work, perhaps even in a blackout; that the number they dial will connect to the phone assigned to that number, and the number that caller ID identifies is where that call comes from; that the call is not being surreptitiously recorded; that people taking advantage of the system, like telemarketers, can be controlled; and that breaking into this system is difficult enough to make it an undesirable criminal vector, which in turn pushes vulnerability elsewhere (to, say, computer communications).

People believe all this because of voice communications’ heritage as a utility. That heritage is due in part to regulation of the technology, but also because of the limitations of the analog technology itself. It was analog, copper wires carrying electrical pulses into microphones and out of speakers. It made sense to make it a dedicated, closed network because that’s all it could handle, really.

Today, most of the PSTN, public switched telephone network, is digital, not analog. But the so-called first mile (the part of the connection from home or office phone across tall wooden poles along the street and into a switching office) remains predominantly analog. As long as that’s part of a phone call, some of those inherent beliefs about the security and availability of the phone can remain.

Users of VoIP will have to adjust expectations. Most VoIP or voice over Internet calls completed today sidestep the first (or, if it’s an incoming call, last) mile. In the consumer setting, VoIP comes in two ways, either as a dedicated service over broadband data lines like the cable companies’ coaxial wires, or as an Internet service, such as Skype. In a corporate setting, most VoIP deployments to date have been as internal corporate voice networks. It’s early on, especially in the corporate setting, where customers are starting by using it just as a (potentially) less expensive voice line and easing into the advanced applications VoIP services promise.

Eventually, VoIP phone companies want to eliminate the last mile of POTS that runs into houses and offices to open up a huge potential consumer and business market for VoIP. They want “pure” IP voice for two reasons. One: cost. It’s cheaper for them to carry voice over public and private IP networks than it is to transmit over proprietary networks, so they can charge less. And two: It opens new applications. The open protocols that are used to support a pure VoIP phone call can support countless new services. To get an idea of what kind of services, one can look to the cell phone world where e-mail, Web access, games, photos and video are all getting mashed up with phone calls. A so-called killer app for businesses would be combining voice with documents, collaboration software and presentation materials to get many people located in several places talking and working together. Still

other applications will come, many not yet imagined, all of which promise to generate new revenue.

But that openness and application-rich environment, as the vendors would call it, also mean that all of that inherent, culturally ingrained faith in the phone goes away.

“Dedicated protocols give you control,” says Robert Garigue, chief security executive and VP for information integrity at Bell Canada Enterprises. “The reality of living on open protocols [like IP] is that the complexity is beyond the imagination of the designers. As you extend them, you realize there are new points of concern. We have a baseline service. How it can be extended, plugged in or mashed up to other applications — it’s just the start. The bad guys are going to find new opportunities with VoIP that will turn into business models.”

The deeply philosophical choice to switch voice platforms (though it probably won’t be thought of in such lofty terms as the choice is made) upends a system that was limited to a few manageable concerns that generally required dedicated, knowledgeable attackers to exploit, to one that has innumerable unmanageable risks capable of being exploited by tyros. Threats mitigated easily before on the PSTN suddenly reach new levels of uncertainty: service outages, quality of calls (which could drop to something closer to cell phones rather than landlines), a lack of 911 availability and, worst of all, exploitation of the phone for theft, fraud and other malfeasance. To be sure, these risks existed before. But VoIP makes them harder to control. VoIP opens up voice communications to these risks in two ways. First, VoIP is easier to hack than POTS.

“Once telephony goes over IP, it’s no longer eavesdropping on voice, it’s eavesdropping on data, and that’s so much easier,” says Bruce Schneier, founder and CTO of Counterpane Internet Security. “It’s like the difference between intercepting a handwritten note versus an SMS message. It’s the difference between a letter and an e-mail.”

If you wanted to eavesdrop on an analog phone call, Graydon of the VoIP Security Alliance likes to note, you could. But you’d have to go to your local box store, pick up a box phone, two crocodile clips, a reflective vest and a helmet. Then learn some simple but arcane ways to tap the line. When you scurry up the pole, try not to look too conspicuous. Fake credentials like logos on the helmet help. If you want to eavesdrop on a VoIP call, though, you won’t need to climb a pole. You’ll still need some arcane knowledge to locate the data stream, but once you have that, all you need is a packet sniffer and software that converts the data into a WAV audio file (tools like Cain & Abel, a software program that can locate and record VoIP streams, are freely available on the Internet). Think of virtually any

threat to data, whether it’s malicious, accidental or a nuisance, and it will threaten VoIP in a way that it couldn’t have easily threatened POTS. For example:

” Good old-fashioned power failures.

” Denial-of-service attacks and other nonmalicious network congestion that affects phone availability. Especially problematic if firewalls can’t recognize voice traffic as distinct and requiring a higher quality of service, which immediately and severely disrupts voice availability.

” Eavesdropping and wiretapping. Used to log voice and keyed-in data, such as account numbers.

” Spoofing. Used in VoIP phishing, where a call will be ID’d as from your bank but is really being collected by baddies (doubly bad since it’s a hack that preys on our inherent trust of the phone

network; where most people have learned to distrust e-mail, the same is not true for the phone).

” Viruses and bots. Used to either destroy data or the device or to co-opt the phone into some other activity such as toll fraudcharging toll calls to other numbers, which Graydon says is “a lot easier on VoIP than the PSTN.” It will be easier to place these viruses and bots into telephony because of the mix of devices interacting with the VoIP networks such as phones, cell phones, BlackBerrys, computers and whatever other potentially vulnerable or infected application data happens to be on the network.

The second form of risk is that with VoIP, there are simply more threats to exploit than there are on the phone. The openness — of protocols like IP and of infrastructure like the Internet’s — that makes VoIP application-rich also makes it unimaginably hard to control, since it’s open to everyone, including those who want to exploit it. As anyone who uses e-mail will tell you, along with the good — instant, cheap communications — you have to accept the bad — spam and malware. Bringing more applications to voice may increase its power and usefulness but it also opens up more threats, and that has to be balanced against the potential gains in productivity or efficiency.

New threats include:

” SPIT, or spam over Internet telephony. An offshore alternative to telemarketing that could

sidestep the national Do Not Call Registry. Graydon notes that a computer overseas could deliver 20,000 phone calls with a recorded sales pitch in five seconds.

” Logging. Privacy concerns abound for a technology that’s far easier to capture, log and

mine (maliciously or as a marketing tool) than analog voice.

” Unsanctioned use. Internet voice services, such as Skype, can be downloaded and used by individuals as easily as an instant messenger, introducing all the threats of Internet voice without any of the controls.

” More computers. Advanced voice applications require advanced phones, and VoIP phones are essentially small computers. “IP phones are trickier than PBX digital phones,” says Bob Litterer, information security manager at Genzyme, noting that IP phones constitute an additional burden to the telecom administrators who must adequately provision and configure network resources and maintain IP phone firmware and software. “They require specific VLAN [virtual LAN] tagging in DHCP scopes, require tricky firmware upgrades, and they can crash at inconvenient times.” In other words, they’re as reliable (and risky) as PCs, not phones.

As a corollary to the problem of unlimited applications, combining voice and data on a single network creates a new opportunity for blended threats. That is, attackers can infiltrate voice through applications that previously weren’t connected to voice, and the other way around. They can use voice to get to the applications. A simple example is using a corporate presentation being shared over a VoIP system as an attack vector.

If all of this seems like doomsaying, consider that most of the above threats have already emerged in the real world, despite the fact that VoIP and voice over Internet are technological infants. One vendor documented four cases of VoIP phishing in which caller ID identifies the call as from your bank and the recorded message asks you to punch in account information, which is logged. (That vendor also sells anti-phishing software, so take its “research” with a grain of salt.) Vonage, a VoIP vendor, provided a notorious early proof of concept of VoIP spam when it planted in its customers’ voice mails a prerecorded advertisement for its upcoming IPO.

But the most notorious case of VoIP’s fallibility yet to come to light involved spoofing. A Florida man named Edwin Pena allegedly paid a hacker in Washington state $20,000 to exploit router vulnerabilities so he could spoof VoIP providers. Federal prosecutors allege Pena stole minutes of service — 10 million in total — and resold them at cut rates for pure profit, which turned out to be hundreds of thousands of dollars.

The type of attack used in the scheme was a “brute force” scan for router vulnerabilities, a simple old hack in the data world that’s not capable of affecting the PSTN. Is that because the PSTN is technically more secure? Not necessarily. “PSTN switches are all based on the same system as IP routers and switches,” Graydon says. “All that’s happened is we ourselves have more access to the routers and switches in the IP world.”

You’d be forgiven for thinking, “Here we go again.” The tech industry, notorious for rushing to market with “revolutionary” products only to have their lack of security and stability embarrassingly exploited, looks like it has just another case of putting the revenue cart before the security horse. (And then selling more products to secure the original product, at an additional cost: Already vendors are

marketing anti-SPIT software, VoIP firewalls, and VoIP monitoring and management software. These

costs will eat into any savings the VoIP offers over traditional phone service and add a layer of

complexity.) “It’s extremely frustrating,” Graydon says. “You sit there and go, ‘Guys, you’re doing it

again. Did you not learn the last time?'”

Only this time, the stakes are higher. If, say, instant messaging was rushed to satisfy market

demand without being properly secured or having its threats understood, that wasn’t good. But what

were the expectations and assumptions about chat’s security in the first place? Probably limited. With

voice, there are those culturally ingrained expectations. We even have a name for it: Dial-tone

reliability. Voice can’t fail, we’ve come to expect that, and yet here’s a technology rushing to market

that, so far, can’t meet the expectation.

In a sense, vendors offering VoIP service are pushing a cake-and-eat-it-too agenda. They want

voice to have the power of data with the security of POTS, even if such a platform doesn’t yet exist. So

they’re left selling voice as another data type but also acknowledging that voice is special. “I say voice is

not data,” says Lawrence Dobranski, the leader of product security architecture in the office of the CTO

at Nortel. “From a risk management perspective it has to be thought of differently. We’re sharing voice

on data infrastructure, and that means the threat landscape is opened.” That’s a core point of this story.

“People bring an awful lot of expectations with voice. We have to make sure we get the security of VoIP

right, and that won’t be easy; that will be difficult.”

Gus de los Reyes, a technology consultant for AT&T Labs developing security capabilities for

VoIP services, is more sanguine. De los Reyes says he and the other AT&T Labs technology experts

can prevent his company’s VoIP products from going to market if he feels a security control isn’t ready,

and he says he’s done that. He has the power to control the rush to market, so he doesn’t even see a

rush to market. “There’s a much greater awareness with VoIP than there was with things like e-mail.

Maybe too much awareness. People don’t want to make the same mistakes with VoIP.”

But it appears they are, as demonstrated by Pena’s alleged scheme, which involved no fewer than

15 VoIP companies, startups without the kinds of controls in place that an old telecom company like

AT&T might have, and the emergence of all the other datalike threats to voice that VoIP has

enabled.

De los Reyes does eventually acknowledge that some companies will rush to market, but that’s only

to sate demand coming from those who aren’t considering the risks up front. For, none of this would be

an issue if companies and individuals thought about the full threat landscape and the costs and risks

associated with that, instead of getting sucked in by the pure per-minute cost savings and neat

applications VoIP offers. “If security says you can’t do something, people just go around it,” he says.

“Users are going to do what they’re going to do, so we have to secure what they do. It’s gonna happen.

You can’t stop the flood of technology.”

That might be true, but you could hope to contain it. After all, Sweden didn’t just let people switch

to Högertrafik whenever and wherever it suited them. Imagine if it had. In fact, the one thing that

has prevented the new voice services from really flying out of control is the PSTN. In many cases the old

copper that remains in the first mile of phone connections has at least slowed the proliferation of VoIP,

both its great potential and its great threat.

If you’re focused on VoIP’s potential, then POTS is the last obstacle before a voice communications

revolution. If you’re focused on the threat, then the century-old analog technology has become, of all

things, a security control.

Reach Senior Editor Scott Berinato at sberinato@cxo.com

a>.