November 9, 2005

VoIP Security Woes Within SPITTing Distance

By Jim Barthold

Here's this week's mindbender. What do camels, baseball players and hooligans with the potential to disrupt the nascent VoIP business have in common?

SPIT.

Camels, when they can't bite people spit at them. Baseball players, when they're not scratching their crotches, spit. And Internet hooligans, already having wreaked havoc with worms and viruses over IP, move to SPIT – Spam Over Internet Telephony. The more successful VoIP becomes, the more SPIT that'll hit it.

"As VoIP gets rolled out across residential networks this is creating a personal sandbox for potential security enthusiasts to start poking around this new technology, finding issues, finding bugs," said David Endler, the chairman of VoIPSA, an organization formed by vendors and carriers to keep ahead of just that sort of activity.

Almost everyone involved with VoIP security targets SPIT as the logical extension of spam – the garbage that's crammed into our e-mail on an hourly basis. Spam can slow down or destroy an IP network, often causing more than inconvenience when peppered with wormy attachments that are more infected than a chicken with bird flu. SPIT – and here's the really scary part – besides clogging voice mail boxes opens up a backdoor to solicitors who had millions of phone numbers shut off to them, thanks to the Do Not Call Registry.

Cousin Spyware

SPIT is a cousin to another IP aggravation – spyware. Using a script kiddie even a neophyte can download a hacking device from the Internet and use it to gather information from an IP connection. This kind of capability hasn't yet emerged for VoIP, but it's coming, experts say; and the ingenuity of those who wish to disrupt service for malice or personal gain is limitless.

VoIP security guys are finding that what worked to stifle (albeit never stop or control) Internet bandits won't work with VoIP.

"The problem with SPIT is many of the same techniques we use for e-mail can't work. You can't use access control limits. Content filtering? There's no content to filter here," said Seamus Hourihan, vice president of marketing and business development at session border controller vendor Acme Packet. "The call gets sent from a signaling perspective and someone starts to speak and only then will you know that it's somebody you don't want to talk to."

It could even be a spoof; someone who got hold of someone else's IP ID. In the traditional phone world "do not call" lists block unwanted solicitors. VoIP's too new to have those kinds of protections so VoIP phone numbers – when identified as such – are fertile ground. And with automation, it's not even necessary to be on the other line to make the call.

"It will be a big problem," said Hourihan.

The biggest positive is that VoIP has a foundation on which to build. Internet hooliganism was differed from the old attempts to steal phone or cable TV service. It was more malicious and frequently random. It also provided a base on which security experts can build a wall against movement into the VoIP space.

Inherit the Risk

"VoIP networks inherit all the same security risks that today's traditional data networks are plagued with," said VoIPSA's Endler, whose day job is director of security research for 3Com's TippingPoint division.

A VoIP second cousin, Wi-Fi, can also be helpful in the battle against SPIT and other VoIP malevolencies.

"A few years ago everyone jumped on the Wi-Fi bandwagon and in the beginning not a lot of people were worried about privacy; it was really more about convenience," Endler said. "Then, as research was done into the technology and the mass of script kiddies were released … there are tools out there today that let anyone with a laptop download a tool to sniff wireless connection. Those tools didn't exist a few years ago, but it's just a natural progression of technology."

Not all ingenuity is devious, and corrective tools tend to emerge to fill real needs. But it's a sure thing that VoIP security woes won't end with dried-up SPIT.

What comes after SPIT? How about VOMIT – Voice Over Misconfigured Internet Telephones)? But that's a subject for a later time, perhaps to read over the morning breakfast.

-Jim Barthold

Ringback Tones and/or VoIP Quality

One would think that just getting a good, secure VoIP call would be enough. In fact, the security experts who spat out their opinions in this week's lead story would almost certainly support that contention. For BayPackets, an IMS-compliant multi-network voice and data solutions provider for wireless, wireline and cable operators, it's not necessarily so.

The Fremont, Calif.-based vendor has introduced multimedia ringback tones, which let callers use recorded music, sounds or video clips – obviously with video phones – to replace the typical ring or busy sound callers hear when they dial in. "It could be for VoIP. It could be for mobile," said Sanjeev Chawla, BayPackets' CTO. "The media aspects of it would be managed by RealNetworks while we would take care of the softswitches, the whole control aspect of the application."

This, of course, leaves it for phone companies to insert Lily Tomlin's snickering, "We're the phone company," as their ringback tones while cable operators chime in with, "It's the cable guy."

Quality Implications

Ditech Communications, which approaches VoIP from another angle, has made available a Voice Quality Evaluation Program – a new network advisory program – that lets carriers identify and remedy network impairments that affect the sound quality of mobile and voice-over-IP calls, even as the telecom industry struggles to just complete the calls in a timely and efficient manner.

"I call it the crawl, walk and run strategy," said Chalan Aras, vice president of marketing at Ditech. "Right now voice-over-IP is in the crawl pace and just keeping up a call is considered success. That appears to be the benchmark. As voice-over-IP attempts to become more mainstream, quality is becoming an issue."

Ditech is "indirectly working with cable because some of our customers are the peering partners for cable companies." In other words, some of Ditech's non-cable customers might have better quality on their VoIP networks than the cable guys? "The cable networks are a set of constituents that would benefit from our voice-over-IP products," Aras said, making that implication pretty clear.

-Jim Barthold