Why your VoIP security efforts should start sooner rather than later.
Robert Poe on December 5, 2007
It's a blame game waiting to happen. Networks and services are vulnerable. Hacking tools are plentiful and increasing. User numbers are growing large enough to be inviting. It adds up to one certainty: Significant VoIP attacks will happen, and probably sooner rather than later. The only real question is whether the necessary preventive measures will come before or after the attacks do major damage to individuals, companies and careers.
Sachin Joglekar, vulnerability research lead at Sipera Systems Inc.'s VIPER Lab, said that hackers have plenty of interest in VoIP. He noted, for example, that the VoIP Security Alliance's Web site lists a number of tools freely available on the Internet that allow attacks of various types on VoIP networks and services. One, called Vomit, loads on a laptop and lets it emulate a wifi hotspot. An intruder thus equipped can sit at a coffee shop and capture VoIP conversations from wifi-enabled laptops or smartphones nearby. People wouldn't be developing and distributing such tools if other people didn't want to use them, Joglekar claimed.
In fact, VoIP will soon be irresistible to attackers, if it isn't already. Research firm TeleGeography forecasts that the number of consumer VoIP subscribers in the United States alone will reach 15.2 million by the end of 2007, representing approximately 13 percent of U.S. households, and will rise to some 25 million by the end of 2011. Europe will be even more inviting, with total consumer subscribers increasing from 29.9 million at the end of 2007 to 61 million, or 40 percent of total households, by the end of 2011. ABI Research projects 1.2 billion VoIP users of all types worldwide in 2012.
Big numbers, of course, always make for attractive targets. Hackers prefer Windows computers, Joglekar observed, for one reason: There are more of them. Indeed, a recent McAfee Inc. report predicted that VoIP attacks would double in 2008.
The attacks could come in a variety of forms. DoS (denial of service) assaults, although possible, would likely prove the least profitable to professional intruders, because all they could do is stop organizations or individuals from using their phones. That's not to say they won't happen: DoS attacks do, after all, have a distinguished history as an extortion method, as they can force companies to pay money to stop the attacks.
VoIP eavesdropping could prove lucrative for attackers who knew what to listen for. But the most valuable secrets are in large corporations, which typically use VoIP networks with substantial security protection. Trying to ferret out the occasional valuable secret from among huge numbers of residential or small-business VoIP calls would be largely a matter of luck for eavesdroppers. Still, the potential loss or embarrassment from a single incident is so large that even a small risk may be more than most small- to medium-size businesses want to accept.
Spoofing a VoIP user's or server's identity could pay off for hackers in two ways. First, it would let the intruder make free calls on the user's account. Second, it could allow "vishing" (using VoIP along with social-engineering techniques) to trick individuals into revealing personal or financial information that the intruder can then use to steal from them.
The most common and annoying problem will likely be the one everyone has already heard about: SPIT (SPam over Internet Telephony). Imagine getting unwelcome recorded messages all day long, as if do-not-call lists had never existed. With easily faked caller IDs, it will be hard to know whether a call is legitimate without answering it.
And if easily deleted email spam is profitable for its perpetrators, such hard-to-avoid voice spam should be even more so. That should make it hugely popular with hackers. If it catches on, in fact, SPIT could be at least as hard as spam to eradicate.
The only thing harder, in fact, would be finding someone to blame for not foreseeing and preventing it.