Is VOIP vulnerable to attack?

We were up to visit with my folks on Sunday to correct a couple of small problems their PCs were having and while we were there the topic of my pending lack of employment came up. Dad asked if I had considered dropping my traditional phone service in favor of keeping my broadband connection and signing up for VOIP via Vonage or some similar company, something I have kicked around from time to time even before my employment became an issue. About the only reason I haven’t given it a shot so far has been my lack of a cell phone which would mean that if the broadband went out for some reason then I’d be without phone service at all. Of course, if I can’t afford to pay the current phone bill then the result may essentially be the same.

Now the folks at Wired have an article on the potential vulnerabilities of VOIP including such potential aggravations as “SPIT” (Spam over Internet Telephony):

“It is really just a matter of time before it is as widespread as e-mail spam,” said Michael Osterman, president of Osterman Research.

Spammers have already embraced “spim” (spam over instant messaging), say the experts. Dr. Paul Judge, chief technology officer at messaging-protection company CipherTrust, says 10 percent of instant-messaging traffic is spam, with just 10 to 15 percent of its corporate clients using IM. “It is where e-mail was two and a half years ago,” said Judge.

To put that in perspective, according to another messaging-protection company, FrontBridge Technologies, 17 percent of e-mail was spam in January 2002. It put that figure at 93 percent in November 2004.

So the inference is that “spit” (spam over internet telephony) is just around the corner. Certainly, the ability to send out telemarketing voicemail messages with the same ease as blanket e-mails makes for appealing economics.

Additional potential threats being debated include hackers eavesdropping on conversations, rerouting or answering other people’s calls, interfering with or capturing the audio streams, and so on. Concerns such as these have prompted the formation of the VOIP Security Alliance (VOIPSA), which launches today with the goal of educating consumers and collaborating on means of securing VOIP for the future. Current VOIP providers such as Vonage and Skype question whether this new organization is attempting to solve a problem that doesn’t really exist as of yet. They cite measures they’ve already taken to help offset some of the risks (such as end-to-end encryption of data streams) as showing that they are already being proactive in making VOIP as secure as it can be.

It does seem that the VOIPSA folks might be hyping some of the potential problems a bit much, but given the known history of email and instant messaging in being a conduit of spam and scams on an unprecedented scale it wouldn’t be wise to write them off as alarmist. We should learn from our mistakes in those two arenas and start looking now at any potential problems emerging technologies like VOIP may hold. Otherwise we could end up with a conundrum similar to email’s, which is difficult to fix because the standard has been so widely adopted that the changes needed to eliminate the problem are impractical to undertake.

At the very least, it gives me something else to consider and research before jumping into VOIP with both feet.

5 thoughts on “Is VOIP vulnerable to attack?”

  1. I’ve been having some of the same thoughts.  Right now I only have a cell phone but am seriously considering VOIP when I move into the new house.  It’s $39.95 a month no matter how long you talk to anyone in the US.

    It’s hard to pass up the price and the way I figure, I can always switch over to a conventional line if things start to go the way of IM.

  2. Another thing to consider.  911.  People don’t think about this until it happens.  Most VoIP will charge you $15 per month (more or less) for 911e and even then, the calls are routed through a central 911 station that is located usually in Ohio.  There was a news report in NY where someone called 911 and got the 911 cafeteria in Ohio.  Being a telephone company employee, I may be jaded.  But, other than the problems with spit and everything else you voiced, you also have to check into emergency services.  Especially if you have kids.

  3. I completely agree that security is a major concern for residential VOIP.
    I took the other route and built my own VOIP system.
    I make the majority of calls via my broadband connection.
    The quality has been great.
    Much better than I expected.
    I have both hard sets and soft phone running.
    For 911 calls I set the system to dial out of my fax line so the local 911 service will get the call.
    I am saving money on POTS lines and if your buddies have a similar system you talk as long as you want for the cost of your broadband connection.
    If you like to tinker with LINUX or MacOSX check out this app: http://www.asterisk.org
    Regards,
    Rob_

  4. I was thinking of this myself, although I’ve never seen SPIM since the old days of ICQ.  The last spam I received was back in 2000 or so.

    With SPIT, it seems that the “problem” is that the cost of calls is going down.  Naturally that has its benefits, but as you’ve mentioned it has the obvious drawbacks that it makes it just as cheap for people who want to abuse it.

    But like email, there are ways to fix it.  For email, the best solution is possibly TMDA, which relies on challenging the sender of an email to make sure they’re legitimate.  It sends them an email back, and if they don’t reply, they’re assumed to be spammers.

    And with VOIP, your end is running on a computer again.  I don’t see why your client, or some proxy, couldn’t ask a series of questions in a computerised voice, challenging the user at the other end.  Supposing the SPITbot was asked what five times six is equal to, it would then need to reply with the right answer.  I’m sure it could get quite foolproof. grin

    But like TMDA, this sophisticated stuff doesn’t even need to happen soon.  It’s quite possible that there are other, simpler ways to confirm that there is a human on the other end, before resorting to voice recognition. wink
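
The challenge-response screening idea from the comment above, sketched as an added example that is not part of the original post or its comments. The CallScreener class, the caller identifiers and the attempt and timeout limits are all hypothetical, and the caller's spoken or keyed answer is assumed to arrive already converted to a digit string.

```python
# Added illustration: TMDA-style challenge-response screening for inbound calls.
# CallScreener, the caller IDs and the limits are hypothetical, constructed here.
import secrets
import time

class CallScreener:
    def __init__(self, max_attempts=2, ttl=30.0, clock=time.monotonic):
        self.allowlist = set()   # callers that already passed a challenge
        self.pending = {}        # caller -> (expected, attempts_left, deadline)
        self.max_attempts = max_attempts
        self.ttl = ttl
        self.clock = clock       # injectable so expiry can be tested

    def incoming(self, caller):
        """Return ('ring', None) for known callers, else ('challenge', prompt)."""
        if caller in self.allowlist:
            return ("ring", None)
        a, b = secrets.randbelow(8) + 2, secrets.randbelow(8) + 2
        deadline = self.clock() + self.ttl
        self.pending[caller] = (str(a * b), self.max_attempts, deadline)
        return ("challenge", f"What is {a} times {b}?")

    def answer(self, caller, digits):
        """Check the caller's answer; returns 'ring', 'retry' or 'reject'."""
        state = self.pending.get(caller)
        if state is None:
            return "reject"                  # no outstanding challenge
        expected, attempts, deadline = state
        if self.clock() > deadline:
            del self.pending[caller]
            return "reject"                  # answered too late
        if digits.strip() == expected:
            del self.pending[caller]
            self.allowlist.add(caller)       # later calls ring straight through
            return "ring"
        if attempts <= 1:
            del self.pending[caller]
            return "reject"                  # out of attempts
        self.pending[caller] = (expected, attempts - 1, deadline)
        return "retry"

if __name__ == "__main__":
    screener = CallScreener()
    print(screener.incoming("sip:unknown@example.test"))  # constructed caller ID
    print(screener.answer("sip:unknown@example.test", "0"))
```

Caller ID can be spoofed, so an allowlist keyed on it filters bulk callers rather than a caller who deliberately impersonates a known number.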
