Don’t SPIT on VOIP

Internet Telephony, also known as VoIP, is picking up steam, as telcos wise up to the benefits of turning speech into packets and delivering them over the Internet. But some experts say that security efforts have fallen behind. SMBs need to be aware of all the issues before jumping on the VOIP bandwagon.

According to Frost & Sullivan analyst Jon Arnold, denial of service (DoS) attacks against VoIP networks are a real possibility — and there’s even a distant risk of spam over Internet telephony (SPIT).

“The proliferation of Voice over IP is so small right now, it’s not the kind of magnet for attacks that e-mail is,” Arnold says.

Frost & Sullivan forecasts a 15 percent penetration of VoIP in North America by 2008. That figure is for landlines only; wireless could have a major impact in the numbers, according to Arnold. But VoIP security threats are real.

“Spam is a small piece of the much bigger issue of voice security in the IP world,” Arnold says. “It’s come on the scene quietly, and the security industry hasn’t kept pace.”

VoIP providers are already on the lookout for DoS exploits.

“DoS attacks can happen to VoIP providers unless they implement security mechanisms,” says Louis Holder, executive vice president of product development for VoIP provider Vonage.

VoIP systems require every customer to have a terminal adapter at their locations.

“Each customer then becomes a node that could help launch a Denial of Service attack on a network,” says Brian Fowler, CTO of Voiceglo, a VoIP service provider that monitors its network for nonconforming packets, which are then filtered and extracted. “They can be turned against other networks.”

Still, Fowler is aware of the pervasiveness of SPIT. “We worry about it all the time,” he says. “We’ve been lucky at this point.”

Arnold says that VoIP hackers could do plenty of evil besides just disrupting networks. “You can find holes and drain financial resources out of companies,” he said. “You can start charging phone calls to them and make purchases over the phone. That’s the really scary stuff.”

More Than a SIP of Trouble
What worries Arnold most is Microsoft’s adoption of Session Initiation Protocol (SIP), a signaling protocol for Web conferencing, telephony, presence, events notification and instant messaging.

“Once you’re in a SIP environment,” he says, “you become vulnerable to the vulnerabilities of the public Internet. And if you’re a hacker, what market are you going for?”

In January 2003, CERT warned SIP was vulnerable to remote code execution and other cracks, while the U.K. National Infrastructure Security Co-Ordination Centre advised early this year that the H.323 networking protocol for transmitting audio-visual data supported by many VoIP networks put them at risk for DoS and buffer overflow attacks.

The viability of SPIT is less clear.

“That is not possible to do with Vonage’s voice-mail system” Holder said. “In order to get a voice message into our system, you have to stream real-time voice into it.”

In other words, if a spammer wanted to send someone a one-minute-long voice message, he would have to stream that message to the voice-mail system for a whole minute; he couldn’t just e-mail the message as a file into the system.

Even though the information is carried as data in Vonage’s system, Holder says, it starts and ends as voice. “Phones have IP addresses,” he says, “but the voice conversation still needs to be played in real time. And it’s converted back to voice in real time.”

But Qovia, a company that sells enterprise tools for VoIP monitoring and management, recently applied for a patent on technology to broadcast messages via VoIP — and another one for a method of blocking such broadcasts. The broadcast methodology only works on a pure VoIP network, while most of today’s services are hybrids of IP and traditional telephone lines.

“SPIT becomes an issue when you don’t have to go out over the traditional telephony lines,” says Qovia CEO Richard Tworek. “As soon as my VoIP system touches the Internet cloud, that’s when it starts to become interesting. We predict it’s going to happen, much as spam e-mail did. We’re trying to get ahead of the game.”

The company realized pretty quickly that where there’s a channel, there’s a pitchman, says Pierce Reid, Qovia vice president of marketing. “Someone is going to use VoIP for spam.” Since every other medium has been the conduit of unwanted marketing messages, from bulk faxes to telemarketing to IM spam, he says, Qovia engineers began to research whether it was possible to broadcast voice-mail. It was easy.

Qovia insists it would never allow the technology to be used for marketing, let alone spam.

“There are positive uses of the broadcast capability,” says Tworek. “And none of us would agree that unsolicited marketing is a positive use; that’s not in our future.”

However, he sees the broadcast capability being useful for public agencies — such as Homeland Security — that might need to reach people with vital messages.

Qovia will incorporate its SPIT-blocking technology in future releases of its security products, while enforcement of its patent on broadcasting, if granted, could be used to shut down VoIP spammers.

Adapted from

Do you have a comment or question about this article or other small business topics in general? Speak out in the Forums. Join the discussion today!

Must Read

Get the Free Newsletter!

Subscribe to Daily Tech Insider for top news, trends, and analysis.