Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

VoIP's Security Vulnerabilities

Posted by Zonk on Tue Jun 13, 2006 10:26 AM
from the is-your-refridgerator-running dept.
The Internet Security Communications
garzpacho writes "Experts predict that attacks on VoIP systems could be right around the corner, and are calling for preemptive security measures. The BusinessWeek article compares the current state of voice-over-IP to the pre-spam email era and suggests that spammers could be the first to exploit the system. From the article: 'Here's what VoIP security breaches could mean for consumers. For starters, it's a big channel for spammers. Think of the Viagra ads that flood your e-mail inboxes now. They work because the cost of e-mailing thousands of people at once is so low, only 1% to 3% or so need to respond for it to be worth it, Ingevaldson says. Comparable economics apply to VoIP calls, he says. Then there are potential phishing attacks, where fraudsters posing as banks lead consumers to fake sites. Those and other attempts at identity theft could spring up via VoIP accounts too, experts say. Imagine the messages from relatives of deposed Nigerian dictators -- only this time they're on voice mail, too.'"
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

VoIP's Security Vulnerabilities 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • Of course, there is a difference between potential threats and ones VoIP consumers are actually facing today. So far, much of this is theoretical--much like fears of mass viruses on mobile phones and disastrous phishing attacks over instant-message systems (see BusinessWeek.com, 1/5/06, "IM Security Is One Tough Sell"). VoIP attacks remain rare, although Gartner says Skype has made four big patches to vulnerabilities in the last 18 months.

    And while it is all just theoretical, you know someone will eventually get their jollies figuring out how to hack VoIP and create a lane for spammers in the process. Going to VoIP removes a lot of the natural barriers that protect us from telemarketting calls now, and creates new vulnerabilities. There will be a lot more Caller ID spoofing; I can even conceive of someone creating malware that would be planted on your system and track the numbers you frequently call, to build spam call trees and more importantly to get ids and numbers you might trust so you would actually answer the calls. The possibilities are staggering.

  • I must sound like a broken record (Score:5, Informative)

    by Sloppy (14984) on Tuesday June 13 2006, @10:38AM (#15524408) Homepage Journal

    Yet Again, I say: use public key crypto and a web-of-trust to authenticate that a call is from somebody who has a reputation to lose.

    Nothing to lose? Then the call is lowest priority, probably the bit bucket unless you're expecting an unverified call, or you're just bored and feel like risking a talk with a telemarketer.

    (Sorry, it's not my fault that so many current topics are related to problems that PK happens to solve. Really, I do know that there is more to life than spreading-the-gospel-of-openpgp.)

    • A few thoughts to the contrary:

      1) Until someone has called you once before, or you've talked to them in some out-of-band way, you have no way of knowing what your friends/relatives/etc keys are. So, unless everyone who might contact you is quite technical, you will likely *always* be accepting unsigned calls. If you're accepting unsigned calls anyway, why bother setting up the keys?

      2) Given peoples propensity to re-build systems (sometimes forced by bit-rot), personal keys will rotate rather often. When
      • Until someone has called you once before, or you've talked to them in some out-of-band way, you have no way of knowing what your friends/relatives/etc keys are.

        True, unless you use web-of-trust, in which case it's sufficient that they've talked to someone you've talked to etc.

        Or unless there's some server you trust enough that you'll take thats servers word for the link between a certain email-adress and a certain public-key, and you know the email-adress of your friends/relatives/etc.

        Setting up a se

  • Filter unsolicited international calls (Score:3, Informative)

    by w33t (978574) on Tuesday June 13 2006, @10:39AM (#15524417) Homepage
    Am I correct in assuming much of this spam will originate internationally (meaning outside the US and major European countries)?

    I would imagine that the "do not call" registry will still apply to VOIP and that national companies will still have to abide by it.

    If this is the case, could not a VOIP inbox be set to filter unsollicited international calls to a spam-inbox?

    Yes, I understand that there is still the possibility that an unsolicited, international call may be warrented for some or even many - but this seems like at least one way of combating the enevitable deluge of voice advertisement.
  • What is bad about email is that it's not always obvious to know whether some email is spam or not. And there is also the risk of phising.

    Obviously it's no concern here. If they have to make it cheap, they'll use no operator and revert to pre-recorded messages. You will know right away if the person is "human" or a "recorded message"... as long as machines fail the Turing test :)

    There is nothing new about it. Junk calls existed before VOIP.
    • So when you've just been hauled out of the shower, been called away from your favourite tv prog, interrupted in your meal, it will be OK because you'll know as soon as you answer it.

  • Not really (Score:4, Insightful)

    by Geoffreyerffoeg (729040) on Tuesday June 13 2006, @10:47AM (#15524500)
    VoIP is more like the pre-spam IM era than the pre-spam e-mail era. And guess what. We're past the pre-spam IM era and it isn't even close to a problem. I get a spam IM about once every few months, if not rarer, and all it contains is an obfuscated link to some camgirl website or something (I haven't clicked, I'm just guessing).

    VoIP, like IM, is a medium that does not lend itself to spam. What can they do, hire telemarketers? You can't very well robot a voice system. And because each system, like IM, is closed within a company, unless that company itself is spamming, they will quickly close down the accounts of anyone who spams because it's easy for them to track.
    • I get spam on Y!Messenger, on myspace, on ICQ on the rare occasion that I connect to that network... It's not a problem or anything, outside of occasionally viewing a NSFW profile.
    • You can't very well robot a voice system

      Hi, this is Super Annoying Incorporated. We sell V14gr/\! Press 1 to buy (forwards to waiting agent), or visit our website at superannoying.com!

      Might be easier for annoyed callees to DDOS, and the requirement to have a short URL might be difficult to meet, but it's certainly possible to advertise by an automated system. Stock pumping spams would also be very easily automated.

    • I get a spam IM about once every few months, if not rarer, and all it contains is an obfuscated link to some camgirl website or something (I haven't clicked, I'm just guessing).

      I'll agree that I very rarely get IM spam --- and I subscribe to five different accounts, including ICQ --- but have you visited a Yahoo chat room recently? It's... unfortunate. Rooms will contain 30 bots (usually spamming in 48pt blink red) and, if you're lucky, maybe three actual people. They're practically unusable.

      • You apparently have not used an ICQ transport on jabber lately.

        I use AIM, the IM system with the worst reputation, and yet I avoid spam. The few occasions that I've been hit with real spam come from joining a public chat room where half the chatters are lurking bots harvesting screen names - other than that, almost never.
  • and are calling for pre-emptive security measures.
    Hey, you! ...Yes, you, with the fancy "pre-emptive security mesures!" DO you know where you are? This is the Internet, darnit, and we just don't do that sort of thing around here! We've got a reputation to protect, after all. Now, get outta here kid, ya bother me.
  • Fortunately, VoIP is also more like e-mail than like the traditional phone system in that filtering should be a lot easier. Ever tried to get a traditional phone company to block a phone number from calling you? Some companies will charge you extra for the privilege, while others (especially cell phone companies) will refuse to do so at all. On the other hand, VoIP companies have no excuse - the request is rather obviously implementable in software, perhaps even programmable into the user's phone, and ca
    • Except that VoIP providers are just as unlikely to give you administrative access to your endpoint (your Cisco, Sipura, Telco, or whatever box). So, they would have to set it up for you. And they will (more than likely) be just as unresponsive and unwilling simpy because they don't have the support staff to handle the request.

      VoIP prices are too low for any serious support infrastructure to exist as well. If you ever talk with anybody who works for Vonage or any other large VoIP proider in a technical ca
      • There is a method around this. A few, actually.

        - The VoIP provider could decide it's enough of a feature to implement, and even devote some GUI space to.
        - Hackers could reverse engineer the VoIP provider's protocol and implement their own client, which would almost certainly have that feature.
        - The VoIP provider, to cut costs, uses an open source solution that already has a good client with this feature and merely rebrands the client, at most.

        Really, requiring a particular VoIP client is much like requiring

  • And I'm Okay with That (Score:3, Insightful)

    by 99BottlesOfBeerInMyF (813746) on Tuesday June 13 2006, @10:52AM (#15524551)

    E-mail brought us basically free international communication with text and images and attachments. Having to filter spam is a very small price to pay, especially since my off the shelf bayesian filtering (combined with temporary accounts for commercial transactions) lets through one or two "maybes" a year. If I can have basically free voice/video communication around the world, I'll gladly put up with having to secure that as well. Anything off my white-list can go to the "maybe" pile and be routed to voicemail unless I feel like taking random calls. ISPs are already implementing security to prevent spoofing. And I already use voice and video communication without any problems. Really, this is a minor inconvenience that comes with a major advance.

  • Whitelist Only (Score:3, Interesting)

    by bahwi (43111) <incoming@josephguhlin. c o m> on Tuesday June 13 2006, @10:53AM (#15524561) Homepage
    I know wish Asterisk it should be possible to set up a database centric version of a whitelist, and only allow those calls in. All others are given infinite rings, or route-to-ex.

    Maybe the time is now to start this. If they have your #, they should have your email, IM, and there should be a web address with a captcha that gives 24 hour access or something? Maybe that's what it should do instead of infinite ring, "To access my phone, please go to www.whatever.com and type in the number you are trying to dial, and follow the instructions. Thank You."

    • I hate challenge/response systems with a burning passion. Every time I get a C/R email it might as well have Subject: My Time Is More Valuable Than Your Time. I would be pretty incensed if businesses I had to call implemented this -- its bad enough that I have to deal with menu heck to get to an actual human being if I dial the generic tech support line, but if I'm dialing Mr. I Have Your Business Card then I had darn well better get him or his voice mail as soon as the phone picks up. If the matter were
  • would they?
  • Imagine the messages from relatives of deposed Nigerian dictators -- only this time they're on voice mail, too.

    I'm not saying I would want hundreds of these calls, but I would love to hear at least one of them. I seem to always put a voice to these poorly-worded emails, as I sit wondering how someone could send out tens of millions of copies of a letter without having someone first proofread the text.

    I guess if there's money in it, the spammer could hire a good voice to make the call that much more appealin

  • Reliability is lower too (Score:5, Informative)

    by cecom (698048) on Tuesday June 13 2006, @11:10AM (#15524717) Homepage Journal
    All high-speed Internet providers that I have ever had (Comcast, Yahoo/SBC/AT&T) suffer outages periodically - say, about once every two months for several hours on the average, and this is only the outages that I know about, since I don't use my home computer all the time. Happens at work too - at one time our business DSL was out for two days (thank you "new" AT&T). The electrical power has also been out several times. At the same time I don't remember a single problem with my land line. Note that I live in the San Francisco Bay Area, so this is a relatively high-tech place.

    You end up depending on both consumer-grade Internet service and electrical power, neither of which is completely reliable. Which is probably OK, esp if you have your cell phone, so I am not advocating against Vonage.

    However it strikes me that people generally do not realize that the Internet connection (as the Internet itself) is not completely reliable. At a trade show a sales person was trying to convince of the benefits of their credit card authorization software, which resides on their own server and is accessible as a web service. The idea is that the consumer pays for a service (e.g. in a hair salon) in advance and then gets to use it for a period of time. Not bad stuff, actually, but that is beside the point. When I told her that I am worried about reliability in case the internet connection is down and the customer will not be able to be authorized for the service they already paid for, she looked at me silly and said: "Ihe Interned connection down ? Does that ever happen?" Duh! It happens!
    • "All high-speed Internet providers that I have ever had (Comcast, Yahoo/SBC/AT&T) suffer outages periodically - say, about once every two months for several hours on the average, and this is only the outages that I know about, since I don't use my home computer all the time. Happens at work too - at one time our business DSL was out for two days (thank you "new" AT&T). The electrical power has also been out several times. At the same time I don't remember a single problem with my land line. Note tha
  • E-mail can be presented in a much more convincing manner than voice mail. Spamming on VOIP would be more akin to telemarketing on traditional phones. E-mail spam is sent en masse and is impersonal.
  • There is a huge difference.
    How much is avg email? about 1kb
    How much would a prerecorded voice msg be?
    You gonna need a lot of bw to send a lot of voice messages and it will take too long...
    Targeted phishing could happen on the other hand.

  • Spit (Voip Spam) will never attain spam ubiquity (Score:3, Insightful)

    by OlivierB (709839) on Tuesday June 13 2006, @11:23AM (#15524824)
    Yes sending millions of emails is "free", and so is making unlimited VoiP, but Voip is less unlimited than emails, here's why.

    When you decide to send an email to a group of people from domains A, B and C, where you have multiple recipients in domains A, B and C you only need to send server A one copy of the message with a list of the recipients it handles. The server then spawns copies of this message to all the mailboxes. Theoretically, you only need to make as many connections are there are domains in your distribution list.
    Moreover Spam scales well with bandwith. Meaning a large message will arrive faster with more bandwith, not so much with Voip where you have real-time delivery; i.e. think of Voip as a VCR vs downloading your TV shows as files.

    What this means for Spit is that they need to make individual connections for each recipient (although I know of some email like systems, but that's another story). Also they need to connect with each recipient's server or terminal as long as the message is.
    What this means is that twice as many recipients will cost you twice as much in time and in bandwith for your spit message.

    This fondamental difference is in my opinion a deterrent for any spammer worth his salt willing to reach thousands of recipients.

    Spit doesn't scale well, spammers know that and will not pursue this activity as agressively as spamming.
  • The current policy at credit card companies is retarded. More than once, I've come home to an answering machine message saying "This is Discover's Anti Fraud unit. We'd like to discuss some recent activity on your card. Please call us at 1-800-555-1212". As soon as you call, they start asking for personal information. ...How the hell am I supposed to know I'm actually talking to Discover? I'd much rather have them send me to a URL (discover.com/fraud) that lists the number, since I at least have *some*
    • AMEN! I had the same experience with a different company, and when I called the 800 number their IVR system didn't even bother to indicate that you had called the right company - it just immediately went in to prompting me to enter my credit card number.

      I must've hung up a dozen times before deciding to simply #, * and 0 my way through their menu system until it finally dumped me to a human being with whom I could ask a question (or two, or three...) before giving any personal information.

      And the kicker

  • Voice spam is impractical (Score:3, Informative)

    by Norbert_05 (982191) on Tuesday June 13 2006, @12:30PM (#15525584)
    The way SIP works makes voice spam impractical. Basically, a call is set up in two steps. 1) The calling party sends an INVITE message to your provider's PBX / main server / whatever. This would be vonage, or whoever your VOIP provider is. This 'call' connects, and an audio path is established between your provider and the calling party. From the caller's perspective, he has a live, answered, call at this point. 2) your provider sends an INVITE message to your phone. This establishes an audio path from your phone to the carrier. At this stage, the carrier either connects the two audio streams internally, or can use another pair of INVITE messages to direct the audio streams of the two phones to each other. There's no way for the calling party to identify when that second audio stream has been established; from their perspective, the call exists as soon as the provider accepts the initial INVITE message. Obviously, you could start playing audio at that stage, but there's no guarentee someone's actually on the other end of the line. If you're doing a recorded audio play, you're faced with either loosing part of the message, or playing dead air for a while. The only way around this is to dial the direct SIP extension of the customer's phone, but you need know their userext (which is different than their actual phone number) and the IP address of the user's phone, which is highly unlikely since the end user doesn't even have those bits of information (usually) Furthermore, filtering is easy. An INVITE message has to specify a valid IP for the audio stream to be set up. It's trivial to simply block INVITE's from certain IP's in software, if your carrier / phone supports that. Spoofing an IP at this stage is impossible, since that would just prevent the RTP stream from working, and it also makes it easy to figure out who's actually calling you, since you have the IP of the server the audio is coming from. (assuming your provider did the reinvite bit, which virtually all SIP implementations do) That's totally ignoring the much higher bandwidth requirements of transmitting that many audio streams and associated problems with that.
  • If you would like to better understand this case, the US Department of Justice has made the information available online:

    They do make for interesting reading and outline how Edwin Pena put his scam together.

    Dan York
    Best Practices Chair, VoIP Security Alliance (VOIPSA) [voipsa.org]
    Producer & Co-host, Blue Box: The VoIP Security Podcast [blueboxpodcast.com]

  • From TFA:

    ... but not before the problem has succeeded in wreaking havoc. It happened with e-mail and is happening now with instant messaging and mobile devices ...

    From my brain:

    Really? Havoc? C'mon! Yes, spam is a problem, but my email has never been close to a state of "havoc" because of it, and filters came along pretty quickly. No, they don't work as well as I would like, but they work.

    From TFA:

    ... Here's what VoIP security breaches could mean for consumers. For starters, it's a big cha

  • Response percentages must be wrong (Score:3, Insightful)

    by Checkered Daemon (20214) on Tuesday June 13 2006, @02:19PM (#15526796) Homepage
    "Think of the Viagra ads that flood your e-mail inboxes now. They work because the cost of e-mailing thousands of people at once is so low, only 1% to 3% or so need to respond for it to be worth it, Ingevaldson says."

    That's gotta be a misquote or typo, or Ingevaldson is nuts. 1% to 3% is around the accepted minimum for dead tree spam. In an interview with a professional email spammer about a year ago (yeah, I'm too lazy to look it up) she said that she could make a good profit with a 1 in 10,000 response rate! Probably helps explain why I still get penile enlargement spam even though almost everyone on the planet who'd fall for it has undoubtedly already sent in the $50 and gotten the rock and the string.

    • Re:You can thank stupid people. (Score:5, Funny)

      by neonprimetime (528653) on Tuesday June 13 2006, @10:34AM (#15524370)
      To actually fall for that Nigerian one... my God!

      Stop stereotyping the Nigerians! We're taking donations to help fight the stereotyping of Nigerians ... please send donations to my paypal account : HelpTheNigerians ... or just send me your paypal id & password and I'll do the transfer for you.

    • Re:You can thank stupid people. (Score:4, Insightful)

      by kefoo (254567) on Tuesday June 13 2006, @10:39AM (#15524422)
      Never underestimate the power of money to overrule common sense. I saw it every day when I worked as a software engineer.
    • Exactly. VoIP phone spamming won't be any different than current telemarketing. Any landline not on the DO-NOT-CALL list gets hammered with spam, despite POTS being more expensive than VoIP.

      Within one week of activating a new POTS phone line, I started receiving about three or four calls per night. It got the point where I stopped answering my home phone unless I was expecting a call. I disconnected my answering machine and turned the ringer off for about a month and now the volume of calls have dropped s

      • ......Within one week of activating a new POTS phone line, I started receiving about three or four calls per night. It got the point where I stopped answering my home phone unless I was expecting a call. I disconnected my answering machine .....

        Caller ID in combination with an old Mac Classic used as an answering machine has solved our unwanted phone call problems almost perfectly.

        The Mac allows the audible, live monitoring of the first 10 seconds of any message coming in within which time we can decide to answer the phone or not. Any number we don't know or not listed is not answered live by us at all unless the caller leaves a message, which is also not answered unless we want to. A large display caller ID shows who is calling. The Mac answers all calls we don't recognize. We have not talked to a single phone solicitor in several years. Something like this should work even better for VOIP, since the computer can contain a list of callers the recipient is willing to talk to. The other calls go into the junk call bin, just as the spam junk e-mail does. The only calls that get answered live are the wanted ones. The do not call list is worthless anyway, but just as the spammers use technology, so, technology can also work against them. Fight fire with fire.
        • Skype has a nice swathe of privacy options for its voice calls. It also supports filtering for a SkypeIn number if you have one, so it only rings if the person is a 'known number' (ie on your contacts list) and everyone else is shoved to voicemail.

          I haven't seen options like this on any other VoIP service with a public phone number, anybody suggest any?
        • The do not call list is worthless anyway...

          Why do you say this? I have personally been VERY happy with the DNC list. Yes, market surveys, charitable organizations and political campaign calls still get through, but they are a very small quantity as compared to the "WASTE YOUR MONEY NOW!!" calls we used to receive. And you can still ask all of the orgs who can legal call you to put you on their DNC list, which keeps them from calling again.

      • Re:You can thank stupid people. (Score:4, Insightful)

        by Stellian (673475) on Tuesday June 13 2006, @01:10PM (#15526024)
        VoIP phone spamming won't be any different than current telemarketing.
        Wrong !
        That's just like saying email spam won't be any different than junk mail.
        VoIP spam is a nightmare in the making. A normal telemarketer needs to pay to have access to the phone network, and needs to be a business so it could be held accountable for any wrongdoings. It cannot operate from China or the long distance costs would kill it. There is only so much calls you can initiate per second from a normal telco trunk. You also need a human operator for each call, the costs per call tipically do not allow you to waste them with recorded message.
        Enter VoIP Telemarketing: anonymous Viagra kings, enjoying the anonymity and low cost of the Internet calls to make billions of robot calls from zombied machines. In my opinion, it's the worst threat facing VoIP today.
    • If Homer Simpson can get the AT-5000 Autodialer http://en.wikipedia.org/wiki/Professor_Frink#AT-50 00_Autodialer [wikipedia.org] for regular phones how long before we have the VOIP equivalent?
    • You're assuming Grandma figures out how to work the new Computer Telephone thingy. I'm all for consumer responsibility, but if companies would quit their marketing mumbo jumbo about every tech-based new idea and try to actually educated the masses as to how the thing works, be up front what it's strengths/weaknesses are, etc. (or if we as tech-based people would help out all those non-techies out there), we'd probably be in better shape. "What, I'm not supposed to just click OK? But everytime you fix my
      • but Grandma ... that's why I went to schoool ... to learn which OK buttons are OK to press!
        • Great point - as ridiculous as it may sound, it's like driving a car. You have to learn how to drive and then take a test to get a license (let's for the sake of argument not get into how effective the testing and licensing process is in ensure that you are actually a good, safe driver). We don't want children doing even menial household chores like operating the gas stove that could incinerate your entire house or the washing machine that could flood your entire basement without proper instruction. Why
    • I solved the spam problem a long time ago. It's called 'delete'.

      This solution work for me for a while to. But, after wearing out three keyboards in as many months, I realised that it was just not cost effective.
      • >>I solved the spam problem a long time ago. It's called 'delete'.

        >This solution work for me for a while to. But, after wearing out three keyboards in as many months, I realised that
        >it was just not cost effective.

        Well, then I'd recommend remapping your keyboard settings because it seems your 'o' is worn out, as you misspelled 'to' in "a while to". I was going to recommend message rules filters to save your fingers, but then I realized you should invest in a good spell-checker as you also
    • I solved this problem years ago. I programmed my (VoIP) phone service to respond to all anonymous calls with a message requesting them to put this number on their DO NOT CALL list. Then dropped them immediately into voice mail in case there really WAS something they wanted to say. In the initial voice mails, I heard lots of background noise, and people saying, "Hey! Listen to this!" to their coworkers, but they all got the hint.
    • with a sweet female voice saying "Hi Ambsoien Levoiitra VALlUqqM fzbrom ojwnly $hz1,2xp1 Xutanax Sorqma Meridpaia VlAdiGRA frmhom orpnly $vw3,3zx3 CzslALlS frlaom onlwly $xw3,7ww5 Prykozac"
      You'll need an answering machine with flailing arms that says "Danger Will Robinson, Danger, messaage may be grabbled without a CSS2 compliant user agent, Danger Will Robinson, Danger."

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.