Is Security Holding VoIP Back?

phoneboy writes "Voxilla is running a piece I wrote on security issues present in Voice over IP. While an increasing number of people are ditching their ILEC in favor of using Voice over IP from companies like Vonage, VoicePulse, Packet8, and Broadvox Direct, there are a number of potential security issues to be aware of. Is VoIP secure enough to replace the PSTN as we know it?"

As opposed to the security of PSTN?

[bc90021]

Considering we've been using PSTN for about a hundred years, and we've had absolutely no security whatsoever, something based on IP should be better. There are workarounds, at least, for the lack of security in IP; there aren't as many (if any) for PSTN.

Security? Not a problem for home users

[Anonymous Coward]

Just look at how many unsecured wireless networks are out there. And most cordless phone users had no problem speaking of easily listenable frequencies for many years.

PSTN? Secure?

[Heartz]

Whoever said PSTN was secure? All you need to sniff is a wire and the right equipment. And it's easy to do.

I don't wnat VoIP

[Anonymous Coward]

I don't want VoIP. Depending on the Internet for all communications (e-mail, IM, and phone) is just a bad idea.

Security isn't the problem.

[danitor]

As usual, Michael's title is misleading.

Security is not holding VOIP back.

Security is just one layer that needs to be implemented, particularly when VOIP becomes more widespread. It has very little to do with adoption- just look at how analog cellphones prospered. We all know how easy those were to listen to.

Landline isn't technically secure either.

[Anonymous Coward]

Nobody said landlines were particularly secure either. Anyone can tap a phone line or phone box for that matter and listen in on your conversations. There's few encrypted landlines around. It's also easy to listen in on cellular or wireless handsets with relatively inexpensive equipment. So for security, neither are very. If you want security you need fiber optic (VoIP or not) that measures light passing through the fiber and can detect if some of it is being diverted to listen in. Only the military and the Illuminati needs something like that.

What landlines ARE, though, are more reliable. I don't want to have my VoIP phone crash on me or have packet loss when I'm trying to call 911 because of a heart attack. You don't get two chances at that to call again, reboot, or whatever.

Marketing and Brand

[firstadopter.com]

I think the main thing holding VOIP back is the Baby Bells, who have a lot to lose if they keep pushing it. SO it's up to the startups like Vonage to publicize the benefits and the low cost. Unfortunately that will take a LONG time as people just don't know about it.

Re:As opposed to the security of PSTN?

[Mysticalfruit]

I would think that this would be a perfect situation for public/private key encryption.

When you connected to someones VOIP device, it would merely pass you their public key.

insecure network - insecure services

[UnderAttack]

regular phone service is secure (and does not need encryption) since the network it is using is considered secure. Climping up on phone poles is not only a lot of work, but gets you easily arrested as well.

On the internet on the other hand, you can take your pick of about 500k ready to use backdoored hosts at any day. Just pick one close enough to your target. If you are desperate, buy one of the routers in the path on IRC for a few stolen CC numbers.

What we need is a simple and fast encryption method for VoIP. Similar to the phone network, it doesn't have to be 'Fed prove'. This may make it possible to come up with something simple that will not cause excessive latency.

Of course, one issue with VoIP is that its kind of stretching the limits of current infrastructure. So any added overhead may break it.

Re:PSTN? Secure?

[vrmlknight]

Sniffing VoIP traffic still requires some physical access, you need to be able to intercept the packets either be on a router in-between the points or have root'ed a box in between them, or in the case of wireless be physically close to them and have a week or so to crack what ever encryption they are running on the wireless network...

Re:As opposed to the security of PSTN?

[jayminer]

IP security would be easy to provide using many of the decent implementations of IPSec, but the most important problem of VoIP is that it is vulnerable to any kind of DoS attack.

The PSTN/POTS service is also on a publicly switched network, but controlled by central authorities. However, noone will try a DoS attack by constantly ringing your phone and making it busy.

The question is.....

[invisik]

..is the internet ready for the mass migration from PSTN?

With all the lag and overloading on the internet, is it really ready to handle a jillion voice streams running over it with the expectation of quality and reliability of PSTN?

As a geek type, I'd love to see it come together to widescale use. But as a business type, it seems to unreliable for official use yet. Most businesses can tolerate their internet connection being down for a period of time, but I don't know any business who can tolerate a phone outage short of sending everyone home.

-m

Re:As opposed to the security of PSTN?

[ComputerSlicer23]

Ever heard of "man in the middle". Never trust a public key, just because it is public.

You should get signed keys, or keys directly from the person you want to be talking with. If the somebody wanted to break your security, all they have to do, is be upstream from your ISP. Capture the broadcast of the public key, send you a different one they have the private key for.

Now there are exchange methods that you can use in public, but just passing a key in the clear isn't a good idea. Normally there is some type of key exchange before hand, a trusted third party, or a web of trust used to establish identity, and the trustworthyness of a public key.

Kirby

Re:Security isn't the problem.

[phoneboy]

The title of the news story is the title of the article on Voxilla. If you disagree with the premise of the article, fair enough, but don't attack Michael over it. He wasn't responsible for choosing it -- I was.

-- PhoneBoy

No.

[Anonymous Coward]

Is VoIP secure enough to replace the PSTN as we know it?

No.

Thanks to the acceptance of less than end to end secure encryption similar to ssh or ssl, and thanks to Voip providers willingly/being forced to provide snooping access thanks to their man-in-the-middle position, this will end the requirements for a judge to oversee and ensure snooping is justified in a small number of cases, and open everything up to massive snooping, and massive insecurity.

There is no judicial oversight for cordless phones. Why? Because in the words of past court decisions, when using a cordless phone, it is not secure (whatever your beliefs) as an end-to-end switched telephone call. Others can eavesdrop, and so can the government.

You accept using VOIP without end-to-end ssh/ssl/whatever security? Then you can't demand privacy and judicial oversight over snooping requests.

And you open up all telephone calls everywhere to being snooped on by not only the government, but anyone with the computing power and knowledge to snoop packets/save packets/grep packets. As computing power goes up, it gets easier to set grep cron jobs for key words when you go to bed, and then wake up ready to really go to work in the morning.

I'm no computer expert. Just a Monday morning half back. So maybe the experts can answer why I can't plug a VOIP phone into my network switch, and call up Cowboy Neal on his VOIP phone on his network switch, and we can talk with an ssl or ssh connecton bypassing Vonage and Ma Bell altogether.

Why isn't there an effort on Sourceforge (is there?) to enable this? Why are we letting Ma Bell continue to control our conversations when we have broadband connections and the equivalent of supercomputers from just a few years ago sitting on our desktops?

Anyone?

Why do we even need VoIP though?

[nial-in-a-box]

• It doesn't really do anything that is currently needed.
• It is more complicated than it needs to be.
• Cell phones accomplish the exact same thing for the same cost and at a sadly higher reliability level.
• It's going to be regulated as hell sooner or later.
• It's not a satisfactory long-term solution.

What annoys me the most is that cell phones still are not treated as "normal" phones by the key places where it matters, such as credit cards, etc. If I pay a monthly bill on a cell phone, and I need a positive credit rating to even get that service plan in the first place, why is that not good enough to establish credit? It annoys me that even though it seems like something that has been overlooked, it also looks like we're just giving extra business to land-line providers. I have no need for such a telephone line, but I will probably have to get one the next time I move as it still is a requirement for many things.

Re:Marketing and Brand

[phoneboy]

I think the Baby Bells have a lot to gain if they start implementing VoIP instead of burying their head in the sand and trying to fight it.

-- PhoneBoy

Re:As opposed to the security of PSTN?

[iminplaya]

Maybe that's the deal. VOIP is too secure for the FBI to allow to become widespread. Am I paranoid enough?

Not lack of security

[mobileone]

Security is just one of the issues why VoIP has not caught on as an end user technology:

Pricing People think that VoIP is cheap compared to normal telephony. Average people spend around USD 200 per year on land line telephony. While VoIP might seam "free" you still have to pay around USD 300 for an ADSL connection.

Device type While it is technically feasible to install a VoIP client on a PC, it is not exactly the ideal device for a telephone. Also - remember that people usually have several phones in the house. To overcome this you would need VoIP "telephones" which look like a normal telephone. These are reletive expensive compared to normal phones, and requires a dedicated power supply.

Incoming calls In order to receive incoming calls you need to have you VoIP device turned on all the time and connected to the Internet.

Availability A normal landline telephone is usually available 99.98 % of the time. If your ADSL reaches 99.7% you should consider yourself lucky. Furthermore normal phones work during power outages. In some countries this is a regulatory requirement for emergency services.

Billing It would be nice if it was possible to make "free" VoIP calls. In most of the world however, it is the calling party who pays for the call. This means that a VoIP call terminated at a Spanish GSM phone will be charged backwards: The spanish GSM operator charges the VoIP "operator" for "terminating" the call, and the VoIP operator subsequently charges the VoIP "customer". The world has more than 1 billion GSM subscribers. In order to be able to call these you need the billing infrastructure in place even for VoIP. This requirement makes VoIP just as expensive to produce as traditional telephony.

Only a land line solution The world is moving voice calls to mobile phones. So far it has not been shown that VoIP is technically or economically feasible on mobile phones?

Quality It is pretty hard to beat the delay characteristics of a normal landline phone! VoIP has severe delay problems on thin access lines such as ADSL. Usually OK for 2Mb/s and up.

After all VoIP is only a matter of changing layer 3 and 4 in the protocol stack. Why would end customers care?

The places where VoIP is used today it is mostly invisible to the end-user: It is used as a cost cutting technology by a large number of long distance carriers. The service however is sold as normal "high quality" telephony. It is also used in a corporate setting for branch-to-branch calls as well as for PABX replacements. VoIP also makes a lot of sense sense as computer-telephony-integration in call centers.

The next majer breakthrough for VoIP will be VoADSL. VoIP all the way to the customer premises. The interface to the customer however will be a normal POTS jack, full customer service and the associated billing!

Re:As opposed to the security of PSTN?

[Rick the Red]

Am I paranoid enough?

As long as John Ashcroft and his ilk are in charge, you're not paranoid at all. They really are out to get us!

less security than what? causing what problem?

[bcrowell]

I switched from telco to Vonage a couple of months ago, and this article has exactly zero correlation with the pros and cons of the transition as I experienced it.

First of all, if VOIP is supposed to be less secure, what is it less secure than? Less secure than telco service? That doesn't really make sense, because essentially all the people who I call and who call me have telco service. There's no such thing as a 'VOIP call' or a 'telco call.' If you stay with the telco because you think it's more secure, and then you call me, guess what -- your call went through my VOIP provider, so you're not any more secure. Likewise if I got a VOIP box that did encryption on the voice data, it still wouldn't guarantee my security if the person I was calling was using an unencrypted wireless connection on their end. And BTW, even if you're a telco customer calling another telco customer, many of your calls probably go through the internet on part of their journey.

It's also not clear to me what real problems they're claiming the lack of security would cause. The beginning of the article seems to imply that the threat is unreliability due to attacks by hackers. Well, that just isn't the real reliability issue faced by actual VOIP users. The only real reliability issue I've encountered is that when my cable modem service isn't working, my phone stops working. (But so far it's always cured the problem if I just power cycle the cable modem.) It's also worth noting that one of the main reasons we switched from telco to VOIP was the poor reliability of the telco service. We went through a period of about two weeks recently where there were telco guys working continuously all up and down the street, all our neighbors had no telco service (or patchy telco service), and we were the only ones on the block who could actually make a phone call. According to the telco worker I talked to (the big green box is right in front of my house), the issue is just that the equipment is getting really old.

They also seem to imply that there's some sort of a threat of identity theft, or that someone may steal your service. Well frankly, I'm taking a bigger risk every time I let a waiter in a restaurant see my credit card number.

I need VoIP

[gad_zuki!]

>It doesn't really do anything that is currently needed.

I don't want to pay for a POTS line and expensive long-distance.

>It is more complicated than it needs to be.

That can be said of a lot of things. It happens to work, and well.

>Cell phones accomplish the exact same thing for the same cost and at a sadly higher reliability level.

My cell phone goes out all the time, my VoIP works all the time. My cell phone has limited minutes and when in use it pushes a few watts of energy at my head t'boot. It also sounds more like a POTS phone than the crap that a cell-phone delivers. You can speakly quietly, listen to real human sounds like quiet sighs and other things cell-phones fail at delivering. No finger in the other ear using VoIP.

>It's going to be regulated as hell sooner or later.

Defeatist much? Even regulated that doesn't mean it will be unafforable or even more expensive. The last round of complaints have more to do with calling your local 911 service and many VoIP proviers already have that function working.

>It's not a satisfactory long-term solution.

Says you. Only the five richest kings of Europe will be able to afford computers too.

Two things holding it back.

[Anonymous Coward]

1) Cell Phones.
Why do I need another phone? I get excellent coverage and my calling plan is flexible.

2) Crappy ISP's
I would not be willing to deal with the latency/bandwidth issues. Until you have QoS from point A to point B, VOIP will be an annoyance.

Security is not the big problem...

[Zed2K]

I'd say reliability of ones high speed internet connection is the major problem. With a normal phone you know its always going to work. Whens the last time you've had a phone problem with the line coming into your house. You can even use the phone when the power is out. But with voip, power outage or your provider going down takes out your phone too. Until they get reliability up on par with a normal phone line I'm staying away from it.

Re:Not lack of security

[justMichael]

+5 Insightful or -1 Uninformed?

Pricing People think that VoIP is cheap compared to normal telephony. Average people spend around USD 200 per year on land line telephony. While VoIP might seam "free" you still have to pay around USD 300 for an ADSL connection.

If you are only getting a high speed internet connection to use VoIP, you deserve to part with your money. All of the people I know that use VoIP are doing so to avoid ugly long distance bills, if all you use the phone for is local calls to order pizza you really dont need VoIP.

Device type While it is technically feasible to install a VoIP client on a PC, it is not exactly the ideal device for a telephone. Also - remember that people usually have several phones in the house. To overcome this you would need VoIP "telephones" which look like a normal telephone. These are reletive expensive compared to normal phones, and requires a dedicated power supply.

Odd, sitting under my monitor stand and on top of a 5 port switch is this little box that I plug into my switch that I can plug any phone I want to into. Granted crappy phones do not work well, but I DO NOT need a special phone. Some people have actually piped the RJ11 out of their ATA186 into the house line effectively feeding the entire house.

Incoming calls In order to receive incoming calls you need to have you VoIP device turned on all the time and connected to the Internet.

See above.

Billing It would be nice if it was possible to make "free" VoIP calls. In most of the world however, it is the calling party who pays for the call. This means that a VoIP call terminated at a Spanish GSM phone will be charged backwards: The spanish GSM operator charges the VoIP "operator" for "terminating" the call, and the VoIP operator subsequently charges the VoIP "customer". The world has more than 1 billion GSM subscribers. In order to be able to call these you need the billing infrastructure in place even for VoIP. This requirement makes VoIP just as expensive to produce as traditional telephony.

Please follow the links provided in the original Story to the VoIP providers, this is not about using some free software you found on Freshmeat to talk to your friends.

Quality It is pretty hard to beat the delay characteristics of a normal landline phone! VoIP has severe delay problems on thin access lines such as ADSL. Usually OK for 2Mb/s and up.

I can not vouch for other providers, but on Vonage as long as you have ~95k up and no packet loss the quality is fine.

The next majer breakthrough for VoIP will be VoADSL. VoIP all the way to the customer premises. The interface to the customer however will be a normal POTS jack, full customer service and the associated billing!

Again I can not vouch for other providers, but Vonage provides online realtime usage stats, access to your voicemail from any web browser and you can actually call customer service and talk to a human when you have problems.

Sorry if I come of like a ass, but I have seen this same basic comment every time there is a VoIP story on slashdot and most of it is not true.

I have had Vonage service for roughly 2 years and the only time the quality sucked was when I was on Adelphia cable. I switched to DSL and it was fine, I am currently on Comcast/Attbi cable and it is fine.

Re:I don't wnat VoIP

[way-kun]

Why is depending on the internet for communications a bad idea? It's fault tolerant, a lot of back up ways. On the other hand other systems, just go down and you're stuck.

Yeah, it's really nice if you're multihomed AS.
I don't remember when was the last time that my phone line failed. As for the internet... three days back (for an hour).

I don't know if this is normal or it's just that .si ISPs tend to suck. I'd like to think that in a critical moment I'll be able to call emergency hotline (eg. 911 for americans) if I ever switch to VoIP.

Re:As opposed to the security of PSTN?

[iminplaya]

Business as usual. It's really no different than Nixon, J. Edgar Hoover, etc. Only then it wasn't Al Quaeda(el queso, whatever). It was the the Black Panthers.

"Meet the new boss
Same as the old boss..."

Re:I don't wnat VoIP

[dissy]

Don't assume IP == Internet

The Internet is just one IP network.
Phone companys have their own networks, they don't need to involve the Internet what so ever if they choose. Same as I don't need to plug my IP network into the Internet for things on my own network to talk to eachother.

Unfortunate Realities

[Saltation]

Hmm. Some related threads of a mere-practicalities-of-a-commercial-world nature.

• Any tech is crackable with physical access and special kit and special training. You will always have lots of people in a position to crack any technology, no matter which one you look at. [slashdot.org]
• It's not technical difficulty that matters, so much as how motivated people are to do it. [slashdot.org]
• International exposures from bored highly skilled low paid people in well resourced high-tech areas that your calls can pass through without you realising. [slashdot.org]
• Institutionalised Corruption in some regions your IP traffic can invisibly flow through [slashdot.org]
• It only takes one compromised box anywhere in the stream [slashdot.org]

--
Sal

Writings: saltation.blogspot.com [blogspot.com]
Wravings: go-blog-go.blogspot.com [blogspot.com]