December 2005 Issue

There isn’t much trouble with VoIP security … yet.

By Jim Barthold

Want to understand the seriousness of a voice over Internet protocol (VoIP) security threat? Just listen to the terminology. Worms and viruses threaten IP data; spam over Internet telephony (SPIT) and voice over misconfigured Internet telephones (VOMIT) dump on VoIP.

The value of attacking a VoIP network, or just the thrill of it, has raised the ante for attackers and made it more imperative that those under attack develop VoIP-specific defenses. Only the immaturity of the market has kept things to the point where “there aren’t huge worms out there causing all kinds of havoc yet,” says Eric Rosenfeld, director of PacketCable architecture at CableLabs. Ironically, that may be providing a false sense of security.

History’s lessons

“If people don’t start looking at some of this technology in terms of taking security from the data world and applying it to VoIP, they’re going to be behind the curve,” warns John Kimmins, executive director of the computer and network security solutions organization at Telcordia. “VoIP’s going to be a wonderful thing, but if it’s not done right, it’s going to be a nightmare.”

History teaches that a security attack will happen. “It’s just a question if you’re going to be ready with the correct mousetrap when the mouse shows up,” says Ben Legault, marketing vice president at Ellacoya Networks. “Do cable operators need to put measures in place in their networks to protect their voice over IP? Absolutely, yes.”

Cable, Rosenfeld emphasizes, “isn’t in any different environment than anybody else. There’s always an arms race: Come out with good security, and somebody comes out with a way to break it. I think we’re going to see the same thing with VoIP.”

The first step is to anticipate the direction from which the attacks will come.

Worms and viruses

Every computer user knows about worms and viruses, the slimy products of fetid minds.
A properly placed virus or worm, running through an IP phone, could disrupt the entire telecommunications space or at least mess up a phone call.

“A lot of people are expecting a virus or worm will someday affect VoIP components,” says David Endler, chairman of the Voice-over-IP Security Alliance, an organization formed by vendors and service providers to answer fundamental VoIP security questions. “The reality is they’re already affecting VoIP components.”

A small market has veiled these attacks so “there has not yet been a compelling event in the VoIP space to make end users worry about security,” says Endler, who’s also director of security research for 3Com’s TippingPoint division.

“Most of the time, security is about how big the target is,” agrees Rosenfeld. “Until the target is big enough, you’re not going to get the really, really big guys going after it.”

SPIT

Spam, the annoying plethora of junk dumped into email accounts, is another data constant. The disagreeably named SPIT takes spam one step further and dumps those messages into VoIP voice mail.

Session border controllers (SBCs) can help combat SPIT, said Dan Dearing, vice president of marketing at NexTone Communications, because “the SBC is a pretty robust platform doing a lot of things, (and) security is definitely one aspect of that. Today, the SBC enables that for normal firewalls and into the future will go beyond that and happen at each layer of the attack.”

But voice mail isn’t email, and “the problem with SPIT is many of the same techniques we use for email can’t work,” adds Seamus Hourihan, vice president of marketing and business development at Acme Packet.
“There’s a whole new industry here on virus protection as it relates to voice over IP calls.”

DPI

Deep packet inspection (DPI) of voice traffic, too, throws a security blanket over VoIP attacks, and “a lot of providers are now going to put those kinds of capabilities into their networks so they can do a deep dive and see what’s really going on and who’s using the network … and if there’s something happening, detect it early, shut it off,” says Telcordia’s Kimmins.

DPI, like firewalls and other security built on existing IP data applications, creates a new set of problems within the VoIP space, says Bogdan Materna, CTO of VoIPshield. “The existing security devices and security applications impact the quality of service (QoS),” Materna says. “If you use encryption, it will introduce so much delay that you can’t have voice quality. Firewalls are not dealing very well with SIP (session initiation protocol) or any of those specific VoIP protocols … so they have to be changed. All these deep packet inspection processes will introduce delays.”

Theft of service

“Stealing service will be very attractive,” says Endler. The VoIPSA chairman predicts that VoIP theft of service will use the same methods that helped phishing and spyware ransack IP data, including “tools that automate sending emails, crafting emails, the ability to easily form a fake bank site. As soon as some of these same types of attacks become lucrative in the VoIP world, once the tools are there to automate them, you’ll see a huge rise.”

Called script kiddies, these tools let someone download a hacking device from the Internet and run it without much technical expertise or understanding of the security issue being exploited. Script kiddies haven’t yet emerged in VoIP security, and that has VoIPSA worried, Endler admits. “There are a few out there, such as VOMIT, which can actually reassemble a sniffed VoIP conversation. It’s a foregone conclusion that these tools will emerge and be available,” he says.
Theft of service has been around as long as there have been college students with fertile minds and empty pockets. VoIP may be a less attractive target than traditional telephony because it’s so cheap. “The telephone network has always been tapped, (but) there are so many services today that are so affordable, in some cases almost free to hold a voice conversation, that this might mitigate some of that,” says Rafael Fonseca, vice president of product evolution and system engineering at Cedar Point Communications.

VoIP has also learned lessons from the old public switched telephone network (PSTN) world. “If you do a comparison between the PSTN and VoIP, I think there are far less number of known vulnerabilities than there were in the PSTN,” says Rosenfeld. “VoIP is in a good space in general with all the tools available to providers; it’s just a matter of how they choose to deploy and use those tools.”

DoS and doomsday

Sometimes, and this is a wild card, there is no logical reason for an attack. VoIP can be cheap, and a hacker can still damage the network by denying service or disrupting a call as a byproduct of a data attack. “That’s happening today,” says Endler. “That may mean a VoIP-enabled call center is not getting calls in or out, or the phone calls are just unintelligible to the point where they can’t be heard.”

While preparing for and defending against individual, localized attacks is a good start, providers have to be prepared to fight on a system-wide battlefield. “As VoIP gets rolled out across residential networks, it’s creating a personal sandbox for potential security enthusiasts to start poking around, finding issues, finding bugs,” Endler says. “Quite frankly, there’s a lot of low-hanging fruit for an attacker.
If you really wanted to do some harm, there are tons of things you can look for and target.” Including the sacrosanct telephone network, says Materna, because “if your gateways are not properly designed and they don’t do specific checks on the passing SIP packets, you can use them to attack the PSTN.”

The doomsday VoIP security scenario is, to paraphrase Pink Floyd, the worms could eat into the brain of the entire IP-based residence or office, entering via the VoIP network and slithering through the IPTV box, the IP modem, the computer, the stereo and the Web-enabled refrigerator. “IP is going to become the backbone controlling a lot of aspects of what we rely on to live,” says Telcordia’s Kimmins. “We’ve had problems with that in the past, and I don’t think that’s all been thought out.”

It’s been thought out, but that scenario is probably such a reach that it hasn’t been given serious consideration. That, in itself, might be a positive dredged from a negative, suggests Dearing. “You really haven’t seen people worried about these types of issues because voice over IP is in the early stages of adoption,” Dearing says. “One little nasty case, I don’t see IP stopping because of that. I think that becomes a case that people can use to justify the need for security software running in the home. I think that actually spells opportunity.”

Fighting fires

In the end, security will mean more than stamping out brushfires; it’s going to take an across-the-network effort to drench what could become a wildfire, says Fonseca. Firewalls, authentication and encryption all provide some security; and components (routers, CMTSs, VoIP switches, media gateways, voice mail platforms) guard against “very specific kinds of attacks,” says Fonseca. “The most important thing is to have a holistic approach where you are in constant vigilance so that the devices not only stay up when there’s an attack, but a person in the network will address this as soon as alarms start sounding.
And that’s not in place today.”

Jim Barthold is a contributor to Communications Technology. Reach him at firstname.lastname@example.org.