VoIP has been an unmitigated success, once Vonage and Skype sorted out basic business models that their predecessors (remember SpeakFreely, PGPFone?) did not get right. And everyone loves a story of connivery and hacker attacks. Now the security industry is ramping up to create Fear, Uncertainty and Doubt - better off known as FUD - in the VoIP industry.
"As VoIP is rolled out en masse, we're going to see an increased number of subscribers and also an increased number of attackers," says David Endler, chairman of the VoIP Security Alliance (VOIPSA), a recently formed industry group studying VoIP security.
Consider FUD as the enabler for a security tax. We can't of course collect the revenues we deserve unless the public fully understands what dangers they are in, surely? Right? Consider these past disastrous precedents:
The VoIP experience could parallel the Wi-Fi example. As Wi-Fi began to gain momentum a few years ago, an increasing number of vulnerabilities came to light. For example, unencrypted wireless traffic could be captured and scanned for passwords, and wireless freeloaders took advantage of many early networks that would let anyone sign in. At first, Endler says, only the technological elite could take advantage of security holes like these. But before long the "script kiddies"--those who lack the skills to discover and exploit vulnerabilities on their own, but who use the tools and scripts created by skilled hackers--joined in.
Kick me for being asleep, but that's another FUD case right there. The Wi-Fi evolution has been one of overwhelming benefit to the world, and even in the face of all these so-called vulnerabilities, actual bona fide verified cases of losses are as rare as hen's teeth.
In all seriousness, we've been through a decade of Internet security now and it's well past time to grow up and treat security as an adult subject. What's the threat? Someone's listening to your phone call? Big deal, get an encrypted product like Skype. Someone's DOSing your router? Wait until they go away.
There just doesn't seem to be an economic model to threats. We know that phishing and spam are fundamentally economic. We know that cracking boxes was for fun and education, originally, and now is for the support of phishing and spam. Regardless of the exception to the economics motive found in hacking and cracking there has to be a motive and listening in to random people's phone calls just doesn't cut it.
Addendum. Ohmygawd, it gets worse: Congress is asked to protect the Internet for VoIP. Hopefully they are busy that day. Hmm, looks like the wire services have censored it. Try this PDF.
Hello. Do you know the story of how the electromechanical phone switch was invented?
The inventor, Strowger, laid the foundations for the automatic switchboard because he believed corrupt phone operators were diverting people who tried to call his business over to his competitors.
There's an economic motive to interfere with phone switching. It's just rumor, but persistent rumor, that someone has taken over telco switches in Vegas and rerouted some escort service phone numbers.
The other way for a crook to make money would be to send VOIP calls to the overseas equivalent of 900 numbers. Then there's extortion: "we'll shut down your order taking call center unless you send $40,000 by Western Union to Belarus".
You're right that there's no point in eavesdropping on random people, but what about targeted attacks? Could papparazzi get a few bucks from tabloids by selling Paris Hilton's phone calls?
I haven't built a complete threat model (nobody's hired me to) but those are a few things that come to mind easily.
Posted by: Fred Wamsley at May 11, 2005 11:36 AMThere is no point in attacking the end-points in IP telephony, but having worked with a couple of the largest VOIP deployments in the world, I can say that the "switching infrastructure" (gatekeepers, SS7 equipment, etc) was a target, and was secured very heavily.
At this point, in fact, VOIP has a substantially higher level of security than SS7 does. SS7 has zero authentication functionality of any consequence, and therefore trust is nearly absolute. This is the more interesting place to attack a phone call, even if it traverses the VOIP world.
Posted by: petrilli at May 11, 2005 03:52 PMUnlike Fred, I *am* being paid to think about this stuff right now as part of the deployment of a global (6 continents, hundreds of facilities, many tens of thousands of phones) VOIP network. This is a private network, but the fundamental threats remain the same. It's the ease-of-mitigation that's different.
I agree that there simply aren't many signifcant threats and what network-level threats exist can be mitigated by existing best practices for building defensible networks. Nearly every risk we're addressing is just an existing network security risk that will now apply to the phone system. The scary stuff isn't even new FUD, it's just recycled network security FUD.
If I were Vonage or (especially) Skype, however, I might be a little worried. Skype uses a couple of currently-known authentication servers which are potential DOS targets. The client is designed to be able to shift authentication servers, however, and we don't know how many alternative servers they have on hot standby, but I'll guess it's at least one or two.
Perhaps the mafia are waiting until Skype(In|Out) gets sorted out (lots of card processing horror stories about that right now) or the suppliers are flowing positive cash, but given that people don't expect dialtone-grade reliability from Skype, I think that Skype & Vonage can safely, as Ian says, "Wait until they go away."
Posted by: Chandler Howell at May 15, 2005 10:07 AM