Careful with that call
It's only a matter of time until IP telephony is hit by spam and malware, experts say
Sidebar: Bringing VOIP vulnerabilities to light
- By William Jackson
- May 02, 2008
E-mail was the killer app for the Internet, the tool that made global network connectivity a must-have in every office and home. But vulnerabilities in the Simple Mail Transfer Protocol have made e-mail a primary source of malicious code and unwanted messages.
Today, 90 percent of e-mail messages are spam, said Chris Rouland, chief technology officer at IBM Internet Security Systems. Another 5 percent is phishing, and 3 percent is viral.
Many of the vulnerabilities that have made e-mail a headache are spreading to voice-over-IP systems, raising the specter of a new generation of security threats.
'SMTP is a failure,' Rouland said. 'It is not tenable for our telephone system to devolve to that level.' So far, it hasn't. 'We haven't seen widespread threats yet,' he said.
But now is the time to begin defending systems, before hackers and thieves start exploiting VOIP vulnerabilities, say a growing number of security experts.
'There is no reason to believe the bad guys will not exploit this,' said Mustaque Ahamad, professor of computer science and director of Georgia Tech's Information Security Center.
As the Internet and other packet-switched networks have become more tightly integrated into business enterprises, voice has been added to the applications handled by IP networks.
Growth in available bandwidth and improvements in service delivery have made Internet telephony comparable in quality and reliability with traditional public switched telephone networks (PSTNs), and VOIP's increased efficiency and functionality have led to a steady growth in its adoption in recent years.
A primary reason Internet telephony has not yet been targeted by hackers is that e-mail and a growing number of Web applications provide well-known and successful avenues for breaching information technology systems and stealing data, said Ahamad, who is researching trust mechanisms for telephone systems. But as the security bar is raised on traditional data systems, VOIP could become more attractive to hackers.
'When does this become the path of least resistance?' Ahamad asked. 'We have learned that we don't want to be blindsided.'
VOIP inherits all the vulnerabilities of the operating systems and other platforms on which it is built in addition to those of VOIP server software and endpoint applications.
But interest in the security implications has been late in coming.
'In 2003, some Finnish researchers created the first fuzz tests for VOIP,' Rouland said, referring to a type of brute-force vulnerability testing in which random data is put into applications to look for failures. 'There were a lot of vulnerabilities in the products because they were new.'
In addition to exploiting technical vulnerabilities, bad guys might also use VOIP to deliver unwanted messages that resemble e-mail spam (sometimes called spit, for spam over Internet telephony) or phishing (vishing). The relative security of the PSTN phone systems we grew up with makes the VOIP trust issue even more critical, Rouland said.
'We know not to trust e-mail,' he said. 'But we have learned to trust caller ID.'
Three years ago, before IBM acquired Internet Security Systems, the company began looking at threat models for VOIP.
'We don't want to be spreading fear, uncertainty and doubt,' Rouland said. 'But given the vulnerabilities and the reality of fraud, it is unrealistic to think it won't happen.'
IBM ISS is not the only company addressing VOIP insecurity. VoIPshield Systems published a list in April of 44 discrete vulnerabilities in VOIP systems sold by Avaya, Cisco Systems and Nortel Networks.
VoIPshield was founded in 2005, and 'a lot of our energy has gone into this research,' said Rick Dalmazzi, the company's president and chief executive officer.
Avaya, Cisco and Nortel were chosen for the initial round of research because of their products' wide adoption in the North American market. VoIPshield notified the vendors of its findings before it released them to the public. Under its disclosure policy, VoIPshield works with vendors to help them re-create vulnerabilities in their test labs and offers remediation assistance.
'The research is not an end in itself but a means to an end,' which is developing secure VOIP products, Dalmazzi said.
The company is selling VoIPaudit, a vulnerability assessment tool, and VoIPguard, an intrusion-prevention system. The initial market for the products has been in the more heavily regulated sectors, including financial and health care institutions, insurance companies and government agencies.
'We're dealing with the leading edge,' Dalmazzi said. 'We do a lot of evangelizing. The entire [VOIP] industry is not taking security seriously enough, because no one has felt any pain yet.'
Dalmazzi speculated that we are in the reconnaissance phase of VOIP threats, with hackers watching and cautiously poking around the edges. Evidence of exploits so far is mostly anecdotal. 'We don't really know how much of this is going on,' he said.
But the stakes could be high, said Bogdan Materna, chief technical officer at VoIPshield.
There are an estimated 800 million PCs worldwide but about 1.2 billion telephone landlines and another 2 billion wireless handsets.
Vulnerabilities found so far in VOIP systems are similar to those in other applications: They can allow the execution of arbitrary code on an endpoint such as a telephone handset or a laptop PC running a softphone client, allow malicious code to be planted, or siphon off sensitive information. Exploits could allow the theft of service by establishing unauthorized accounts on an IP switch or gateway, create denial-of-service attacks, or allow eavesdropping on conversations.
If voice services run on the same network that carries an enterprise's data (one of the efficiencies that can make VOIP attractive), such exploits could put the entire data network at risk.
'When your laptop becomes your phone,' the risk is carried over, Dalmazzi said.
Although VOIP vulnerabilities have received little attention, companies are responding well to VoIPshield's disclosures, Dalmazzi said.
'Cisco is a little more familiar with the process, so they have been more proactive' in fixing problems, he said. Avaya and Nortel do not have the same history in IP networking.
But all three companies have released security alerts based on the disclosures, and their incident response teams have worked well with VoIPshield, he said.
Georgia Tech's Information Security Center began working on ways to add security to VOIP protocols and services about two years ago with support from IBM and Bell South, Ahamad said. Several grad students and faculty members are working on vulnerability analysis and response, and they have found flaws that would allow execution of code on VOIP handsets.
'We were able to very easily compromise them in ways that could have serious consequences,' he said.
Although underlying bugs and implementations that create vulnerabilities are essentially the same for VOIP as for other applications, blocking exploits and spam poses a problem.
'It's a lot harder to deal with than e-mail,' Ahamad said. Phone calls typically are answered as they are received, but e-mail collects in an inbox before it is viewed. Because voice calls are sensitive to latency, filtering at a gateway is more difficult. The problem is compounded by the fact that 'we don't have a lot of real data about VOIP spam.'
The Information Security Center has been studying signals and signatures in audio packets to get a better understanding of what they can reveal about their content. Researchers also are working on so-called soft credentials that could assign a level of trust to voice calls based on social-networking techniques and circles of trust. If one user trusts a caller, a second user who trusts the first user could probably also trust the caller. One drawback of the circles of trust is that they cannot be extrapolated very far. The larger the community they apply to, the less precise they are likely to be.
Levels of trust can be assigned by studying who talks to whom, under what circumstances and for how long. A number that is called frequently and with long connections is likely to be trusted. The technique is less precise than signatures or black lists but more dynamic and better suited to phone calls. It requires a learning period while the system studies the user's calls to determine patterns of trust, Ahamad said.
'It builds pretty quickly,' he said. 'After a learning period, it is very effective.'
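A minimal sketch of the call-pattern trust idea described above, added here as an illustration and not the Georgia Tech project's code. The scoring formula, the constants and the call records are all assumptions constructed for the example.

```python
import math
from collections import defaultdict

# Constructed call detail records: (caller, callee, duration in seconds).
CALLS = [
    ("alice", "bob", 600), ("alice", "bob", 900), ("alice", "bob", 1200),
    ("bob", "carol", 700), ("bob", "carol", 800),
    ("carol", "dave", 900), ("carol", "dave", 900),
    ("alice", "spitbot", 4),  # a single call that was hung up at once
]

MIN_CALLS = 2    # assumed learning period: fewer calls earns no trust yet
HOP_DECAY = 0.5  # assumed discount for each extra hop in the circle of trust
MAX_HOPS = 2     # circles of trust are not extrapolated beyond this

def direct_trust(calls):
    """Trust in [0, 1) that each user places in each number they call."""
    count, total = defaultdict(int), defaultdict(float)
    for caller, callee, seconds in calls:
        count[(caller, callee)] += 1
        total[(caller, callee)] += seconds
    trust = defaultdict(dict)
    for (caller, callee), n in count.items():
        if n < MIN_CALLS:
            continue  # still inside the learning period
        avg_minutes = total[(caller, callee)] / n / 60
        # Both frequent calls and long connections are needed for a high score.
        frequency = 1 - math.exp(-n / 3)
        duration = 1 - math.exp(-avg_minutes / 5)
        trust[caller][callee] = frequency * duration
    return trust

def caller_trust(trust, user, caller, max_hops=MAX_HOPS):
    """Best trust path from user to caller, decayed per hop and hop-limited."""
    best, frontier = 0.0, {user: 1.0}
    for hop in range(max_hops):
        reached = {}
        for node, score in frontier.items():
            for peer, t in trust.get(node, {}).items():
                s = score * t * (HOP_DECAY if hop else 1.0)
                reached[peer] = max(reached.get(peer, 0.0), s)
        best = max(best, reached.get(caller, 0.0))
        frontier = reached
    return best

if __name__ == "__main__":
    t = direct_trust(CALLS)
    for who in ("bob", "carol", "dave", "spitbot"):
        print(who, round(caller_trust(t, "alice", who), 3))
```

With these records, a call to alice from bob scores highest, carol scores lower because she is trusted only through bob, and dave and the one-off caller score zero.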
The trust system is still an academic project rather than a product. But with the attention being given to VOIP security today, Ahamad said he believes users will be able to protect themselves when exploits begin to appear. 'I think we're going to be ready.'
VoIPshield Systems recently released the results of vulnerability research on the most widely used voice-over-IP systems. Researchers found more than 100 design or implementation flaws in products from Avaya, Nortel Networks and Cisco Systems that could allow outsiders to execute code on handsets, PCs or servers; compromise systems; block service; or steal accounts.
The results have been published as 44 discrete vulnerabilities at www.voipshield.com/research. VoIPshield has worked with the vendors to find fixes for the problems and is incorporating the information into its VOIP vulnerability analysis tool and
A study by VoIPshield Systems identified 44 vulnerabilities in three vendors' voice-over-IP
● Avaya: 12
● Nortel: 5
● Cisco: 27
● Critical: 15
● High: 9
● Medium: 11
● Low: 9
● Available: 17
● Being developed: 27