Is VoIP Service the Next Big Target for Hackers?
WASHINGTON--Internet telephone service's appeal as a cutting-edge technology for cutting phone costs is convincing more and more people to ditch their landlines and go hi-tech with Voice over Internet Protocol.
VoIP companies like Vonage are growing rapidly, with their promise of nifty new features and lower monthly phone bills. Vonage, one of many Internet telephone service providers, says that about 1500 people sign up for its service alone per month. But some computer security experts say that, just as with wireless networking, VoIP's rapid-fire adoption will be closely followed by revelations of security vulnerabilities and electronic attacks.
"As VoIP is rolled out en masse, we're going to see an increased number of subscribers and also an increased number of attackers," says David Endler, chairman of the VoIP Security Alliance VOIPSA, a recently formed industry group studying VoIP security.
The VoIP experience could parallel the Wi-Fi example. As Wi-Fi began to gain momentum a few years ago, an increasing number of vulnerabilities came to light. For example, unencrypted wireless traffic could be captured and scanned for passwords, and wireless freeloaders took advantage of many early networks that would let anyone sign in. At first, Endler says, only the technological elite could take advantage of security holes like these. But before long the "script kiddies"--those who lack the skills to discover and exploit vulnerabilities on their own, but who use the tools and scripts created by skilled hackers--joined in. If VoIP use follows the pattern set by Wi-Fi network adoption, then there is good news. We may still be in those giddy early stages where the benefits of the new technology have not yet been tarnished by attacks.
VoIP Users, Get Ready
But the quiet period may not last long, says Rick Kuhn, coauthor of a recent government report (which you can read here in PDF format) that analyzes security flaws in VoIP. Kuhn works in the Computer Security Division of the National Institute of Standards and Technology (NIST). "Anytime you've got something that's becoming very popular, there's going to be attacks coming," he says.
Of the many potential threats, two may be of particular concern to VoIP users at home: having your call digitally intercepted and having your network made useless for Internet telephony by a type of network flooding called denial-of-service (DoS).
In the first instance, someone intercepts your call by tapping into the data stream at any point as it travels across the Internet. That could mean your home network, your ISP's network equipment, or your VoIP company's servers, for instance. The attacker could pull personal information--such as a credit card number--from an intercepted call.
A DoS attack, on the other hand, sends a large and steady flood of meaningless information to a network or server in an attempt to overload it. Many high-profile Internet attacks, such as one targeted against Microsoft's update servers in 2003, used DoS.
Old Attacks, New Approach
Intercepting Internet traffic is not new. Neither is DoS. But unlike more secure Internet transactions such as your Web connection for online banking, VoIP calls are not encrypted. That makes them susceptible to tapping. One program called Cain and Able, already used to listen in on network traffic, has been specifically adapted to intercept VoIP calls.
Also, because VoIP depends on reliable and speedy broadband, a DoS attack against your home network could easily wreck your ability to make an Internet phone call. Your connection might just slow rather shut down during an attack, which might not be so bad for Web browsing. But your Internet phone service would be out of commission until the attack ended.
Shashi Phoha, director of the Information Technology Laboratory at NIST, says that DoS attacks are relatively easy to pull off and well within the reach of the "script kiddies." Networks generally recover quickly after an attack, though.
How Much Should You Worry?
VoIP does have security risks. But there are plenty of vulnerabilities with traditional phone service that we all tolerate.
Louis Mamakos, chief technology officer for Vonage, and others say it's relatively simple for most anyone to take a pair of alligator clips and tap your phone line at the nearest wire box outside. And the ubiquitous cordless phones make invading your privacy especially easy (remember the hoopla over Prince Charles' and Princess Diana's cordless phone calls?). Anyone nearby can listen in using a commercially available scanner if they find the right frequency.
Additionally, if someone really wants to steal credit card numbers, there may be easier or more efficient methods than breaking into a network to sift one number from your voice calls. ID thieves recently stole a whopping 1.4 million numbers from a DSW Shoe Warehouse database, for instance.
"You need to balance what all the relative threats are," says Mamakos.
What's Being Done?
Endler says that the "Internet" part of Internet phone service means that VoIP is subject to all of the security risks that affect data networks--risks that typically haven't been of concern with traditional phone networks. To protect your call as it speeds out of your home and through the Net, you'll have to rely on the security used by your ISP and VoIP providers.
ISPs often have tight security, but policies and equipment vary from company to company. One ISP may use top-notch firewalls and other security measures, while another's security might be much easier to compromise.
VoIP companies are taking precautions, but VOIPSA's Endler says, "It's too soon to tell what the most secure environment is going to look like." The security alliance's goal is to try to figure out what the security holes are and how to close them before they become major problems: "To get ahead of that curve as soon as possible," he says.
Mamakos says Vonage uses firewalls to protect against attackers and intrusion detection for quick alerts if someone does break in. He says using encryption is "in the concept stage at this point," with no definite plans for implementation.
What Can You Do?
For your home network, your best protection may be simple anonymity.
Kuhn, of the federal government's Computer Security Division, says that unless there's some reason you might be targeted specifically, you probably don't have much to worry about. Most attackers don't have much incentive to go after a random person's phone calls.
But if security by obscurity isn't good enough for you, make sure you have a firewall at home. Whether or not you use VoIP, it's still a good idea to use a firewall to protect against Internet intruders. Most broadband routers offer some degree of protection for your home network.
Some routers have Stateful Packet Inspection firewalls, or SPI, which help protect against DoS attacks. The Linksys phone adapter shipped by Vonage as part of its service is also a broadband router and SPI firewall.
However, you'll need to provide your own router for some VoIP services, like Verizon's VoiceWing.
Also, Kuhn recommends against using "softphones" that use your computer to make a VoIP call. "It wouldn't be that hard to make a Trojan horse that keeps a record of the VoIP calls that are sent out on your computer," he says. Instead, Kuhn suggests using an Internet telephony setup with a hardware adapter that lets you use a regular phone instead of your computer to make a call.
Kuhn doesn't have Internet phone service. But that's because his broadband connection isn't reliable enough, he says. If it were, he says, he would give the technology a try despite all he knows about the risks.
"I would be interested in looking at it," he says. "I'd be careful about how I set it up, but if there's a cost savings, I'd look at it."