VoIP's Security Vulnerabilities 117

garzpacho writes "Experts predict that attacks on VoIP systems could be right around the corner, and are calling for preemptive security measures. The BusinessWeek article compares the current state of voice-over-IP to the pre-spam email era and suggests that spammers could be the first to exploit the system. From the article: 'Here's what VoIP security breaches could mean for consumers. For starters, it's a big channel for spammers. Think of the Viagra ads that flood your e-mail inboxes now. They work because the cost of e-mailing thousands of people at once is so low, only 1% to 3% or so need to respond for it to be worth it, Ingevaldson says. Comparable economics apply to VoIP calls, he says. Then there are potential phishing attacks, where fraudsters posing as banks lead consumers to fake sites. Those and other attempts at identity theft could spring up via VoIP accounts too, experts say. Imagine the messages from relatives of deposed Nigerian dictators -- only this time they're on voice mail, too.'"

  • Whitelist Only (Score:3, Interesting)

    by bahwi ( 43111 ) on Tuesday June 13, 2006 @11:53AM (#15524561)
    I know with Asterisk it should be possible to set up a database centric version of a whitelist, and only allow those calls in. All others are given infinite rings, or route-to-ex.

    Maybe the time is now to start this. If they have your #, they should have your email, IM, and there should be a web address with a captcha that gives 24-hour access or something? Maybe that's what it should do instead of infinite ring, "To access my phone, please go to www.whatever.com and type in the number you are trying to dial, and follow the instructions. Thank You."

  • e-mail is different. (Score:2, Interesting)

    by just_forget_it ( 947275 ) on Tuesday June 13, 2006 @12:15PM (#15524762)
    E-mail can be presented in a much more convincing manner than voice mail. Spamming on VOIP would be more akin to telemarketing on traditional phones. E-mail spam is sent en masse and is impersonal.
  • solved that problem (Score:2, Interesting)

    by gstovall ( 22014 ) on Tuesday June 13, 2006 @12:53PM (#15525140) Homepage
    I solved this problem years ago. I programmed my (VoIP) phone service to respond to all anonymous calls with a message requesting them to put this number on their DO NOT CALL list. Then dropped them immediately into voice mail in case there really WAS something they wanted to say. In the initial voice mails, I heard lots of background noise, and people saying, "Hey! Listen to this!" to their coworkers, but they all got the hint.
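    A defensive Asterisk dialplan that combines the two ideas from the posts above (bahwi's database-backed whitelist with every other caller diverted, and gstovall's do-not-call notice for anonymous callers), written here as an added example; it is not code from either poster. It assumes Asterisk 1.8+ `same =>` syntax, the built-in AstDB via `DB_EXISTS`, inbound numbers delivered as digits, a SIP peer named `myphone`, voicemail box `100@default`, and two custom recorded prompts `do-not-call-notice` and `web-verification-notice`.

```ini
; extensions.conf (added example, not from the posts above)
; Inbound calls from the provider trunk enter this context.
[from-trunk]
exten => _X.,1,NoOp(Inbound call from ${CALLERID(num)})
 ; 1. Missing or withheld caller ID: play the do-not-call request, then voicemail.
 same => n,GotoIf($["${CALLERID(num)}" = "" | "${CALLERID(num)}" = "anonymous"]?anon)
 ; 2. Known caller: the AstDB family "whitelist" holds one key per allowed number.
 ;    Populate it with: asterisk -rx "database put whitelist 4085551234 ok"
 ;    (the number is a constructed placeholder). DB_EXISTS returns 1 or 0.
 same => n,GotoIf(${DB_EXISTS(whitelist/${CALLERID(num)})}?allowed)
 ; 3. Anyone else never rings the handset; they get the web-verification prompt.
 same => n,Goto(unknown)
 same => n(allowed),Dial(SIP/myphone,25)
 same => n,Goto(vm)
 same => n(anon),Playback(do-not-call-notice)
 same => n,Goto(vm)
 same => n(unknown),Playback(web-verification-notice)
 same => n(vm),VoiceMail(100@default,u)
 same => n,Hangup()
```

Calls that Dial does not answer within 25 seconds fall through to the same voicemail step, so a whitelisted caller still reaches the mailbox.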
  • by aonic ( 878715 ) on Tuesday June 13, 2006 @01:29PM (#15525566) Homepage
    "All high-speed Internet providers that I have ever had (Comcast, Yahoo/SBC/AT&T) suffer outages periodically - say, about once every two months for several hours on the average, and this is only the outages that I know about, since I don't use my home computer all the time. Happens at work too - at one time our business DSL was out for two days (thank you "new" AT&T). The electrical power has also been out several times. At the same time I don't remember a single problem with my land line. Note that I live in the San Francisco Bay Area, so this is a relatively high-tech place."

    Note that the San Francisco Bay Area (I'm from San Jose myself) was one of the first markets with a huge demand for broadband. Our infrastructure is TERRIBLE (partially because of the TCI->AT&T->Comcast mess). On the other hand, in areas that didn't have a giant push for broadband immediately, such as Boulder, CO (where I'm going to school), Comcast was able to, given an extra four or five years, completely revamp its infrastructure. We have almost flawless broadband in CO (a relatively low-tech place, at least in some areas), whereas at my parents' house in CA, the internet STILL goes down for an hour or so every other day at around 2am.

    The population density also makes a difference, too. DSL in the bay area is terrible because you might have 20 houses multiplexed onto a given local loop where in most cities there would be four or five. The cable network is only able to support somewhere around the lines of 38 megabits per cable head-end, and when you have something like five million people in the south bay alone, each one running at six megabits, that's a lot of cable sub-networks.
  • by Anonymous Coward on Tuesday June 13, 2006 @02:28PM (#15526255)
    Then there are potential phishing attacks, where fraudsters posing as banks lead consumers to fake sites.

    I don't remember this word for word, but this is the gist...

    Years ago, someone called me (with an Indian accent) and told me they were from my bank, specifically from the fraud investigation unit of my bank. They told me that some suspect activity with my credit card account had been detected and asked if I had made a purchase of x dollars at y vendor. I told them that I had not, so they said that they needed to confirm that I was the rightful card holder and that my card was in my possession. To do this, they wanted to know my personal information (name, address, DOB, mother's maiden name, etc) and the details of the card, being number, card holder name as printed on the card, expiry and the special "security" [cough cough] number on the back.

    At this stage, alarm sirens suddenly became deafening in my head.

    I informed this caller that I could not be sure that they are really from my bank or calling officially and that I would not provide those details to them. I told them that I would however be happy to call my bank (supposedly them) back on a number I know to be genuine and then provide the details if need be. At this stage, the fellow on the other end of the phone sounded like he was becoming annoyed. He insisted that he was from my bank and that calling back would not be required. I insisted and then asked for a call number, so that when I ring back I could get it all done as quickly as possible. He said "ahhhh... 57". I found this odd, since usually the call numbers they give were longer. So I hung up and called my bank on the regular number which I use...

    Call number "57" meant nothing to them and they told me that the call numbers they provide are longer. They told me that they had no record in their system showing that they had contacted me or needed to contact me regarding possible fraudulent activity on my credit card. They also told me that there was no record of a purchase of x dollars at y vendor.

    Somehow, someone got at least the following personal information about me, to attempt this attack:

    What bank my credit card was with.
    Card type (VISA, MCRD, AMEX, etc).
    My name.
    My phone number.

    For me, the scariest thing about this is that that info is actually really easy to get. All I need to do is use my credit card with human interaction and at least some of those details will be divulged to a potential criminal. With a face to face transaction, the other person will at least get bank, card type, card number, my name, expiry and security code. They will possibly get much more than that, if I am expected to fill anything out for warranty details, or marketing, etc. With over the phone purchases, the other person will at least get my card type, card number, name and expiry, which is more than enough to go on a mail order spending spree.

    So, do you trust every single schmuck you have ever had to pull your credit card out for?

    Now, I wonder how safe it really is for our financial institutions to be outsourcing their staff to very poor countries. It's like "here very poor person, please handle our customers and their personal and financial information while we pay you per week what our customers would get in an hour". Oh yeah, that's a great idea. Somehow I imagine all those savings gained by exploiting very poor people in other countries, will be eaten up and then some by all the added fraud which the financial institutions must eat by law when they can't catch the "criminals".

    (I put criminals in quotes not because I don't consider the fraudsters to be criminals, but rather because I consider the financial companies to be the biggest criminals of all).
  • by patio11 ( 857072 ) on Tuesday June 13, 2006 @09:05PM (#15529006)
    I hate challenge/response systems with a burning passion. Every time I get a C/R email it might as well have Subject: My Time Is More Valuable Than Your Time. I would be pretty incensed if businesses I had to call implemented this -- it's bad enough that I have to deal with menu heck to get to an actual human being if I dial the generic tech support line, but if I'm dialing Mr. I Have Your Business Card then I had darn well better get him or his voice mail as soon as the phone picks up. If the matter weren't urgent enough so that I wouldn't mind going to a website and waiting for a reply I would have sent a bloody email.

    And C/R captchas will be circumvented the exact same way it's circumvented for email and registrations -- if it takes 5 seconds to get through the captcha then your callcenter in China (hidden behind 45 proxies to appear that it originates in your compromised American box) can send 1200 spams per operator per hour. That costs, let's see, about a quarter for a thousand spams.
