VoIP's Security Vulnerabilities 117
garzpacho writes "Experts predict that attacks on VoIP systems could be right around the corner, and are calling for preemptive security measures. The BusinessWeek article compares the current state of voice-over-IP to the pre-spam email era and suggests that spammers could be the first to exploit the system. From the article: 'Here's what VoIP security breaches could mean for consumers. For starters, it's a big channel for spammers. Think of the Viagra ads that flood your e-mail inboxes now. They work because the cost of e-mailing thousands of people at once is so low, only 1% to 3% or so need to respond for it to be worth it, Ingevaldson says. Comparable economics apply to VoIP calls, he says. Then there are potential phishing attacks, where fraudsters posing as banks lead consumers to fake sites. Those and other attempts at identity theft could spring up via VoIP accounts too, experts say. Imagine the messages from relatives of deposed Nigerian dictators -- only this time they're on voice mail, too.'"
Leave Grandma alone (Score:1)
Spam in her voice mail box? Yuck. My poor grandma.
Re:Leave Grandma alone (Score:2)
Re:Leave Grandma alone (Score:2)
Re:Leave Grandma alone (Score:3, Insightful)
Only problem is.. (Score:1)
this time a sweet female voice will make me buy it... Oh Shit. Where are you taking me today?
Re:Only problem is.. (Score:2)
You'll need an answering machine with flailing arms that says "Danger Will Robinson, Danger, messaage may be grabbled without a CSS2 compliant user agent, Danger Will Robinson, Danger."
From theoretical to real (Score:4, Insightful)
Of course, there is a difference between potential threats and ones VoIP consumers are actually facing today. So far, much of this is theoretical--much like fears of mass viruses on mobile phones and disastrous phishing attacks over instant-message systems (see BusinessWeek.com, 1/5/06, "IM Security Is One Tough Sell"). VoIP attacks remain rare, although Gartner says Skype has made four big patches to vulnerabilities in the last 18 months.
And while it is all just theoretical, you know someone will eventually get their jollies figuring out how to hack VoIP and create a lane for spammers in the process. Going to VoIP removes a lot of the natural barriers that protect us from telemarketting calls now, and creates new vulnerabilities. There will be a lot more Caller ID spoofing; I can even conceive of someone creating malware that would be planted on your system and track the numbers you frequently call, to build spam call trees and more importantly to get ids and numbers you might trust so you would actually answer the calls. The possibilities are staggering.
Re:Real? (Score:1)
But the rest of it I just don't understand. How would your doomsday scenario work? A user needs either a soft or hardware sip telephone and probably a voip aware firewall.
If they just use the phone, I'm unclear where the payload comes from. In packets? Maybe, but it would require a PC to use.
Re:From theoretical to real (Score:2)
figuring out how to hack VoIP and create a lane for spammers in the process
a lane on the... INFORMATION SUPERHIGHWAY?! oh noes!
Technology isn't always so great. (Score:1)
Re:Technology isn't always so great. (Score:3, Informative)
This solution work for me for a while to. But, after wearing out three keyboards in as many months, I realised that it was just not cost effective.
Re:Technology isn't always so great. (Score:2)
>This solution work for me for a while to. But, after wearing out three keyboards in as many months, I realised that
>it was just not cost effective.
Well, then I'd recommend remapping your keyboard settings because it seems your 'o' is worn out, as you misspelled 'to' in "a while to". I was going to recommend message rules filters to save your fingers, but then I realized you should invest in a good spell-checker as you also
Re:Technology isn't always so great. (Score:3, Funny)
Re:Technology isn't always so great. (Score:2)
Thanks for deleting your account. Saved those mail admins some work, you sure did.
Anyone else see the irony... (Score:1)
Re:Anyone else see the irony... (Score:1)
I even had an [discussion] with a salesman with Charter a couple months back. He was trying to tell me that the telephone service they sell isn't VoIP. If it walks like a duck and talks like
I must sound like a broken record (Score:5, Informative)
Yet Again, I say: use public key crypto and a web-of-trust to authenticate that a call is from somebody who has a reputation to lose.
Nothing to lose? Then the call is lowest priority, probably the bit bucket unless you're expecting an unverified call, or you're just bored and feel like risking a talk with a telemarketer.
(Sorry, it's not my fault that so many current topics are related to problems that PK happens to solve. Really, I do know that there is more to life than spreading-the-gospel-of-openpgp.)
Re:I must sound like a broken record (Score:2)
1) Until someone has called you once before, or you've talked to them in some out-of-band way, you have no way of knowing what your friends/relatives/etc keys are. So, unless everyone who might contact you is quite technical, you will likely *always* be accepting unsigned calls. If you're accepting unsigned calls anyway, why bother setting up the keys?
2) Given peoples propensity to re-build systems (sometimes forced by bit-rot), personal keys will rotate rather often. When
Re:I must sound like a broken record (Score:2)
True, unless you use web-of-trust, in which case it's sufficient that they've talked to someone you've talked to etc.
Or unless there's some server you trust enough that you'll take thats servers word for the link between a certain email-adress and a certain public-key, and you know the email-adress of your friends/relatives/etc.
Setting up a se
Re:I must sound like a broken record (Score:1, Insightful)
Currently it goes..
Step 1: Infect PC
Step 2: Extract email addresses from email client
Step 3: Propogate!!
With PK it becomes..
Step 1: Infect PC
Step 2: Compromise keys through passphrase capture
Step 3: Extract email addresses
Step 4: Propogate!!
Heck, if you used the same key to sign your emails as your VOIP headers (not a bad idea under a Grand Unified PK Scheme) then getting bitten by an email worm means your friends are open to
Re:I must sound like a broken record (Score:1)
Re:I must sound like a broken record (Score:2)
Instead of telling people who matter, you're just posting it on Slashdot. No matter how many times you sound like a broken record, you're not going to get anything done here, buddy.
In any case, how do you know about somebody's key before they've called you first? With your system, every time a new person got a VOIP phone, I'd have to go though my "low priority" calls anyway, and your system has solved nothing.
Re:I must sound like a broken record (Score:2)
Noted. I have tried explaining this stuff to my hippie non-geek (but still somewhat-suspicious-of-government) girlfriend, and it's harder than I thought it would be. I don't have a clue how to get the message out to Joe Sixpack.
Web of Trust. There are tens of thousands of nerds [cs.uu.nl] whom I have never met or communicated with in any way, whose PGP keys
Filter unsolicited international calls (Score:3, Informative)
I would imagine that the "do not call" registry will still apply to VOIP and that national companies will still have to abide by it.
If this is the case, could not a VOIP inbox be set to filter unsollicited international calls to a spam-inbox?
Yes, I understand that there is still the possibility that an unsolicited, international call may be warrented for some or even many - but this seems like at least one way of combating the enevitable deluge of voice advertisement.
Re:Filter unsolicited international calls (Score:2)
and ofc you can always call from out of country while sticking within the same voip provider (generally making the call both free and hard to identify as international)
Re:Filter unsolicited international calls (Score:2)
proxy
*bzzz* Wrong (Score:2)
Turing test! (Score:2, Insightful)
Obviously it's no concern here. If they have to make it cheap, they'll use no operator and revert to pre-recorded messages. You will know right away if the person is "human" or a "recorded message"... as long as machines fail the Turing test
There is nothing new about it. Junk calls existed before VOIP.
Re:Turing test! (Score:1)
When they do the compertition don't they have an award for the most computerlike human aswell as most human computer?
Re:Turing test! (Score:2)
Mobile networks? (Score:1)
Re:Mobile networks? (Score:2)
Not really (Score:4, Insightful)
VoIP, like IM, is a medium that does not lend itself to spam. What can they do, hire telemarketers? You can't very well robot a voice system. And because each system, like IM, is closed within a company, unless that company itself is spamming, they will quickly close down the accounts of anyone who spams because it's easy for them to track.
Re:Not really (Score:2)
Re:Not really (Score:2)
Hi, this is Super Annoying Incorporated. We sell V14gr/\! Press 1 to buy (forwards to waiting agent), or visit our website at superannoying.com!
Might be easier for annoyed callees to DDOS, and the requirement to have a short URL might be difficult to meet, but it's certainly possible to advertise by an automated system. Stock pumping spams would also be very easily automated.
Re:Not really (Score:1)
While your response is definitely funny, several co-workers and I just got a call a few days ago exactly like this from Comcast in Philadelphia. I consisted of a 2-3 minute recorded message letting us know how Comcastic they were and allowing us to press 1 to hear their new cable offers, or press 2 to hear about their new overpriced VoIP phone service...etc. Sad.
Re:Not really (Score:2)
I get a spam IM about once every few months, if not rarer, and all it contains is an obfuscated link to some camgirl website or something (I haven't clicked, I'm just guessing).
I'll agree that I very rarely get IM spam --- and I subscribe to five different accounts, including ICQ --- but have you visited a Yahoo chat room recently? It's... unfortunate. Rooms will contain 30 bots (usually spamming in 48pt blink red) and, if you're lucky, maybe three actual people. They're practically unusable.
Re:Not really (Score:2)
We're talking about:
for i in do
dial i
done
It's as simple as that for most purposes. Even easier if you have access to a list of usernames (In the sa
Re:Not really (Score:2)
I use AIM, the IM system with the worst reputation, and yet I avoid spam. The few occasions that I've been hit with real spam come from joining a public chat room where half the chatters are lurking bots harvesting screen names - other than that, almost never.
Attacks on VoIP systems? (Score:1)
Re:Attacks on VoIP systems? (Score:1)
Get them out of office 2006.
They've got some nerve! (Score:2)
Filtering (Score:2)
Re:Filtering (Score:2)
VoIP prices are too low for any serious support infrastructure to exist as well. If you ever talk with anybody who works for Vonage or any other large VoIP proider in a technical ca
Re:Filtering (Score:2)
- The VoIP provider could decide it's enough of a feature to implement, and even devote some GUI space to.
- Hackers could reverse engineer the VoIP provider's protocol and implement their own client, which would almost certainly have that feature.
- The VoIP provider, to cut costs, uses an open source solution that already has a good client with this feature and merely rebrands the client, at most.
Really, requiring a particular VoIP client is much like requiring
Re:Filtering (Score:2)
Re:Filtering (Score:1)
And I'm Okay with That (Score:3, Insightful)
E-mail brought us basically free international communication with text and images and attachments. Having to filter spam is a very small price to pay, especially since my off the shelf bayesian filtering (combined with temporary accounts for commercial transactions) lets through one or two "maybes" a year. If I can have basically free voice/video communication around the world, I'll gladly put up with having to secure that as well. Anything off my white-list can go to the "maybe" pile and be routed to voicemail unless I feel like taking random calls. ISPs are already implementing security to prevent spoofing. And I already use voice and video communication without any problems. Really, this is a minor inconvenience that comes with a major advance.
Whitelist Only (Score:3, Interesting)
Maybe the time is now to start this. If they have your #, they should have your email, IM, and there should be a web address with a captcha that gives 24 hour access or something? Maybe that's what it should do instead of infinite ring, "To access my phone, please go to www.whatever.com and type in the number you are trying to dial, and follow the instructions. Thank You."
Re:Whitelist Only (Score:1)
Kool. So I route all my voice spam to that bitch? Where do I sign? How much? (Not that I care, I just need to note it down.)
Challenge/Response Sucks (Score:3, Interesting)
I think this is a little different (Score:1)
"VoIP calls are often routed over the public Internet, and details of those transactions can be spied on by outsiders"
It compares voip to email and talks of spam and phishing. Intercepting email is not how spammers get email addresses. They get addresses posted online and lists of addresses gotten from people who have used the addresses to sign up for shit. I have an old email acct. that is loaded with spam because I have had it posted online and signed up for stuff. I also have an acct. that is o
I almost forgot the voip benefit (Score:1)
Algerath
Re:I think this is a little different (Score:1)
I am, however, surprised that the email address you use for people you know gets no spam. I set up a few of these and they all get some spam, just not nearly as much as my "public" ones. A lot of spam comes from having your friends' PCs become
Already a problem (Score:1)
solved that problem (Score:2, Interesting)
Those experts wouldn't happen to work for ATT... (Score:3, Insightful)
the Nigerian phone call (Score:2)
I'm not saying I would want hundreds of these calls, but I would love to hear at least one of them. I seem to always put a voice to these poorly-worded emails, as I sit wondering how someone could send out tens of millions of copies of a letter without having someone first proofread the text.
I guess if there's money in it, the spammer could hire a good voice to make the call that much more appealin
Reliability is lower too (Score:5, Informative)
You end up depending on both consumer-grade Internet service and electrical power, neither of which is completely reliable. Which is probably OK, esp if you have your cell phone, so I am not advocating against Vonage.
However it strikes me that people generally do not realize that the Internet connection (as the Internet itself) is not completely reliable. At a trade show a sales person was trying to convince of the benefits of their credit card authorization software, which resides on their own server and is accessible as a web service. The idea is that the consumer pays for a service (e.g. in a hair salon) in advance and then gets to use it for a period of time. Not bad stuff, actually, but that is beside the point. When I told her that I am worried about reliability in case the internet connection is down and the customer will not be able to be authorized for the service they already paid for, she looked at me silly and said: "Ihe Interned connection down ? Does that ever happen?" Duh! It happens!
Re:Reliability is lower too (Score:2, Interesting)
Re:Reliability is lower too (Score:2)
It also seems to me that regardless of the infrastructure, consumer Internet connections are not treated with the same importance as phones, yet. So the provider will not jump through hoops to avoid a service interruption. Unless it is their own VOIP service
e-mail is different. (Score:2, Interesting)
Spam Filtering (Score:1)
Voip Vs Email Spam is very different (Score:2)
How much is avg email? about 1kb
How much would a prerecorded voice msg be?
You gonna need a lot of bw to send a lot of voice messages and it will take too long...
Targeted phishing could happen on the other hand.
SIP cloning, international calls, huge bills? (Score:1)
Spit (Voip Spam) will never attain spam ubiquity (Score:3, Insightful)
When you decide to send an email to a group of people from domains A, B and C, where you have multiple recipients in domains A, B and C you only need to send server A one copy of the message with a list of the recipients it handles. The server then spawns copies of this message to all the mailboxes. Theoretically, you only need to make as many connections are there are domains in your distribution list.
Moreover Spam scales well with bandwith. Meaning a large message will arrive faster with more bandwith, not so much with Voip where you have real-time delivery; i.e. think of Voip as a VCR vs downloading your TV shows as files.
What this means for Spit is that they need to make individual connections for each recipient (although I know of some email like systems, but that's another story). Also they need to connect with each recipient's server or terminal as long as the message is.
What this means is that twice as many recipients will cost you twice as much in time and in bandwith for your spit message.
This fondamental difference is in my opinion a deterrent for any spammer worth his salt willing to reach thousands of recipients.
Spit doesn't scale well, spammers know that and will not pursue this activity as agressively as spamming.
Re:Spit (Voip Spam) will never attain spam ubiquit (Score:1)
I'm pretty sure that on the voicemail systems I've used it's possible to forward stored voicemails to multiple recipients.
So:
- VoIP spammer records "LOL, \/\/e g0t \/!agra ch33p" voice message
- VoIP spammer saves voice message "for twenty days"
- VoIP spammer uploads list of skimmed voicemail numbers
- VoIP spammer automates sending of saved voice message to list of skimmed voicemail numbers
- profit!
The recipients phone need not ring, but their "message waiting" ligh
Cat and mouse. Not a new game. (Score:1)
You know folks, this isn't a completely alien concept. Why do you think residential phone subscribers can sign up for the federally enforced national "no-call list".
Just because it's a new technology doesn't mean it's a new idea. It's a shame that people completely overlook the obvious when dealing with new technologies (see Dot Com Bust [wikipedia.org].
Obviously we are aware there is a problem..Thank you TFA.. Now.. everyone run to your terminal to enterprise off the enterprising SOBs that are going to be haxoring my
The phishing threat is probably real. (Score:2)
Re:The phishing threat is probably real. (Score:2, Insightful)
I must've hung up a dozen times before deciding to simply #, * and 0 my way through their menu system until it finally dumped me to a human being with whom I could ask a question (or two, or three...) before giving any personal information.
And the kicker
Voice spam is impractical (Score:3, Informative)
Re:Voice spam is impractical (Score:1, Informative)
Re:Voice spam is impractical (Score:2)
If you are dialing from the internet, to a standard PSTN line (or vice-versa) then you are going through an SBC. Essentially, *both* the signalling and media paths get sent to/from the SBC. The SBC then establishes the "other side" of the call. Just to re-iterate, two calls are established, and then virtually joined through the SBC.
The majority of SBCs that I know of don't answer the local l
Re:Voice spam is impractical (Score:2)
Paragraphs, anyone?
FYI - The Dept of Justice complaints are online (Score:2, Informative)
They do make for interesting reading and outline how Edwin Pena put his scam together.
Dan York
Best Practices Chair, VoIP Security Alliance (VOIPSA) [voipsa.org]
Producer & Co-host, Blue Box: The VoIP Security Podcast [blueboxpodcast.com]
Please mod parent up... (Score:2)
Separating Hype From Reality (Score:2, Insightful)
From my brain:
Really? Havoc? C'mon! Yes, spam is a problem, but my email has never been close to a state of "havoc" because of it, and filters came along pretty quickly. No, they don't work as well as I would like, but they work.
From TFA:
Re:Separating Hype From Reality (Score:1)
Re:Separating Hype From Reality (Score:1)
I was, indeed, just looking at it from an end user point of view. I understand the "social" costs as well, but TFA seemed more focused on scaring the bejaysus out of me as an end user, rather than any reasoned analysis of the true ("social") problem.
And
the beauty of VoIP.. (Score:1)
Re:the beauty of VoIP.. (Score:1)
People put alot of time into these soundboards, there are some really good ones out there.
The Howard Stern soundboard is broken down into greetings, replies, insults, statements.. It is easy to hold somebody thinking they are on the radio for a bit.
Getting somebody to hold a conversation can be golden. Try a department store or your work. A
Someone tried this on me... (Score:1, Interesting)
I don't remember this word for word, but this is the gist...
Years ago, someone called me (with an Indian accent) and told me they were from my bank, specifically from the fraud investigation unit of my bank. They told me that some suspect activity with my credit card account had been detected and asked if I had made a purchase of x dollars at y vendor. I told them that I had not, so they said that they n
Re:Someone tried this on me... (Score:1)
Somehow, someone got at least the following personal information about me, to attempt this attack:
What bank my credit card was with.
Card type (VISA, MCRD, AMEX, etc).
My name.
My phone number.
Although they did indeed need your name and phone number (actually, maybe not even those, if they autodialed incrementally or randomly and just didn't bother to use your name, but that would have probably been too big a tipoff to the ripoff).
For bank and card type,
*shudders* Now think of that with VoIP (Score:2)
Actually, this could be fun (Score:2)
Response percentages must be wrong (Score:3, Insightful)
That's gotta be a misquote or typo, or Ingevaldson is nuts. 1% to 3% is around the accepted minimum for dead tree spam. In an interview with a professional email spammer about a year ago (yeah, I'm too lazy to look it up) she said that she could make a good profit with a 1 in 10,000 response rate! Probably helps explain why I still get penile enlargement spam even though almost everyone on the planet who'd fall for it has undoubtedly already sent in the $50 and gotten the rock and the string.
Compared to IM? (Score:2)
Re:You can thank stupid people. (Score:5, Funny)
Stop stereotyping the Nigerians! We're taking donations to help fight the stereotyping of Nigerians
Re:You can thank stupid people. (Score:1)
Re:You can thank stupid people. (Score:4, Insightful)
Re:You can thank stupid people. (Score:1, Funny)
Anyone who ignores money in a business environment clearly lacks common sense. I saw it every day when I worked with software engineers.
Re:You can thank stupid people. (Score:2)
Within one week of activating a new POTS phone line, I started receiving about three or four calls per night. It got the point where I stopped answering my home phone unless I was expecting a call. I disconnected my answering machine and turned the ringer off for about a month and now the volume of calls have dropped s
Re:You can thank stupid people. (Score:4, Insightful)
Caller ID in combination with an old Mac Classic used as an answering machine has solved our unwanted phone call problems almost perfectly.
The Mac allows the audible, live monitoring of the first 10 seconds of any message coming in within which time we can decide to answer the phone or not. Any number we don't know or not listed is not answered live by us at all unless the caller leaves a message, which is also not answered unless we want to. A large display caller ID shows who is calling. The Mac answers all calls we don't recognize. We have not talked to a single phone solicitor in several years. Something like this should work even better for VOIP, since the computer can contain a list of callers the recipient is willing to talk to. The other calls go into the junk call bin, just as the spam junk e-mail does. The only calls that get answered live are the wanted ones. The do not call list is worthless anyway, but just as the spammers use technology, so, technology can also work against them. Fight fire with fire.
Re:You can thank stupid people. (Score:3, Informative)
I haven't seen options like this on any other VoIP service with a public phone number, anybody suggest any?
Re:You can thank stupid people. (Score:3, Informative)
Why do you say this? I have personally been VERY happy with the DNC list. Yes, market surveys, charitable organizations and political campaign calls still get through, but they are a very small quantity as compared to the "WASTE YOUR MONEY NOW!!" calls we used to receive. And you can still ask all of the orgs who can legal call you to put you on their DNC list, which keeps them from calling again.
Re:You can thank stupid people. (Score:2)
I've noticed that the radio market surveys are outsourced to India, based on the accent of the three people I spoke to last week.
Re:You can thank stupid people. (Score:2)
Re:You can thank stupid people. (Score:1)
Well, the prerecorded messages are fairly easy to deal with... just hang up. You most likely won't get the same message again. And remember that they generally run for a couple months prior to an election. However, if they TRULY bother you, wait until you hear the name of the candidate or the political party, then either contact their campaign manager (email, letter, phone) and tell them if you receive one more phone call, your
Re:You can thank stupid people. (Score:4, Insightful)
That's just like saying email spam won't be any different than junk mail.
VoIP spam is a nightmare in the making. A normal telemarketer needs to pay to have access to the phone network, and needs to be a business so it could be held accountable for any wrongdoings. It cannot operate from China or the long distance costs would kill it. There is only so much calls you can initiate per second from a normal telco trunk. You also need a human operator for each call, the costs per call tipically do not allow you to waste them with recorded message.
Enter VoIP Telemarketing: anonymous Viagra kings, enjoying the anonymity and low cost of the Internet calls to make billions of robot calls from zombied machines. In my opinion, it's the worst threat facing VoIP today.
Re:You can thank stupid people. (Score:2, Funny)