VoIP security wake-up call

Staff Writer  |   August 01, 2006

A recent high-profile hacking case involving VoIP operators has once again focused attention on security issues. How widespread the problem becomes, however, could be dictated by service providers' attention to IP security in general.

Warnings about inherent vulnerabilities in VoIP services are not new, but until recently they were more theoretical than 'in the wild'. That all changed in June, however, when two alleged high-tech thieves were charged with defrauding unwitting service providers of more than a million dollars.


One of the two, Edwin Andrew Pena, was the owner of a seemingly legitimate VoIP wholesaler, Fortes Telecom, which would illegally route calls, up to 10 million minutes' worth, through service providers including Net2Phone and then bill for those calls. The hack involved finding a compromised corporate IP-PBX to disguise where the traffic was coming from - actually an IP variation of a similar scam involving company PBXs from years ago.


(For full details of the incident and charges, the court documents are available here.)

While the incident has gained attention because it's the first large-scale VoIP fraud to be made public, the more important question is, was it an isolated incident or does it point to a growing trend of attacking VoIP services now that there is a critical mass of users? Opinions differ.

VoIP pioneer Jeff Pulver, one of the co-founders of Vonage, believes there is too much hype surrounding the incident. 'I think the theft of minutes from Net2phone was a straight steal and the fact that it was IP minutes is once again getting too much attention,' he told Telecom Asia.

However, there are plenty of experts who believe that there are serious problems that will only grow if security issues related to VoIP are not addressed. David Piscitello, president of network and security consulting firm Core Competence and co-author of the recently published book 'Understanding Voice over IP Security', has noticed a rise in incidents reported through security mailing lists and other forums.

'Increasingly, more VoIP product vulnerabilities are being reported and more inquiries are made about how to penetrate networks through VoIP protocols and SIP/IPBX configurations,' Piscitello said. 'This tells me that VoIP is large enough and there is a financial motivation (eg, toll fraud) to make it a serious target.'

Of course media hype and security do go hand-in-hand, as evidenced by scaremongering about viruses for mobile phones and IM (which is not to say the industry shouldn't pay attention to these platforms). In the case of VoIP, the media focus could also be on the wrong areas, according to David Endler, chairman of the Voice Over IP Security Alliance (VOIPSA) and director of security research for 3Com's TippingPoint security division.


'Lately there seems to be an explosion of press hype around the possibility of hackers exploiting voice over IP networks and services,' Endler said, pointing to areas such as caller ID spoofing, toll fraud, eavesdropping and call hijacking. However, there is less attention given to the threats that can hit any IP data network, including VoIP services, such as denial-of-service attacks, worms, viruses and hacker exploitation.
