Careful with that call

Featured eBooks
Changes in State and Local Government Workforces
NASCIO Special Report 2024
A New Era of Social Media Regulation
Insights & Reports
Short-term rentals and state legislation for local governments
Presented By Granicus
Download Now
The Way Forward: Essential Steps for Strategic Planning Success
Presented By Euna Solutions
Download Now
By William Jackson
 

Connecting state and local government leaders

By William Jackson

|

It's only a matter of time until IP telephony is hit by spam and malware, experts say.

E-mail was the killer app for the Internet, the tool that made global network connectivity a must-have in every office and home. But vulnerabilities in the Simple Mail Transfer Protocol have made e-mail a primary source of malicious code and unwanted messages.

Today, 90 percent of e-mail messages are spam, said Chris Rouland, chief technology officer at IBM Internet Security Systems. Another 5 percent is phishing, and 3 percent is viral.

Many of the vulnerabilities that have made e-mail a headache are spreading to voice-over-IP systems, raising the specter of a new generation of security threats.

'SMTP is a failure,' Rouland said. 'It is not tenable for our telephone system to devolve to that level.' So far, it hasn't. 'We haven't seen widespread threats yet,' he said.

But now is the time to begin defending systems, before hackers and thieves start exploiting VOIP vulnerabilities, say a growing number of security experts.

'There is no reason to believe the bad guys will not exploit this,' said Mustaque Ahamad, professor of computer science and director of Georgia Tech's Information Security Center.

As the Internet and other packet-switched networks have become more tightly integrated into business enterprises, voice has been added to the applications handled by IP networks.

Growth in available bandwidth and improvements in service delivery have made Internet telephony comparable in quality and reliability with traditional public switched telephone networks (PSTNs), and VOIP's increased efficiency and functionality have led to a steady growth in its adoption in recent years.

A primary reason Internet telephony has not yet been targeted by hackers is that e-mail and a growing number of Web applications provide well-known and successful avenues for breaching information technology systems and stealing data, said Ahamad, who is researching trust mechanisms for telephone systems. But as the security bar is raised on traditional data systems, VOIP could become more attractive to hackers.

'When does this become the path of least resistance?' Ahamad asked. 'We have learned that we don't want to be blindsided.'

VOIP inherits all the vulnerabilities of the operating systems and other platforms on which it is built in addition to those of VOIP server software and endpoint applications.

But interest in the security implications has been late in coming.

'In 2003, some Finnish researchers created the first fuzz tests for VOIP,' Rouland said, referring to a type of brute-force vulnerability testing in which random data is put into applications to look for failures. 'There were a lot of vulnerabilities in the products because they were new.'

In addition to exploiting technical vulnerabilities, bad guys might also use VOIP to deliver unwanted messages that resemble e-mail spam (sometimes called spit ' spam over Internet telephony) or phishing (vishing). The relative security of the PSTN phone systems we grew up with makes the VOIP trust issue even more critical, Rouland said.

'We know not to trust e-mail,' he said. 'But we have learned to trust caller ID.'

Three years ago, before IBM acquired Internet Security Systems, the company began looking at threat models for VOIP.

'We don't want to be spreading fear, uncertainty and doubt,' Rouland said. 'But given the vulnerabilities and the reality of fraud, it is unrealistic to think it won't happen.'

IBM ISS is not the only company addressing VOIP insecurity. VoIPshield Systems published a list in April of 44 discrete vulnerabilities in VOIP systems sold by Avaya, Cisco Systems and Nortel Networks.

VoIPshield was founded in 2005, and 'a lot of our energy has gone into this research,' said Rick Dalmazzi, the company's president and chief executive officer.

Avaya, Cisco and Nortel were chosen for the initial round of research because of their products' wide adoption in the North American market. VoIPshield notified the vendors of its findings before it released them to the public. Under its disclosure policy, VoIPshield works with vendors to help them re-create vulnerabilities in their test labs and offers remediation assistance.

'The research is not an end in itself but a means to an end,' which is developing secure VOIP products, Dalmazzi said.

The company is selling VoIPaudit, a vulnerability assessment tool, and VoIPguard, an intrusion-prevention system. The initial market for the products has been in the more heavily regulated sectors, including financial and health care institutions, insurance companies and government agencies.

'We're dealing with the leading edge,' Dalmazzi said. 'We do a lot of evangelizing. The entire [VOIP] industry is not taking security seriously enough'because no one has felt any pain yet.'

Dalmazzi speculated that we are in the reconnaissance phase of VOIP threats, with hackers watching and cautiously poking around the edges. Evidence of exploits so far is mostly anecdotal. 'We don't really know how much of this is going on,' he said.

But the stakes could be high, said Bogdan Materna, chief technical officer at VoIPshield.

There are an estimated 800 million PCs worldwide but about 1.2 billion telephone landlines and another 2 billion wireless handsets.

Vulnerabilities found so far in VOIP systems are similar to those in other applications: They can allow the execution of arbitrary code on an endpoint such as a telephone handset or a laptop PC running a softphone client, allow malicious code to be planted, or siphon off sensitive information. Exploits could allow the theft of service by establishing unauthorized accounts on an IP switch or gateway, create denial-of-service attacks, or allow eavesdropping on conversations.

If voice services run on the same network that carries an enterprise's data ' one of the efficiencies that can make VOIP attractive ' such exploits could put the entire data network at risk.

'When your laptop becomes your phone,' the risk is carried over, Dalmazzi said.

Although VOIP vulnerabilities have received little attention, companies are responding well to VoIPshield's disclosures, Dalmazzi said.

'Cisco is a little more familiar with the process, so they have been more proactive,' in fixing problems, he said. Avaya and Nortel do not have the same history in IP networking.

But all three companies have released security alerts based on the disclosures, and their incident response teams have worked well with VoIPshield, he said.

Georgia Tech's Information Security Center began working on ways to add security to VOIP protocols and services about two years ago with support from IBM and Bell South, Ahamad said. Several grad students and faculty members are working on vulnerability analysis and response, and they have found flaws that would allow execution of code on VOIP handsets.

'We were able to very easily compromise them in ways that could have serious consequences,' he said.

Although underlying bugs and implementations that create vulnerabilities are essentially the same for VOIP as for other applications, blocking exploits and spam poses a problem.

'It's a lot harder to deal with than e-mail,' Ahamad said. Phone calls typically are answered as they are received, but e-mail collects in an inbox before it is viewed. Because voice calls are sensitive to latency, filtering at a gateway is more difficult. The problem is compounded by the fact that 'we don't have a lot of real data about VOIP spam.'

The Information Security Center has been studying signals and signatures in audio packets to get a better understanding of what they can reveal about their content. Researchers also are working on so-called soft credentials that could assign a level of trust to voice calls based on social-networking techniques and circles of trust. If one user trusts a caller, a second user who trusts the first user could probably also trust the caller. One drawback of the circles of trust is that they cannot be extrapolated very far. The larger the community they apply to, the less precise they are likely to be.

Levels of trust can be assigned by studying who talks to whom, under what circumstances and for how long. A number that is called frequently and with long connections is likely to be trusted. The technique is less precise than signatures or black lists but more dynamic and better suited to phone calls. It requires a learning period while the system studies the user's calls to determine patterns of trust, Ahamad said.

'It builds pretty quickly,' he said. 'After a learning period, it is very effective.'

The trust system is still an academic project rather than a product. But with the attention being given to VOIP security today, Ahamad said he believes users will be able to protect themselves when exploits begin to appear. 'I think we're going to be ready.'

VoIPshield
Systems recently released the results of vulnerability research on the most
widely used voice-over-IP systems. Researchers found more than 100 design or
implementation flaws in products from Avaya, Nortel Networks and Cisco Systems
that could allow outsiders to execute code on handsets, PCs or servers;
compromise systems; block service; or steal accounts.



The
results have been published as 44 discreet vulnerabilities at www.voipshield.com/research.
VoIPshield has worked with the vendors to find fixes for the problems and is
incorporating the information into its VOIP vulnerability analysis tool and
intrusion-prevention system.






















VOIP vulnerabilities



A study by VoIPshield
Systems identified 44 vulnerabilities in three vendors' voice-over-IP
systems.



By vendor



By severity



Patches



● Avaya: 12



● Nortel: 5



● Cisco: 27



● Critical: 15



● High: 9



● Medium: 11



● Low: 9



● Available: 17



● Being developed: 27




NEXT STORY: Revised tables for PIV unique identifiers released

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.