Pharming and other security woes hector VoIP

Low-cost voice over Internet Protocol (VoIP) phone services now capturing the general public's imagination are indeed being targeted by online attackers, who have been known to eavesdrop on calls, deny customers access to their VoIP service and cause "clipping," or degraded service quality, on some accounts, say executives gathered here for Supercomm 2005, a major phone trade show.

VoIP's security problems only heighten concerns simmering since January, when a Harris Interactive poll found that 60 percent of all adults in the United States who are aware of Internet telephony but not using it believe it could be subject to security and privacy issues.

VoIP's security vulnerabilities both highlight the enormous potential of the service and threaten to derail the success of freely distributed VoIP software, which lets any Internet connection also serve as a home or business phone line. About 7.5 million out of 200 million homes and offices have traded in their traditional phone lines for VoIP. But research firm Gartner predicts there could be as many as 25 million VoIP-connected homes by 2008. Among the big draws: VoIP operators' $20-a-month unlimited calling plans.

One of VoIP's flaws is that it is inherently vulnerable to hackers because, like e-mail, VoIP calls find their way by locating an IP (Internet Protocol) address, a unique set of numbers assigned to each device connected to the Web. Yet while scores of commercial VoIP providers have quickly expanded to take advantage of the growing interest in the service, many have not implemented even basic security measures, such as encrypting phone calls.

While information about attacks on VoIP systems are mostly still the stuff of white papers, some businesses using the service are encountering attacks, according to corporate phone-systems integrator BearingPoint Institute, which didn't provide details.

"Security is crucial to broad acceptance of IP telephony," said Christian Stredicke, founder of Berlin-based Snom Technology and a speaker at a Supercomm security summit.

Time may be running out to completely contain VoIP security threats, however. In January, analysts at Gartner said it will be only two years before organized attacks begin on signaling networks, the portions of telephone networks that carry the routing instructions that ensure calls reach the right place.

"Not surprisingly, as many VoIP operators rush to capture new business, hackers are rushing too--to explore and exploit ways to steal or disrupt these services," Stephen Doty and Fred Hoffmann, two BearingPoint managers, wrote in a recently released white paper.

For their part, many VoIP service providers and equipment makers are turning to the relatively new Voice over IP Security Alliance. The alliance will define security requirements across a variety of VoIP deployments and address issues such as security-technology components, architecture and network design, network management, and end-point access and authentication.

New VoIP security threats seem to come every week, a brisk pace. One that recently surfaced is a VoIP version of pharming, one of the latest security scares for Internet users of all sorts.

Pharming exploits vulnerabilities in a piece of network equipment responsible for translating e-mail and Web addresses into IP addresses. Security experts speaking at Supercomm this week said that, by hijacking a domain-name system (DNS) server--a computer that stores and organizes IP addresses--pharmers get control of VoIP calls.

Without their knowledge, VoIP users' calls could then be redirected to IP addresses completely different from the ones the users dialed, warns Paul Mockapetris, the inventor of the domain name system.

The list of different VoIP attacks is growing and highlights the adaptibility of the attackers.

One of the earlist VoIP threats identified, Caller ID spoofing, substitutes someone else's Caller ID information as your own.

The security problem known as clipping, meanwhile, occurs when a cable modem is targeted with a huge flood of traffic, creating a "clipping" disruption on VoIP phone calls. Another type of attack, called V-bombing, occurs when thousands of voice mails are targeted simultaneously to a single VoIP mailbox.