VoIPowering Your Office: The Looming SPIT Threat
The conditions aren't yet right for massive IP-based phone spam; that's why now is the right time to deal with it.
The VoIP industry has been preoccupied with making things work right, adding polish and functionality, expansion, and keeping customers happy. So there hasn't been a lot of talk about security issues. But the wise admin remains current on potential security problems; being surprised by nasty stuff is dreadfully unpleasant. So we're going to review some looming security threats, and see what we can do about them.
This goes at the top of my list because of the name, and because I think spammers are the lowest forms of life, or at least in the bottom five. SPIT is "SPam over Internet Telephony." Nothing is immune from spammers, or their close cousins, idiot unscrupulous marketers.
Let's talk about what constitutes good marketing, and what defines evil horrid spammers. One definition of e-mail spam is unsolicited bulk messages. Another one is unsolicited commercial e-mail. Spam afflicts all forms of electronic communication: phone spam, junk faxes, instant messaging, forums, chat rooms, text messaging, cell phones, blog comments, you name it, spammers will exploit it.
Spam can also include unwanted communications like chain e-mails (don't believe any of them, and for gosh sakes don't forward them), multiply-forwarded dumb jokes you've already seen a hundred times, and excessive cross-postings. The common denominator in all of these is the spammer does not bear the cost of sending out their crud; the costs are shifted to the recipients and intermediaries. Some estimates claim that every Internet account carries an additional monthly cost of $5$10 because of spam, due to wasted bandwidth, storage, abuse desks, and malware. Something like 90 percent of all e-mails are spam; that's a huge amount of wasted resources.
These days, most spam is hardly about selling things anymore; it is funded by organized crime with the goal of conscripting your (mainly Windows) computers into the worldwide botnet. These are then used for extortion via distributed denial-of-service attacks, identity theft, spewing yet more spam and malware, DNS hijacking, data theft, and future as-yet-unknown exploits.
But the old-fashioned varieties of spam, which are intended to sell some kind of actual junk or another, are far from extinct. My fellow science fiction fans have seen the future in decades-old stories: intrusive advertising everywhereimpossible to escape from. We pay a mint for cable or satellite TV, and not only do we still have commercials shouting at us, we have commercials popping up during the programs. Shopping carts carry little billboards. Stores are full of TVs bellowing commercials at us. Professional athletes are branded from head to toe; in team sports the team logos are barely allowed. My favorite horrid example is certain HP inkjet printers from a few years ago had a "feature" that allowed HP to send ads directly to your printer, to be printed out in full color. Using your inks and your paper.
I apologize for perhaps ranting on excessively, but I still encounter too many folks who don't take security threats seriously. We're all on same Internet, so we're all affected.
Marketing itself isn't evil; it's how it's done that rates a "good" or "evil" label. For most of us product marketing doesn't carry a life-or-death imperative; we're so bombarded we just plain don't care. We're numb. Indifferent. Get off our lawns. In the United States especially there are so many redundant products and services, with little to differentiate them, that I doubt the average person would notice if half of them disappeared overnight. An amazing amount of marketing is obnoxious; loud, intrusive, and completely unattractive. Sometimes it's so bad I wonder if it's done by competitors.
The magic words, in the context of electronic communications, are Opt-In. We don't pay for cell phones and e-mail and Internet access and VoIP services just to provide marketers with free pipelines into our lives. Potential customers don't want to be assaultedwe wish to be wooed.
Is SPIT a real threat?
I have not been able to find any reports of confirmed SPIT attacks. But I'll bet money it's just a matter of time. You know those nice powerful iPBX systems we talk about here on Enterprise VOIP Planet, the ones that make call centers and automated calling so easy and inexpensive? Well, that works for everyone, not just us honest decent folk.
The old-fashioned way of spamming the PSTN is done with predictive dialers. Phone spammers don't bother with keeping anything resembling a clean database of phone numbers, but call all of them in a range. So it doesn't matter if the numbers are unlisted, or on a Do Not Call listthey'll still get hit. The inherent limitation of PSTN spamming is the cost; outside of the local calling area it gets expensive. This is still the bottleneck for VoIP calls as well; anything that touches the PSTN will cost.
But what if you bypass the PSTN, which has been the big promise of VoIP for lo these many years anyway? Then it's just like e-maila potential worldwide audience for dirt-cheap, and potential for all the usual Internet abuses such as malware, DDoS attacks, and so forth. An excellent post on the VoIP Security Alliance mailing list sums it up:
"So essentially VoIP deployments are still all islands connected together through the PSTN...But once you start allowing connections to your SIP trunk from other *random* SIP endpoints, now you open yourself up to potential of the automated attacks that make good headlines (i.e., script kiddies can make a script that goes and floods a SIP server with SIP INVITE messages and then starts streaming RTP to whatever endpoints answer) and generally automate the PSTN war-dialing of today...Whether or not that potential for automated attacks becomes a reality will probably largely depend on how well standards evolve for assuring identity..."
The fun is just beginning; come back next week to learn more scary VoIP threats!
VOIPSA.org is an excellent resource for staying on top of VoIP security issues