The VoIP industry has been preoccupied with making things work right, adding
polish and functionality, expansion, and keeping customers happy. So there hasn’t
been a lot of talk about security issues. But the wise admin remains current
on potential security problems; being surprised by nasty stuff is dreadfully
unpleasant. So we’re going to review some looming security threats, and see
what we can do about them.
This goes at the top of my list because of the name, and because I think spammers
are the lowest forms of life, or at least in the bottom five. SPIT is “SPam
over Internet Telephony.” Nothing is immune from spammers, or their close cousins,
idiot unscrupulous marketers.
Let’s talk about what constitutes good marketing, and what defines evil horrid
spammers. One definition of e-mail spam is unsolicited bulk messages.
Another one is unsolicited commercial e-mail. Spam afflicts all forms
of electronic communication: phone spam, junk faxes, instant messaging, forums,
chat rooms, text messaging, cell phones, blog comments, you name it, spammers
will exploit it.
Spam can also include unwanted communications like chain e-mails (don’t believe
any of them, and for gosh sakes don’t forward them), multiply-forwarded dumb
jokes you’ve already seen a hundred times, and excessive cross-postings. The
common denominator in all of these is the spammer does not bear the cost of
sending out their crud; the costs are shifted to the recipients and intermediaries.
Some estimates claim that every Internet account carries an additional monthly
cost of $5–$10 because of spam, due to wasted bandwidth, storage, abuse
desks, and malware. Something like 90 percent of all e-mails are spam; that’s
a huge amount of wasted resources.
These days, most spam is hardly about selling things anymore; it is funded
by organized crime with the goal of conscripting your (mainly Windows) computers
into the worldwide botnet. These are then used for extortion via distributed
denial-of-service attacks, identity theft, spewing yet more spam and malware,
DNS hijacking, data theft, and future as-yet-unknown exploits.
But the old-fashioned varieties of spam, which are intended to sell some kind of actual junk or another, are far from extinct. My fellow science fiction fans have seen the future in decades-old stories: intrusive advertising everywhere—impossible to escape from. We pay a mint for cable or satellite TV, and not only do we still have commercials shouting at us, we have commercials popping up during the programs. Shopping carts carry little billboards. Stores are full of TVs bellowing commercials at us. Professional athletes are branded from head to toe; in team sports there is barely room left for the team logo. My favorite horrid example: certain HP inkjet printers from a few years ago had a “feature” that allowed HP to send ads directly to your printer, to be printed out in full color, using your inks and your paper.
I apologize for perhaps ranting on excessively, but I still encounter too many folks who don’t take security threats seriously. We’re all on the same Internet, so we’re all affected.
Marketing itself isn’t evil; it’s how it’s done that rates a “good” or “evil” label. For most of us product marketing doesn’t carry a life-or-death imperative; we’re so bombarded we just plain don’t care. We’re numb. Indifferent. Get off our lawns. In the United States especially there are so many redundant products and services, with little to differentiate them, that I doubt the average person would notice if half of them disappeared overnight. An amazing amount of marketing is obnoxious: loud, intrusive, and completely unattractive. Sometimes it’s so bad I wonder if it’s done by competitors.
The magic words, in the context of electronic communications, are Opt-In.
We don’t pay for cell phones and e-mail and Internet access and VoIP services
just to provide marketers with free pipelines into our lives. Potential customers
don’t want to be assaulted—we wish to be wooed.
Is SPIT a real threat?
I have not been able to find any reports of confirmed SPIT attacks. But I’ll bet money it’s just a matter of time. You know those nice powerful iPBX systems we talk about here on Enterprise VOIP Planet, the ones that make call centers and automated calling so easy and inexpensive? Well, that works for everyone, not just us honest decent folk.
The old-fashioned way of spamming the PSTN
is done with predictive dialers. Phone spammers don’t bother with keeping anything
resembling a clean database of phone numbers, but call all of them in a range.
So it doesn’t matter if the numbers are unlisted, or on a Do Not Call list—they’ll
still get hit. The inherent limitation of PSTN spamming is the cost; outside
of the local calling area it gets expensive. This is still the bottleneck for
VoIP calls as well; anything that touches the PSTN will cost.
But what if you bypass the PSTN, which has been the big promise of VoIP for
lo these many years anyway? Then it’s just like e-mail—a potential worldwide
audience for dirt-cheap, and potential for all the usual Internet abuses such
as malware, DDoS attacks, and so forth. An excellent
post on the VoIP Security Alliance mailing list sums it up:
“So essentially VoIP deployments are still all islands connected
together through the PSTN…But once you start allowing connections to your
SIP trunk from other *random* SIP endpoints, now you open yourself up to potential
of the automated attacks that make good headlines (i.e., script kiddies can
make a script that goes and floods a SIP server with SIP INVITE messages and
then starts streaming RTP to whatever endpoints answer) and generally automate
the PSTN war-dialing of today…Whether or not that potential for automated
attacks becomes a reality will probably largely depend on how well standards
evolve for assuring identity…”
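The post above describes the attack as an automated INVITE flood from random SIP endpoints and pins the defense on assuring identity. The Python below is an added example, not code from this column or from VOIPSA, sketching the gate a SIP proxy would put in front of a trunk: INVITEs from peered trunks are trusted by their transport address and may only assert the From: domain agreed with that peer, while INVITEs from unknown sources are challenged to authenticate and rate-limited so a flood is cut off. The peer addresses, domains and SIP messages are all constructed for illustration.

```python
"""Added example (not from the article): a toy SIP INVITE gatekeeper.
Peered trunks are accepted only for the From: domain they are allowed to
assert; unknown sources must authenticate and are rate-limited. All
addresses, domains and messages here are constructed for illustration."""
import re
from collections import defaultdict, deque

# Hypothetical peering table: source IP of a trusted trunk -> the domain it
# may assert in From:. Trust rests on the transport peer, never on From: alone.
TRUSTED_PEERS = {"198.51.100.7": "trunk.example.com"}

WINDOW_SECONDS = 10.0        # sliding window for the flood check
MAX_INVITES_PER_WINDOW = 5   # unknown sources get this many INVITEs per window

_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+SIP/2\.0$")
_SIP_URI = re.compile(r"sip:(?P<user>[^@>;\s]*)@(?P<host>[^>;\s]+)")


def parse_request(raw):
    """Return (method, request_uri, headers) for a SIP request, else None."""
    lines = raw.strip().splitlines()
    if not lines:
        return None
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # blank line ends the headers; SDP body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return m.group("method"), m.group("uri"), headers


def from_domain(headers):
    """Domain asserted in From:, lower-cased, or None if absent/unparseable."""
    m = _SIP_URI.search(headers.get("from", ""))
    return m.group("host").lower() if m else None


class InviteGate:
    def __init__(self, trusted_peers, window=WINDOW_SECONDS, limit=MAX_INVITES_PER_WINDOW):
        self.trusted_peers = trusted_peers
        self.window = window
        self.limit = limit
        self._recent = defaultdict(deque)   # src_ip -> timestamps of recent INVITEs

    def decide(self, ts, src_ip, raw):
        parsed = parse_request(raw)
        if parsed is None:
            return "drop-malformed"
        method, _uri, headers = parsed
        if method != "INVITE":
            return "pass"                   # this policy is only about call setup
        claimed = from_domain(headers)
        peer_domain = self.trusted_peers.get(src_ip)
        if peer_domain is not None:
            # Known trunk: accept, but only for the domain it is allowed to assert.
            return "accept" if claimed == peer_domain else "reject-spoof"
        if claimed in self.trusted_peers.values():
            # From: is trivially forged; a trusted domain from an unknown address is a spoof.
            return "reject-spoof"
        recent = self._recent[src_ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()
        if len(recent) > self.limit:
            return "reject-flood"           # drop it: automated INVITE flood
        return "challenge"                  # 401/407: unknown caller must authenticate


def invite(from_user, from_host, to_user="1001", call_id="c1"):
    """Minimal INVITE built for this example; not captured traffic."""
    return (
        f"INVITE sip:{to_user}@pbx.example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {from_host};branch=z9hG4bK{call_id}\r\n"
        f"From: <sip:{from_user}@{from_host}>;tag=t{call_id}\r\n"
        f"To: <sip:{to_user}@pbx.example.net>\r\n"
        f"Call-ID: {call_id}@{from_host}\r\nCSeq: 1 INVITE\r\nContent-Length: 0\r\n\r\n"
    )


# Constructed traffic: (seconds, source IP, raw request).
SAMPLE_EVENTS = [
    (100.0, "198.51.100.7", invite("alice", "trunk.example.com", call_id="a1")),
    (100.5, "198.51.100.7", invite("bob", "other.example.org", call_id="a2")),
    (101.0, "203.0.113.9", invite("ceo", "trunk.example.com", call_id="s1")),
    (102.0, "203.0.113.9", "REGISTER sip:pbx.example.net SIP/2.0\r\nFrom: <sip:x@203.0.113.9>\r\n\r\n"),
    (103.0, "203.0.113.9", "GET / HTTP/1.1\r\n\r\n"),
] + [
    (104.0 + i, "203.0.113.9", invite(f"bot{i}", "203.0.113.9", to_user=str(2000 + i), call_id=f"f{i}"))
    for i in range(7)
]


def run_sample(events=SAMPLE_EVENTS):
    """Run the gate over the sample and return one decision per message."""
    gate = InviteGate(TRUSTED_PEERS)
    return [gate.decide(ts, ip, raw) for ts, ip, raw in events]


if __name__ == "__main__":
    for (ts, ip, _), verdict in zip(SAMPLE_EVENTS, run_sample()):
        print(f"t={ts:6.1f} {ip:<14} {verdict}")
```

The point the gate makes is the one the post makes: the From: header is just text, so identity has to come from something the caller cannot forge (here the peering address; in a real proxy, authentication or a cryptographic identity mechanism), and anything that has not proven who it is gets a rate limit, not a free pipe to your extensions. Over the constructed sample the peered trunk's own call is accepted, its call claiming someone else's domain and the stranger claiming the trunk's domain are rejected as spoofs, the stranger's first five INVITEs are challenged, and the sixth and seventh are dropped as a flood.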
The fun is just beginning; come back next week to learn more scary VoIP threats!
VOIPSA.org is an excellent resource for staying on top of VoIP security issues.