It took e-mail spam almost 10 years to tie our inboxes in knots. It took just a year for instant-message spam, or spim, to clutter our computer screens. Will Voice-over-IP, or VoIP, follow the same path with an even more dramatic impact?
Users of VoIP grew eight-fold between 2003 and 2004, according to researchers at the Yankee Group. In the enterprise, VoIP has made its way into 40 percent of large enterprises and a third of smaller companies, according to In-Stat/MDR research.
The reason for VoIP’s popularity is clear: routing telephone calls through the Internet is inexpensive. However, VoIP could come with a hidden price tag of increased security worries. VoIP security problems could negate those savings and demand increased resources if not managed properly, says Martin Roesch, CTO of Sourcefire and creator of Snort, a popular intrusion detection tool.
Roesch is speaking of lost productivity, business deals not closed, and the need for another layer of consultants and advisors due to a logjam of voicemail.
What is VoIP spam?
VoIP spam would come in the form of voice messages. Unlike e-mail, which can be filtered, voice mail has to be dealt with in real time: you listen to a message, decide what, if any, action to take, then proceed to the next voice mail.
Now imagine your company’s voice mail system overwhelmed by thousands of messages from spammers offering everything from male enhancements to second mortgages.
What should be done about this potential threat? Opinions are mixed: some say it’s too early to act; others believe it’s never too early.
On one side are the voices saying VoIP is still in its infancy and presents little danger at its current stage. Pierce Reid, vice president of marketing for Qovia, a VoIP management firm, draws a comparison between e-mail and VoIP.
There are 30 to 40 million e-mail users compared to around 600,000 VoIP subscribers, says Reid. While an estimated 1.2 billion unwanted e-mails flooded computers in 2004, no actual VoIP security problems have so far reached public notice.
Another reason for the absence of reported security trouble is that VoIP simply is not available to black hats to the degree e-mail or IM is now. “Accessibility is lacking,” according to David Endler, CTO of intrusion prevention firm Tipping Point and chairman of the recently created VoIP Security Forum. The alliance, with members from the VoIP industry, government, and academia, hopes to identify and avert attacks.
“People aren’t going to be sending spam to your phone soon,” says Ron Gula, CEO of Tenable Network Security and member of the VoIP Security Alliance.
Only the tip of the iceberg?
While the spam threat may not loom large in VoIP’s immediate future, there are other worrisome areas. “The real risk now is not spam, per se; the concern is denial of service,” says Reid. Although VoIP spam could prove a practical annoyance, it would, in effect, create a denial-of-service attack where an enterprise’s vital operations are slowed or even brought to a halt.
Imagine a flood of VoIP spam choking the lines of a 911 call center, for example. “That’s the worst case scenario,” says Endler.
Answers for whenever . . .
“We were able to create an algorithm” that distinguishes voice mail left by a machine, says Qovia’s Reid. “If packets are identical, they are not random enough to be human.”
Another tool, “fuzzor,” tests for SIP security holes. Kevin Kealy, the AT&T Labs computer security expert who coined the term SPIT, helped develop a way for AT&T to rid its network of VoIP spam; he calls the tool the spittoon.
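The "identical packets" remark above can be illustrated with a short detection sketch. This is an added example, not Qovia's algorithm (which the article does not describe): it assumes the RTP packets of each voice mail are available as raw bytes, and all function names, the threshold and the sample data are hypothetical.

```python
import hashlib
import random
import struct

def rtp_payload(packet: bytes) -> bytes:
    """Return the media payload of an RTP v2 packet (RFC 3550 header layout)."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        raise ValueError("not an RTP version 2 packet")
    offset = 12 + 4 * (packet[0] & 0x0F)           # fixed header + CSRC list
    if packet[0] & 0x10:                           # X bit: header extension
        if len(packet) < offset + 4:
            raise ValueError("truncated header extension")
        offset += 4 + 4 * struct.unpack_from("!H", packet, offset + 2)[0]
    end = len(packet)
    if packet[0] & 0x20:                           # P bit: last byte = pad length
        end -= packet[-1]
    if offset > end:
        raise ValueError("truncated RTP packet")
    return packet[offset:end]

def fingerprint(packets):
    """Hash payloads only, so sequence numbers, timestamps and SSRC are ignored."""
    return {hashlib.sha256(rtp_payload(p)).digest() for p in packets}

def flag_repeated_messages(messages, threshold=0.9):
    """Indexes of messages whose payloads mostly repeat earlier ones (threshold assumed)."""
    seen, flagged = set(), []
    for index, packets in enumerate(messages):
        prints = fingerprint(packets)
        if prints and len(prints & seen) / len(prints) >= threshold:
            flagged.append(index)
        seen |= prints                             # first copy is never flagged
    return flagged

def constructed_messages():
    """Constructed sample: two live callers and one recording delivered three times."""
    rng = random.Random(1)
    frames = lambda n: [bytes(rng.getrandbits(8) for _ in range(160)) for _ in range(n)]
    def rtp(start, ssrc, payloads):                # new header values for every call
        return [struct.pack("!BBHII", 0x80, 0, start + i, 160 * (start + i), ssrc) + p
                for i, p in enumerate(payloads)]
    recording = frames(50)
    return [rtp(10, 1, frames(50)), rtp(1000, 2, recording), rtp(20, 3, frames(50)),
            rtp(7, 4, recording), rtp(500, 5, recording)]

if __name__ == "__main__":
    print(flag_repeated_messages(constructed_messages()))
```

Live speech picks up different line noise on every call, so its encoded frames rarely match byte for byte, while a replayed recording produces the same payloads each time; a sender that transcodes or adds noise per call would defeat this exact-match comparison.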