To understand the significance of voice over IP (VoIP), it’s useful to travel back in time. Specifically, go to 4.45am on Sunday, September 3, 1967. If you happened to be in a car in Sweden at that moment, you had to stop the car and do nothing for five minutes. Then at 4.50am you had to move your car from the left side of the road to the right, and then stop again. Finally, at 5am, you could proceed, on the right. In those 15 minutes, the entire country changed a 300-year-old custom of vänstertrafik, left-side driving, to högertrafik, right-side driving.
In fact Dagen H, or H Day as it was called (the H for Högertrafik), began earlier than 4.45 that morning. It began in 1963, when the Riksdag (Swedish parliament) voted to switch in order to simplify border crossings with right-side driving Norway, and to reduce accidents associated with Sweden’s use of left-hand-drive cars on the left, which puts the driver at the edge of the road instead of the middle.
It was an epic cultural and infrastructural shift. Sweden created the Högertrafikkommission (HTK) — an entire bureaucracy to manage the massively complex project. Bus stops jumped sides of the street, traffic lights moved, roads got new lines and signs, one-way streets went the other way. And, of course, people had to figure out how to drive on the right, so an education programme started that included psychologists.
Even the day itself was more complex than a 15-minute square dance of Saabs and Volvos. In fact, non-essential vehicles were banned from the roads until 6am, an hour past the official 5am crossover. Stockholm extended its ban until 3pm. A picture taken of a street in Stockholm right before the switch shows vehicles comically strewn across a street, like someone bumped a table full of Matchbox cars. Still, it worked. No fatalities were reported on Dagen H, and over the long term it seemed to have the desired effect, or at least no measurable negative effect, on road safety.
Similar to Dagen H, the change-over from plain old telephone service, POTS, to VoIP will deeply challenge ingrained customs. For 100 years, telecommunications has been carried on closed proprietary networks, highly stable but limited in their applications, and connected to tens of millions of cheap appliances, dumb terminals called phones. A utility.
As voice over IP and voice over the internet grow, telcos will change to become open and extensible, capable of supporting limitless new applications, often traversing an insecure and unstable public network and connected to complex and vulnerable multitasking end-points called computers. An enterprise.
Unlike Dagen H, though, VoIP is switching over organically, driven by market forces, not a bureaucracy. There is no four-year plan and no education programme preceding its rollout. No choreographed crossover on some target date. VoIP is just kind of happening.
This would seem to create security concerns and, yes, VoIP is following IT tradition by being rushed to market before its security implications have been thought through. But this story isn’t another lecture to CIOs on the need to secure VoIP. Regardless of how well the protocol is secured, security executives have a far more substantial challenge: mapping the new threat-landscape of voice communications when their organisations decide to shift from closed to open, from dedicated to shared, from utility to enterprise.
With VoIP, phone conversations move around the world in the same way — sometimes on the same fibre-optic cable — that email, spam, World Cup video highlights, IM conversations and malicious software attacks all move around the world, as little packets of 0s and 1s.
It is a cultural and infrastructural shift as epic as Dagen H. Soon, in a very real way, voice will no longer be voice. It will be data.
“We have this inherent belief in a certain quality of service and security with phones, of what the system can do for us,” says Andrew Graydon, the chair of the VoIP Security Alliance. “Most of that is pure speculation; we don’t know for real, but it doesn’t matter. It’s what people believe.”
Just what people believe, without ever really thinking about it, is quite specific and detailed. People believe that their phones will work, perhaps even in a blackout; that the number they dial will connect to the phone assigned to that number, and the number that caller ID identifies is where that call comes from. They believe the call is not being surreptitiously recorded; that people taking advantage of the system, like telemarketers, can be controlled; and that breaking into the system is difficult enough to make it an undesirable criminal vector, which in turn pushes vulnerability elsewhere (to, say, computer communications).
People believe all this because of voice communications’ heritage as a utility. That heritage is due in part to regulation of the technology, but also to the limitations of the analog technology itself. It was analog, copper wires carrying electrical pulses into microphones and out of speakers, that led to a dedicated, closed network because that’s all the technology could handle, really.
Today, most of the PSTN, public switched telephone network, is digital, not analog. But the so-called last mile — the part of the connection from home or office phone across tall wooden poles along the street and into the exchange — remains predominantly analog. As long as that’s part of a phone call, some of those inherent beliefs about the security and availability of the phone can remain.
Users of VoIP will have to adjust their expectations. Most VoIP calls completed today sidestep the first (or, if it’s an incoming call, last) mile. In the consumer setting, VoIP usually comes as an internet service, such as Skype. In a corporate setting, most VoIP deployments to date have been as internal corporate voice networks. It’s early on, especially in the corporate setting, where customers are starting by using it just as a (potentially) less expensive voice line and easing into the advanced applications VoIP services promise.
Eventually, VoIP phone companies want to eliminate the last mile of POTS that runs into houses and offices to open up a huge potential consumer and business market for VoIP. They want “pure” IP voice for two reasons. One: cost. It’s cheaper for them to carry voice over public and private IP networks than it is to transmit over proprietary networks, so they can charge less. And two: it opens new applications. The open protocols that are used to support a pure VoIP phone call can support countless new services. To get an idea of what kind of services, one can look to the cellphone world where email, web access, games, photos and video are all getting mashed up with phone calls. A so-called killer app for businesses would be combining voice with documents, collaboration software and presentation materials to get many people located in several places talking and working together. Still other applications will come, many not yet imagined, all of which promise to generate new revenue.
But that openness and application-rich environment, as the vendors would call it, also mean that all of that inherent, culturally ingrained faith in the phone goes away.
“Dedicated protocols give you control,” says Robert Garigue, chief security executive and VP for information integrity at Bell Canada Enterprises. “The reality of living on open protocols [like IP] is that the complexity is beyond the imagination of the designers. As you extend them, you realise there are new points of concern. We have a baseline service. How it can be extended, plugged in or mashed up to other applications — it’s just the start. The bad guys are going to find new opportunities with VoIP that will turn into business models.”
The deeply philosophical choice to switch voice platforms (though it probably won’t be thought of in such lofty terms) replaces a system that was limited to a few manageable concerns, which generally required dedicated, knowledgeable attackers to exploit, with one that has innumerable unmanageable risks capable of being exploited. Threats that were easily mitigated on the PSTN suddenly reach new levels of uncertainty: service outages, quality of calls (which could drop to something closer to cellphones rather than landlines), a lack of emergency availability and, worst of all, exploitation of the phone for theft, fraud and other malfeasance. To be sure, these risks existed before. But VoIP makes them harder to control. VoIP opens up voice communications to these risks in two ways. First, VoIP is easier to hack than POTS.
“Once telephony goes over IP, it’s no longer eavesdropping on voice, it’s eavesdropping on data, and that’s so much easier,” says Bruce Schneier, founder and CTO of Counterpane Internet Security.
“It’s like the difference between intercepting a handwritten note versus an SMS message. It’s the difference between a letter and an email.”
If you wanted to eavesdrop on an analog phone call, Graydon of the VoIP Security Alliance likes to note, you could. But you’d have to go to your local box store, pick up a box phone, two crocodile clips, a reflective vest and a helmet. Then you would have to learn some simple but arcane ways to tap the line. And when you scurry up the pole, try not to look too conspicuous. Fake credentials, like logos on the helmet, help.
If you want to eavesdrop on a VoIP call, though, you won’t need to climb a pole. You’ll still need some arcane knowledge to locate the data stream, but once you have that, all you need is a packet sniffer and software that converts the data into a WAV audio file (tools like Cain & Abel, a software program that can locate and record VoIP streams, are freely available on the internet). Think of virtually any threat to data, whether it’s malicious, accidental or a nuisance, and it will threaten VoIP in a way that it couldn’t have easily threatened POTS. For example:
• Good old-fashioned power failures.
• Denial-of-service attacks and non-malicious network congestion that affect phone availability. This is especially problematic if firewalls can’t recognise voice traffic as distinct and requiring a higher quality of service; this immediately and severely disrupts voice availability.
• Eavesdropping and wiretapping: These are used to log voice and keyed-in data, such as account numbers.
• Spoofing. Used in VoIP phishing, where a call will be ID’d as from your bank but is really being collected by baddies (doubly bad since it’s a hack that preys on our inherent trust of the phone network; where most people have learned to distrust email, the same is not true for the phone).
• Viruses and bots. Used either to destroy data or the device, or to co-opt the phone into some other activity such as fraud: charging toll calls to other numbers, which Graydon says is “a lot easier on VoIP than the PSTN.” It will be easier to place these viruses and bots into telephony because of the mix of devices interacting with the VoIP networks such as phones, cellphones, BlackBerrys, computers and whatever other potentially vulnerable or infected application data happens to be on the network.
The second form of risk is that with VoIP, there are simply more threats to exploit than there are on the phone. The openness — of protocols like IP and of infrastructure like the internet — that makes VoIP application-rich also makes it unimaginably hard to control, since it’s open to everyone, including those who want to exploit it. As anyone who uses email will tell you, along with the good — instant, cheap communications — you have to accept the bad — spam and malware. Bringing more applications to voice may increase its power and usefulness but it also opens up more threats, and that has to be balanced against the potential gains in productivity or efficiency. New threats include:
• SPIT, or spam over internet telephony. An offshore alternative to telemarketing that could sidestep any national “Do Not Call” registry. Graydon notes that a computer overseas could deliver 20,000 phone calls with a recorded sales pitch in five seconds.
• Logging. Privacy concerns abound for a technology that’s far easier to capture, log and mine (maliciously or as a marketing tool) than analog voice.
• Unsanctioned use. Internet voice services, such as Skype, can be downloaded and used by individuals as easily as an instant messenger, introducing all the threats of internet voice without any of the controls.
• More computers. Advanced voice applications require advanced phones, and VoIP phones are essentially small computers.
“IP phones are trickier than PBX digital phones,” says Bob Litterer, information security manager at Genzyme, noting that IP phones constitute an additional burden to the telco administrators who must adequately provision and configure network resources and maintain IP phone firmware and software.
“They require specific VLAN [virtual LAN] tagging in DHCP scopes, require tricky firmware upgrades, and they can crash at inconvenient times.” In other words, they’re as reliable (and risky) as PCs, not phones.
As a corollary to the problem of unlimited applications, combining voice and data on a single network creates a new opportunity for blended threats. That is, attackers can infiltrate voice through applications that previously weren’t connected to voice, and the other way around. They can use voice to get to the applications. A simple example is using a corporate presentation being shared over a VoIP system as an attack vector.
If all of this seems like doomsaying, consider that most of the above threats have already emerged in the real world, despite the fact that VoIP and voice over internet are technological infants. One vendor documented four cases of VoIP phishing in which caller ID identifies the call as from your bank and the recorded message asks you to punch in account information, which is logged. (That vendor also sells anti-phishing software, so take its “research” with a grain of salt.) Vonage, a VoIP vendor, provided a notorious early proof of concept of VoIP spam when it planted in its customers’ voicemails a prerecorded advertisement for its upcoming IPO.
But the most notorious case of VoIP’s fallibility yet to come to light involved spoofing. A Florida man named Edwin Pena allegedly paid a hacker in Washington state US$20,000 (NZ$30,000) to exploit router vulnerabilities so he could spoof VoIP providers. US Federal prosecutors allege Pena stole minutes of service — ten million in total — and resold them at cut rates for pure profit, which turned out to be hundreds of thousands of dollars.
The type of attack used in the scheme was a “brute force” scan for router vulnerabilities, a simple old hack in the data world that’s not capable of affecting the PSTN. Is that because the PSTN is technically more secure? Not necessarily. “PSTN switches are all based on the same system as IP routers and switches,” Graydon says. “All that’s happened is we ourselves have more access to the routers and switches in the IP world.”
You could be forgiven for thinking, “Here we go again”. The tech industry is notorious for rushing to market with “revolutionary” products only to have their lack of security and stability embarrassingly exploited. It looks like just another case of putting the revenue cart before the security horse. And then selling more products to secure the original product, at an additional cost: already vendors are marketing anti-SPIT software, VoIP firewalls, and VoIP monitoring and management software. These costs will eat into any savings VoIP offers over traditional phone services and add a layer of complexity. “It’s extremely frustrating,” Graydon says. “You sit there and go, ‘Guys, you’re doing it again. Did you not learn the last time?’”
Only this time, the stakes are higher. If, say, instant messaging was rushed to satisfy market demand without being properly secured or having its threats understood, that wasn’t good. But what were the expectations and assumptions about chat’s security in the first place? Probably limited. With voice, there are those culturally ingrained expectations. We even have a name for it: dial-tone reliability. Voice can’t fail, we’ve come to expect that, and yet here’s a technology rushing to market that, so far, can’t meet this expectation.
In a sense, vendors offering VoIP service are pushing a cake-and-eat-it-too agenda. They want voice to have the power of data with the security of POTS, even if such a platform doesn’t exist yet. So they’re left selling voice as another data type but also acknowledging that voice is special. “I say voice is not data,” says Lawrence Dobranski, the leader of product security architecture in the office of the CTO at Nortel. “From a risk-management perspective it has to be thought of differently. We’re sharing voice on data infrastructure, and that means the threat landscape is open.” That’s a core point of this story. “People bring an awful lot of expectations with voice. We have to make sure we get the security of VoIP right, and that won’t be easy; that will be difficult.”
Gus de los Reyes, a technology consultant for AT&T Labs who is developing security capabilities for VoIP services, is more sanguine. De los Reyes says he and the other AT&T Labs technology experts can prevent his company’s VoIP products from going to market if he feels a security control isn’t ready, and he says he’s done that. He has the power to control the rush to market, so he doesn’t even see a rush to market.
“There’s a much greater awareness with VoIP than there was with things like email. Maybe too much awareness. People don’t want to make the same mistakes with VoIP.”
But it appears they are, as demonstrated by Pena’s alleged scheme, which involved no fewer than 15 VoIP companies, startups without the kind of controls in place that an old telco company like AT&T might have, and the emergence of all the other datalike threats to voice that VoIP has enabled.
De los Reyes does eventually acknowledge that some companies will rush to market, but that’s only to sate demand coming from those who aren’t considering the risks upfront. None of this would be an issue if companies and individuals thought about the full threat landscape and the costs and risks associated with that, instead of getting sucked in by the pure per-minute cost savings and neat applications VoIP offers.
“If security says you can’t do something, people just go around it,” he says. “Users are going to do what they’re going to do, so we have to secure what they do. It’s gonna happen. You can’t stop the flood of technology.”
That might be true, but you could hope to contain it. After all, Sweden didn’t just let people switch to Högertrafik whenever and wherever it suited them. Imagine if it had. In fact, the one thing that has prevented the new voice services from really flying out of control is the PSTN. In many cases the old copper that remains in the last mile of phone connections has at least slowed the proliferation of VoIP, both its great potential and its great threat.
If you’re focused on VoIP’s potential, then POTS is the last obstacle before a voice communications revolution. If you’re focused on the threat, then the century-old analog technology has become, of all things, a security control.