Skype 1.1

By Robert Vamosi on 31/10/2005

RRP: TBA

The good:

  • Free download
  • No ads
  • Free Skype-to-Skype calls
  • Conference calling for up to five people

The bad:

  • Inconsistent call quality to landline phones with SkypeOut

The bottom line:

Skype 1.1 is a free and easy way to make phone calls to any other PC user in the world, and now there's a way to make cheap calls to technophobe friends, too.

Users' rating:

8.7/10

With every new technology come new threats and security risks. With Voice over IP (VoIP), however, the threats and security risks are well known; they're much the same as with the Internet itself. So it didn't surprise me to read last week that a new buffer overflow vulnerability was found within the very popular Skype VoIP service. But what will make or break VoIP will be how this very young industry handles emerging security issues and whether the public eventually puts its trust in the new technology. Judging by the way Skype has handled its recent vulnerabilities, I think the prognosis is good for VoIP in the long run.

What is Skype?

VoIP technology allows you to make telephone calls over the Internet; voice and data packets travel alongside each other. There are a number of paid VoIP providers, but the best-known one is free. Skype, originally created by Kazaa and recently purchased by eBay, uses peer-to-peer technology to link users worldwide and run VoIP over that link. As we've seen recently with Mozilla Firefox, with increasing market share comes the potential for online mischief.

The current flaw in Skype involves buffer overflows. Briefly, a programmer sets aside a fixed amount of memory in the code to hold input data. If more data than expected is supplied, the excess simply spills past the space provided and begins to overwrite existing programming code. If the buffer overflow is exploited correctly (not always a given), the overwritten portion of code could allow a remote attacker to gain full control of your PC.

According to Secunia, the current Skype flaws within Windows are considered critical; Mac and Linux versions are not vulnerable. If an attacker creates a special URL, one using callto:// or skype://, a buffer overflow may occur. The same would be true if an attacker presented a vulnerable system with a specially coded vCard. This is similar but not related to a buffer overflow flaw reported within Skype about a year ago.
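
The overflow mechanism and link handling described above, as an added example that is not Skype's code and not part of the original article: a handler copies the target of a callto:// or skype:// link into a fixed buffer, first with the unchecked pattern and then with a length check. The buffer size, function names and sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define TARGET_MAX 32  /* assumed size of the fixed buffer for the callee name */
enum { URI_OK = 0, URI_BAD_ARG = -1, URI_BAD_SCHEME = -2, URI_TOO_LONG = -3 };

/* Unsafe pattern, shown for contrast and never called: strcpy() copies until
 * the NUL, so a target of TARGET_MAX bytes or more writes past the end of buf. */
size_t target_len_unsafe(const char *target)
{
    char buf[TARGET_MAX];
    strcpy(buf, target);               /* no length check */
    return strlen(buf);
}

/* Return the text after a recognised scheme prefix, or NULL if none matches. */
static const char *strip_scheme(const char *uri)
{
    static const char *const schemes[] = { "callto://", "skype://" };
    for (size_t i = 0; i < sizeof schemes / sizeof schemes[0]; i++) {
        size_t n = strlen(schemes[i]);
        if (strncmp(uri, schemes[i], n) == 0)
            return uri + n;
    }
    return NULL;
}

/* Hardened form: check the scheme, measure the input, and refuse anything
 * that does not fit (NUL included) before a single byte is copied. */
int parse_call_uri(const char *uri, char *out, size_t out_len)
{
    if (uri == NULL || out == NULL || out_len == 0)
        return URI_BAD_ARG;
    const char *target = strip_scheme(uri);
    if (target == NULL)
        return URI_BAD_SCHEME;
    size_t len = strlen(target);
    if (len >= out_len)
        return URI_TOO_LONG;           /* reject rather than silently truncate */
    memcpy(out, target, len + 1);      /* len + 1 <= out_len */
    return URI_OK;
}

int main(void)
{
    char name[TARGET_MAX];  /* constructed inputs: one fits, one is 40 bytes */
    printf("%d\n", parse_call_uri("callto://echo123", name, sizeof name));
    printf("%d\n", parse_call_uri("skype://0123456789012345678901234567890123456789", name, sizeof name));
    return 0;
}
```

Rejecting the oversized link outright, rather than truncating it, keeps the handler from acting on a name the sender never fully controlled the meaning of.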

Fast response is appreciated
In both cases, Skype responded quickly and appropriately by disclosing the flaw and patching it. Current users should have been prompted to download a new version of Skype 1.4. I admire the agility demonstrated by Skype and the Mozilla organisation; when new flaws are discovered, they respond quickly and responsibly. I only wish the same were true of Microsoft. There are some flaws within Internet Explorer that have been known for more than a year, with no patch in sight.

But isn't VoIP itself vulnerable to attack?
But because VoIP depends on the Internet, the technology itself is vulnerable to Internet-type attacks. To address that, the Voice over IP Security Alliance (VoIPSA) authored a report on VoIP Security and Privacy Threat Taxonomy. This draft report addressed fellow industry members and shed light on potential VoIP problems ahead, problems not currently experienced when using wired telephone connections.

First of all, there's call pattern tracking, or unauthorised traffic analysis that could lead to theft, extortion, and even phishing attacks. There's traffic capture, where unauthorised recordings of VoIP traffic are made for later reconstruction, whether it be of conversation, voicemail, fax, video, or text. And there's number harvesting, which includes the capture of numbers, e-mail addresses, and URLs, which could lead to identity theft.

But wait, there's more...
There's also call blackholing, where someone can drop, absorb, or otherwise refuse to pass IP, either preventing or terminating communication. There are legitimate reasons why a network might refuse VoIP traffic. Blockage for commerce reasons is already happening in the Middle East where state-owned telecoms in Saudi Arabia and Egypt have started blocking VoIP-specific traffic on their networks. Telecom Saudi Arabia and Egypt Telecom are using technology from Narus, an IP management and security company whose clients include AT&T, Korean Telephone, U.S. Cellular, and T-Mobile. But the Internet is vast, with multiple routes available from point A to point B.

Which brings us to call sinkholing, where VoIP communication is diverted. Again, there may be legitimate reasons to reroute a call; it might be a defensive measure against a known attack. But call sinkholing is also an opportunity for a man-in-the-middle attack, where a call is routed through an attacker's IP for the purposes of collecting and later reconstructing communications. Finally, there's conversation degrading or a quality of service (QoS) attack, where the call is delivered, but the quality is so poor as to render the connection virtually useless.

Other attacks outlined in the document, such as impersonating someone else, or false caller ID, can occur today with current wired telephony. And it should be noted that the VoIPSA draft document is prescriptive: by defining what could go wrong, they encourage members to work toward common dialogue in fixing these problems.

Brave new world
Skype recently commissioned Anagram Laboratories to evaluate the service's security. It'll be nice to see some independent evaluations, but Skype appears to be talking the talk, if not walking the walk. Also, eBay is experienced with locking down its services against attack, having been knocked off the Internet briefly back in February 2001.

At present, many corporations are already using VoIP systems--and saving big bucks. As long as they use current network security defenses, many of the VoIPSA-listed threats can be mitigated. It's home users, however, who will have to be very careful. Without a network IT department on call, home users are at the mercy of their provider, be it a paid service or Skype. So if Skype or Vonage or any of the other providers prove sloppy, they could expose their customers to nightmares such as those mentioned, then probably go out of business themselves.

Finally, I do see the world moving in the direction of VoIP. With talk of Google entering the wireless ISP business (at least in San Francisco), I can envision someday severing my very expensive home connection. But before that happens, I want to see more security in place.

Are you currently using VoIP for personal use? If so, which service?

Paul
27/07/2007, 09:34 AM

Rating: 2/10

I'm using Skype 3.0.0 for SkypeIN, voicemail and SkypeOUT. Quality of incoming and outgoing calls to regular phones is terrible 90% of the time. People on other end constantly complaining about echoes, and calls are frequently dropped. If I can find a better quality alternative to Skype I will definitely switch.

Pros: SkypeOUT and SkypeIN are inexpensive.

Cons: Quality is terrible on 90% of incoming and outgoing calls, and about 20% of my calls are dropped.


20/10/2006, 01:59 AM

Rating: 9/10

Excellent value, very good clarity

Pros: Have not dropped a call yet. Very simple to use from desk top computer with cable modem.

Cons: Does not support wireless broadband card, killing mobility.

L.Deprost
11/10/2006, 03:44 PM

Rating: 10/10

Excellent Communication Quality

Pros: crystal clear communication between Australia and Tahiti - French Polynesia

da
07/10/2006, 10:06 PM

Rating: 9/10


17/09/2006, 02:11 AM

Rating: 7/10

Very very good application will pass word on

BV
17/08/2005, 05:37 PM

This is a killer app!
