The Sky(pe) is falling

With every new technology come new threats and security risks. With Voice over IP (VoIP), however, the threats and security risks are well known; they're much the same as with the Internet itself. So it didn't surprise me to read last week that a new buffer overflow vulnerability was found within the very popular Skype VoIP service. But what will make or break VoIP will be how this very young industry handles emerging security issues and whether the public eventually puts its trust in the new technology. Judging by the way Skype has handled its recent vulnerabilities, I think the prognosis is good for VoIP in the long run.

What is Skype?

It didn't surprise me to read last week that a new buffer overflow vulnerability was found within the very popular Skype VoIP service.

VoIP technology allows you to make telephone calls over the Internet; voice and data packets travel alongside each other. There are a number of paid VoIP providers, but the best-known one is free. Skype, originally created by Kazaa and recently purchased by eBay, uses peer-to-peer technology to link users worldwide and run VoIP over that link. As we've seen recently with Mozilla FireFox, with increasing market share comes the potential for online mischief.

The current flaw in Skype involves buffer overflows. Briefly, a programmer allows a certain amount of memory space with the code for the input of data. If more data than the expected gets inputted, the new data simply spills over the space provided and begins to overwrite existing programming code. If the buffer overflow is executed correctly (not always a given), the overwritten portion of code could allow a remote attacker to gain full control of your PC.

According to Secunia, the current Skype flaws within Windows are considered critical; Mac and Linux versions are not vulnerable. If an attacker creates a special URL, one using callto:// or skype://, a buffer overflow may occur. The same would be true if an attacker presented a vulnerable system with a specially coded vCard. This is similar but not related to a buffer overflow flaw reported within Skype about a year ago.

Fast response is appreciated
In both cases, Skype responded quickly and appropriately by disclosing the flaw and patching it. Current users should have been prompted to download a new version of Skype 1.4. I admire the agility demonstrated by Skype and the Mozilla organisation; when new flaws are discovered, it responds quickly and responsibly. I only wish the same were true of Microsoft. There are some flaws within Internet Explorer that have been known for more than a year, with no patch in sight.

But isn't VoIP itself vulnerable to attack?
But because VoIP depends on the Internet, the technology itself is vulnerable to Internet-type attacks. To address that, the Voice over IP Security Alliance (VoIPSA) authored a report on VoIP Security and Privacy Threat Taxonomy. This draft report addressed fellow industry members and shed light on potential VoIP problems ahead, problems not currently experienced when using wired telephone connections.

First of all, there's call pattern tracking, or unauthorised traffic analysis that could lead to theft, extortion, and even phishing attacks. There's traffic capture, where unauthorised recordings of VoIP traffic are made for later reconstruction, whether it be of conversation, voicemail, fax, video, or text. And there's number harvesting, which includes the capture of numbers, e-mail addresses, and URLs, which could lead to identity theft.

But wait, there's more...
There's also call blackholing, where someone can drop, absorb, or otherwise refuse to pass IP, either preventing or terminating communication. There are legitimate reasons why a network might refuse VoIP traffic. Blockage for commerce reasons is already happening in the Middle East where state-owned telecoms in Saudi Arabia and Eqypt have started blocking VoIP-specific traffic on their networks. Telecom Saudi Arabia and Egypt Telecom are using technology from Narus, an IP management and security company whose clients include AT&T, Korean Telephone, U.S. Cellular, and T-Mobile. But the Internet is vast, with multiple routes available from point A to point B.

Which brings us to call sinkholing, where VoIP communication is diverted. Again, there may be legitimate reasons to reroute a call; it might be a defensive measure against a known attack. But call sinkholing is also an opportunity for a man-in-the-middle attack, where a call is routed through an attacker's IP for the purposes of collecting and later reconstructing communications. Finally, there's conversation degrading or a quality of service (QoS) attack, where the call is delivered, but the quality is so poor as to render the connection virtually useless.

Other attacks outlined in the document, such as impersonating someone else, or false caller ID, can occur today with current wired telephony. And it should be noted that the VoIPSA draft document is prescriptive: by defining what could go wrong, they encourage members to work toward common dialogue in fixing these problems.

At present, many corporations are already using VoIP systems--and saving big bucks. As long as they use current network security defenses, many of the VoIPSA-listed threats can be mitigated.

Brave new world
Skype recently commissioned Anagram Laboratories to evaluate the service's security. It'll be nice to see some independent evaluations, but Skype appears to be talking the talk, if not walking the walk. Also, eBay is experienced with locking down its services against attack, having been knocked off the Internet briefly back in February 2001.

At present, many corporations are already using VoIP systems--and saving big bucks. As long as they use current network security defenses, many of the VoIPSA-listed threats can be mitigated. It's home users, however, who will have to be very careful. Without a network IT department on call, home users are at the mercy of their provider, be it a paid service or Skype. So if Skype or Vonage or any of the other providers prove sloppy, they could expose their customers to nightmares such as those mentioned, then probably go out of business themselves.

Finally, I do see the world moving in the direction of VoIP. With talk of Google entering the wireless ISP business (at least in San Francisco), I can envision someday severing my very expensive home connection. But before that happens, I want to see more security in place.

Are you currently using VoIP for personal use? If so, which service?