Dial 'D' for DoS; VoIP's hidden security threat

Communication technology experts have released a report highlighting inherent security issues with VoIP applications such as Skype and Vonage that could give online criminals an opportunity to operate undetected.

The Communications Research Network (CRN), an organization of industry experts and academics funded by a joint venture between Cambridge University and the Massachusetts Institute of Technology, believes that VoIP applications could provide excellent cover for launching denial of service (DoS) attacks because VoIP runs continuous media over IP packets.

The ability to dial in and out of VoIP overlays allows for control of an application via a voice network, making it almost impossible to trace the source of an attack, the research body claims. In addition, proprietary protocols, used by a number of VoIP applications, inhibit the ability of ISPs to track DoS activity, while encryption, peer-to-peer networking and a superpeer system that assists with call routing and NAT/firewall traversal further obscure the traffic.

"While the security measures [of VoIP] are in many ways positive, they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks," said the CRN's Jon Crowcroft, who is heading up the research.

"Although one could slowly shut down and patch or upgrade the exploited machines, it would be much harder to find affected computers and almost impossible to trace the criminals behind the operation," he added.

The CRN believes that if left unresolved, the security issues surrounding VoIP will not just decrease the likelihood of DoS detection but could also undermine consumer confidence in VoIP, which is already seen as a controversial technology.

Although the group acknowledged that there has yet to be a recognized instance of a VoIP-coordinated DoS attack, the CRN said it is only a matter of time before the technique becomes mainstream. Crowcroft suggested that the loophole could be resolved if VoIP providers were to publish their routing specifications or switch over to open standards. The latter would not only allow legitimate agencies to track criminal misuse of VoIP, but according to Crowcroft, there is also a clear business case for their implementation.

If VoIP applications were to interwork with instant messenger tools that now offer voice, they could stand to increase their market share, Crowcroft believes. And if routing specifications were to be more transparent, ISPs supporting VoIP usage could offer a better quality of service to VoIP users.
