Dial 'D' for DoS; VoIP's hidden security threat

Communication technology experts have released a report highlighting inherent security issues with VoIP applications such as Skype and Vonage that could give online criminals an opportunity to operate undetected.

The Communications Research Network (CRN), an organization of industry experts and academics funded by a joint venture between Cambridge University and the Massachusetts Institute of Technology, believes that VoIP applications could provide excellent cover for launching denial of service (DoS) attacks because VoIP runs continuous media over IP packets.

The ability to dial in and out of VoIP overlays allows an application to be controlled via a voice network, making it almost impossible to trace the source of an attack, the research body claims. In addition, the proprietary protocols used by a number of VoIP applications inhibit the ability of ISPs to track DoS activity, while encryption, peer-to-peer operation and a superpeer system that assists with call routing and NAT/firewall traversal further obscure the traffic.

"While the security measures [of VoIP] are in many ways positive, they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks," said the CRN's Jon Crowcroft, who is heading up the research.

"Although one could slowly shut down and patch or upgrade the exploited machines, it would be much harder to find affected computers and almost impossible to trace the criminals behind the operation," he added.

The CRN believes that if left unresolved, the security issues surrounding VoIP will not just decrease the likelihood of DoS detection but could also undermine consumer confidence in VoIP, which is already seen as a controversial technology.

Although the group acknowledged that there has yet to be a recognized instance of a VoIP-coordinated DoS attack, the CRN said it is only a matter of time before the technique becomes mainstream. Crowcroft suggested that the loophole could be resolved if VoIP providers were to publish their routing specifications or switch over to open standards. The latter would not only allow legitimate agencies to track criminal misuse of VoIP but, according to Crowcroft, there is also a clear business case for their implementation.

If VoIP applications were to interwork with instant messenger tools that now offer voice, they could stand to increase their market share, Crowcroft believes. And if routing specifications were more transparent, ISPs supporting VoIP usage could offer a better quality of service to VoIP users.
