Dial 'D' for DoS; VoIP's hidden security threat

Communication technology experts have released a report highlighting inherent security issues with VoIP applications such as Skype and Vonage that could give online criminals an opportunity to operate undetected.

The Communications Research Network (CRN), an organization of industry experts and academics funded by a joint venture between Cambridge University and the Massachusetts Institute of Technology, believes that VoIP applications could provide excellent cover for launching denial of service (DoS) attacks because VoIP runs continuous media over IP packets.

The ability to dial in and out of VoIP overlays allows an application to be controlled via a voice network, making it almost impossible to trace the source of an attack, the research body claims. In addition, the proprietary protocols used by a number of VoIP applications inhibit the ability of ISPs to track DoS activity, whilst encryption, peer-to-peer operation and a superpeer system that assists with call routing and NAT/firewall traversal further obscure the traffic.

"While the security measures [of VoIP] are in many ways positive, they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks," said the CRN's Jon Crowcroft, who is heading up the research.

"Although one could slowly shut down and patch or upgrade the exploited machines, it would be much harder to find affected computers and almost impossible to trace the criminals behind the operation," he added.

The CRN believes that if left unresolved, the security issues surrounding VoIP will not just decrease the likelihood of DoS detection but could also undermine consumer confidence in VoIP, which is already seen as a controversial technology.

Although the group acknowledged that there has yet to be a recognized instance of a VoIP-coordinated DoS attack, the CRN said it is only a matter of time before the technique becomes mainstream. Crowcroft suggested that the loophole could be resolved if VoIP providers were to publish their routing specifications or switch over to open standards. The latter would not only allow legitimate agencies to track criminal misuse of VoIP, but according to Crowcroft, there is also a clear business case for their implementation.

If VoIP applications were to interwork with instant messenger tools that now offer voice, they could stand to increase their market share, Crowcroft believes. And if routing specifications were more transparent, ISPs supporting VoIP usage could offer a better quality of service to VoIP users.
