Dial 'D' for DoS: VoIP's hidden security threat
Communication technology experts have released a report highlighting inherent security issues with VoIP applications such as Skype and Vonage that could give online criminals an opportunity to operate undetected.
The Communications Research Network (CRN), an organization of industry experts and academics funded by a joint venture between Cambridge University and the Massachusetts Institute of Technology, believes that VoIP applications could provide excellent cover for launching denial of service (DoS) attacks because VoIP runs continuous media over IP packets.
The ability to dial in and out of VoIP overlays allows an application to be controlled via a voice network, making it almost impossible to trace the source of an attack, the research body claims. In addition, the proprietary protocols used by a number of VoIP applications inhibit the ability of ISPs to track DoS activity, whilst encryption, peer-to-peer networking and a superpeer system that assists with call routing and NAT/firewall traversal further obscure the traffic.
"While the security measures [of VoIP] are in many ways positive, they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks," said the CRN's Jon Crowcroft, who is heading up the research.
"Although one could slowly shut down and patch or upgrade the exploited machines, it would be much harder to find affected computers and almost impossible to trace the criminals behind the operation," he added.
The CRN believes that if left unresolved, the security issues surrounding VoIP will not just decrease the likelihood of DoS detection but could also undermine consumer confidence in VoIP, which is already seen as a controversial technology.
Although the group acknowledged that there has yet to be a recognized instance of a VoIP-coordinated DoS attack, the CRN said it is only a matter of time before the technique becomes mainstream. Crowcroft suggested that the loophole could be resolved if VoIP providers were to publish their routing specifications or switch over to open standards. The latter would not only allow legitimate agencies to track criminal misuse of VoIP, but according to Crowcroft, there is also a clear business case for their implementation.
If VoIP applications were to interwork with instant messenger tools that now offer voice, they could stand to increase their market share, Crowcroft believes. And if routing specifications were more transparent, ISPs supporting VoIP usage could offer a better quality of service to VoIP users.