Voice over Internet Protocol (VoIP) services are clearly gaining popularity in both the consumer and enterprise markets, and with good reason. New peer-to-peer and independent service providers, such as Vonage and Skype, offer the opportunity for users to reach out and touch someone for a fraction of the price of a phone call using the traditional public switched telephone network (PSTN). In fact, adoption of VoIP as an alternative to PSTN is growing so quickly that the Yankee Group forecasted the number of users at the end of 2005 to be 3.2 million people, which is triple the number at year-end 2004. Recent forecasts from Atlantic-ACM, a telecommunications industry research firm, show the enterprise VoIP market is expected to grow at a CAGR (2003-2009) of 47 percent, with consumer VoIP revenues poised for triple-digit growth.
The potential profits for those service providers offering VoIP services, and the opportunity for consumers to take advantage of inexpensive international and domestic long-distance phone calls, sound like a win-win. But with the increased use have also come scams and security concerns. Unfortunately, today's Internet reality is that when a new service grows in popularity, there are those who endeavor to exploit the service for personal gain, or to disrupt legitimate services for others, and VoIP is no exception.
Today's VoIP Makes Fraud Easy
Imagine sitting down at the local coffee shop with your favorite mocha and deciding to catch up with a good friend in Europe. To save on a costly cell phone bill, you connect your laptop to the wireless hotspot and log into your VoIP softphone to make the call for pennies a minute. Unbeknownst to you, a casual onlooker checks out your username and password as you log in. That person doesn't just have a few free phone calls in mind; instead they send your information to their friends and acquaintances to use with their freely downloaded VoIP phone software from the same provider. The number is eventually shut down, but not before a number of calls and a huge phone bill are rung up. Without better security for VoIP, this technique is so easy to reproduce that it will become an all too common scenario. But does the consumer or the service provider pay the bill?
Not only is this abuse case easy to recreate, but the array of alternative methods is overwhelming. For example, instead of peering over your shoulder, anyone sitting just outside the coffee shop with a laptop and a wireless card can easily monitor all of the network traffic and record your call, as well as gain detailed connection and account information. Many VoIP services don't enable encryption or authentication, opening up the opportunity to acquire account credentials entirely from monitoring the WiFi hotspot.
Then there is the reported case of fraud that's recently been in the news where an Austrian retail business entity resold VoIP minutes from a service provider here in the United States. The European business was billed for usage to the tune of $20,000, but what the U.S. VoIP provider did not know was that those calls were to a European equivalent of a fee-based 1-900 number service. By the time the U.S. VoIP provider received invoices for $450,000 from the 1-900 phone services, the European business entity was nowhere to be found.
How Do We Make VoIP Safe?
Many experts agree that this is going to get worse before it gets better. IP telephony has inherited all of the potential for exploitation that both the telephone systems and IP data services have traditionally possessed. But while wireline and wireless telephony services and IP data services have had many years to be hardened against abuse, VoIP is relatively new, with characteristics that require protection beyond that for standard telephony and IP data services.
There are three main areas of fraud in VoIP being observed today, and some very specific ways that service providers can protect themselves.
Identity theft and account cloning
Identity theft has been on the rise in recent years, but nowhere is it more prominent than on the Internet. To combat identity theft and verify users, stronger authentication systems can be put in place. With strong authentication, someone who knows a user's phone number and possibly their password would still not be able to access the account. To strengthen an authentication system, service providers could modify softphone client software by embedding user information into the application before download, making it unique to that user. Alternatively, service providers could require users to declare unique hardware details for computers they intend to run softphones on, such as MAC addresses. If the user wasn't calling from a registered address, VoIP service gateway mechanisms could block usage by that user. While it may take away some network roaming freedoms, it could be an optional safeguard and may even contractually identify whether unauthorized use is the service provider's or the consumer's burden. The wireless industry has spent millions to protect cell phones from being cloned; VoIP phone cloning has few protections today.
Enabled by the borderless nature of the Internet, a VoIP caller can use unauthorized billing or credit card details from anywhere in the world. To combat billing fraud at the service provider level, even though the location specifics of the caller aren't known, call authorization can be enforced and verified at gateways. This can include identifying which called numbers have fees associated with them versus which do not, and whether or not the provider is willing to pay that fee. Additionally, service providers can block calls to and from services where there is no prior agreement in place, and certain providers can be blacklisted until they work out a billing agreement. Gateway systems exist that can sit in front of the VoIP switching infrastructure, track each call setup and teardown, and validate destination/origination authorization in real time. And VoIP service policy gateways are equally applicable between the client-to-service provider link and between wholesale providers at a peering
Vulnerabilities in the SIP protocol used in most VoIP services today enable hackers to inject control signals and hijack calls. Most VoIP phone systems have sophisticated call control mechanisms such as three-way calling and call transfer. By leveraging these features, someone outside of the calling parties can monitor a call in progress and hijack the session by transferring both ends of the call. Since commands are often sent unencrypted and without authorization for each command, this is an easy technique to carry out. Simple call hijacking, and even call eavesdropping, can be avoided by encrypting VoIP communications. When the data is encrypted, the hijacker isn't able to gather the information about the call itself needed to determine how to inject the control message. Encrypting calls can introduce a cost and performance burden on the service provider and the end user equipment, but some promising alternatives exist. A less intrusive method is for service providers to introduce active VoIP policy controls in front of their call session control function (CSCF). This gateway solution can block or challenge call control messages for authenticity before passing them along to the CSCF. Since most consumer VoIP services don't require call transfers, this technique can effectively resolve a large problem with no change to the call servers or consumer software.
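The gateway checks described in the billing fraud and call hijacking paragraphs above can be sketched as a single decision function. This is an added example, not code from the article or from any vendor; the premium prefixes, the no-transfer policy, the function names and the sample messages are all constructed assumptions, and binding a call to the source address seen at setup is a simplification of real SIP dialog matching.

```python
# Added example: toy policy-gateway decision logic, not a vendor implementation.
import re

PREMIUM_PREFIXES = ("1900", "43900")  # constructed fee-based prefixes, no billing agreement
ALLOW_TRANSFER = False                # assumed policy: consumer service has no call transfer
dialogs = {}                          # Call-ID -> source addresses bound at call setup

def parse_request(raw):
    """Split a raw SIP request into (method, request_uri, headers)."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), uri, headers

def dialed_digits(uri):
    """Digits of the user part of a sip:, sips: or tel: Request-URI."""
    m = re.match(r"(?:sips?|tel):\+?([0-9]+)", uri)
    return m.group(1) if m else ""

def decide(raw, src_ip):
    """Return 'forward', 'challenge' or 'reject' for one subscriber-side request."""
    try:
        method, uri, headers = parse_request(raw)
        call_id = headers["call-id"]
    except (ValueError, KeyError):
        return "reject"               # malformed signaling never reaches the CSCF
    in_dialog = call_id in dialogs
    if method == "REFER" and not ALLOW_TRANSFER:
        return "reject"               # transfers are disabled by policy
    if in_dialog and src_ip not in dialogs[call_id]:
        return "challenge"            # control message from outside the call
    if method == "INVITE" and not in_dialog:
        if dialed_digits(uri).startswith(PREMIUM_PREFIXES):
            return "reject"           # destination carries a fee the provider won't pay
        dialogs[call_id] = {src_ip}   # track call setup
    elif method == "BYE":
        dialogs.pop(call_id, None)    # track call teardown
    return "forward"

def sample(method, uri, call_id):
    """Build a constructed SIP request (not captured traffic)."""
    return (f"{method} {uri} SIP/2.0\r\nCall-ID: {call_id}\r\n"
            f"From: <sip:alice@example.net>;tag=1\r\nCSeq: 1 {method}\r\n\r\n")
```

A "challenge" result stands for the gateway demanding authentication of the sender before the message is passed to the CSCF; how that challenge is issued is outside this sketch.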
As we've discussed, remedies to some of the more common fraud practices in VoIP do exist, with some being more burdensome for the service provider than others. In most cases, the remedy with the least impact on service provider cost and network performance is a high-speed VoIP service policy gateway. Suitable service policy gateways analyze VoIP control signaling and media traffic at very high speeds, actively enforce required VoIP service security policies, and can protect against a wide range of fraudulent activity. Additionally, service policy gateways must be able to adapt their methods to constantly changing techniques and security threats. Positioned at peering points and/or in front of VoIP call session control infrastructures, these VoIP service policy gateways can protect both subscribers and service providers.
VoIP has a lot of promise, and offers a great new world, but it is inheriting known issues from previous technologies, so service providers would be wise to relearn old lessons. Now is the time to do that. VoIP is in a rapid adoption phase and there is little doubt its use will continue to increase.
Inconsistent implementations by different vendors and protocol vulnerabilities will be resolved with time, and services will become hardened as a result. Right now, however, the vulnerabilities are like a neon sign for hackers. Lucky for all of us, solutions do exist to stave off some of the fraudulent practices at work on today's VoIP networks.
Peder Jungck is founder and CTO of CloudShield Technologies, a provider of multi-gigabit, multi-function, programmable deep packet inspection (DPI) platforms targeted at large network operators. For more information, please visit www.cloudshield.com.