
TMCnet
July 2006
Volume 1 / Number 4

by Jonathan Rosenberg

Undoubtedly, by the time you’ve read this, you will have heard about the VoIP “crime of the century.” I’m referring to an incident in early June where a man was arrested for allegedly stealing minutes from numerous VoIP service providers over a period of a year and a half. The individual allegedly sold VoIP service to his customers and, rather than purchasing termination and origination services, found weaknesses in the networks of several VoIP providers and routed the calls illegally through them.

Certainly this is not the first time that there have been security weaknesses exposed in VoIP. In the summer of 2004, the big news was a bunch of folks who had used the Asterisk open source IP PBX to generate faked caller IDs, which were then routed into the Public Switched Telephone Network (PSTN).

Every time one of these incidents happens, there are invariably questions raised about the fundamental security of VoIP. Is VoIP secure? Is it as secure as the telephone network?

The short answer is that VoIP can be very secure — more secure than the PSTN, in fact. Unfortunately, the problem is the ‘can be’ part of that statement. The protocols behind VoIP, and SIP in particular, have been designed with extensive security measures, which have only improved over time. Unfortunately, only a small number of these have been implemented, and fewer still deployed. As such, weaknesses show up because vendors and providers choose not to implement the tools that can cover those weaknesses. Sometimes it takes attacks, like the ones we saw this past week, to drive providers to ask for these features, which in turn causes vendors to implement them, and ultimately results in deployment.

That said, what kind of security could SIP afford? Could it have prevented the theft of minutes and caller-ID spoofing that got press attention? The answer is yes. Absolutely.




The theft of minutes could have been prevented with SIP’s mutual Transport Layer Security (TLS) authentication feature. This feature allows two proxies to establish a secure link between each other and, using cryptographic techniques, securely determine the identity of the other side. If a termination provider, such as the ones who had minutes stolen, only accepts or sends calls over SIP links that are secured with TLS, every single call can be securely traced to a particular customer. This feature is actually mandatory to implement in order to be formally compliant with the SIP RFC (RFC 3261).
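One way a termination provider could tie each mutually authenticated SIP link to a customer, as an added example that is not from the original article. The peering table, account names and domains are constructed, and identifying peers by the DNS or `sip:` URI entries of the certificate's subjectAltName is an assumption about how the provider issues peer certificates.

```python
import ssl

# Constructed peering table: certificate identity -> customer account.
PEERS = {
    "sip.carrier-a.example": "acct-1001",
    "sip.reseller-b.example": "acct-1002",
}

def trunk_tls_context(cert_file, key_file, peer_ca_file):
    """TLS context for a SIP trunk listener that refuses peers without a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(cert_file, key_file)   # our own identity
    ctx.load_verify_locations(peer_ca_file)    # CA(s) that issue peer certificates
    ctx.verify_mode = ssl.CERT_REQUIRED        # handshake fails if the peer sends none
    return ctx

def peer_domains(peercert):
    """Domain identities in a dict as returned by SSLSocket.getpeercert()."""
    names = set()
    for kind, value in peercert.get("subjectAltName", ()):
        value = value.lower()
        if kind == "DNS":
            names.add(value)
        elif kind == "URI" and value.startswith("sip:"):
            names.add(value[4:])
    return names

def account_for(peercert):
    """Customer account to attribute calls on this link to, or None to reject it."""
    accounts = {PEERS[d] for d in peer_domains(peercert) if d in PEERS}
    # Exactly one match is required: unknown or ambiguous identities are refused.
    return accounts.pop() if len(accounts) == 1 else None

# Constructed certificates in getpeercert() form.
KNOWN = {"subjectAltName": (("URI", "sip:sip.carrier-a.example"),
                            ("DNS", "sip.carrier-a.example"))}
UNKNOWN = {"subjectAltName": (("DNS", "sip.unlisted.example"),)}
```

Calls arriving on a connection for which `account_for` returns `None` are dropped before routing, so every terminated call carries an account in its billing record.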

What about caller ID spoofing? Can it be prevented with SIP? Interestingly, the answer is that it depends. SIP supports a broad range of identifiers for users. These include telephone numbers and e-mail-style identifiers (such as sip:[email protected]). When e-mail-style identifiers are used with SIP, it is possible to prevent users in one domain from spoofing calls from another. Consequently, a call from sip:[email protected] could never be spoofed to look like it came from sip:[email protected]. This is done using a SIP extension called “SIP Identity,” which has been completed in IETF but has not yet been assigned its RFC number. The weakness in the mechanism, somewhat ironically, is the good old PSTN. With phone numbers, this mechanism doesn’t work quite as well.

VoIP security is much more than preventing these two types of attacks, of course. There are numerous threats against VoIP systems, with fraud and faked caller ID being two of the most basic. Far more complex are denial-of-service attacks, and in particular, ones that actually try to use SIP to launch attacks. One of my favorites is an attack I call the “voice hammer.” In this attack, an attacker can, by sending just a few dozen SIP requests to a server, cause any target host on the Internet to receive a flood of voice packets at hundreds of kilobits per second to megabits per second, depending on the voice codecs in use. This attack requires protocol extensions to fix. This attack in particular (which is possible with almost any VoIP protocol — it’s not specific to SIP) is prevented using a mechanism called Interactive Connectivity Establishment, or ICE. Many may be familiar with ICE as a NAT traversal technique. It has an interesting side effect of preventing this particular attack, and this benefit is described in some detail in the ICE specification.
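Why a connectivity check stops media from being aimed at an unwilling host, as an added example that is not from the original article or the ICE specification. It assumes the STUN header layout of RFC 5389 and leaves out the MESSAGE-INTEGRITY credential check that ICE also performs; `MediaGate`, `success_response` and the addresses are constructed for illustration.

```python
import os
import struct

MAGIC = 0x2112A442                       # STUN magic cookie (RFC 5389)
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101

class MediaGate:
    """Release media to an address only after it answers a connectivity check."""

    def __init__(self):
        self.pending = {}        # transaction id -> address the check was sent to
        self.validated = set()   # addresses that answered their own check

    def build_check(self, addr):
        """Return the 20-byte Binding request to send to a signalled address."""
        txid = os.urandom(12)    # a host that never saw the request cannot guess this
        self.pending[txid] = addr
        return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC) + txid

    def on_packet(self, src, data):
        """Handle an incoming datagram; True if it validated its source address."""
        if len(data) < 20:
            return False
        mtype, _length, magic = struct.unpack("!HHI", data[:8])
        txid = data[8:20]
        if mtype != BINDING_SUCCESS or magic != MAGIC:
            return False
        if self.pending.get(txid) != src:    # unknown id, or answer from elsewhere
            return False
        del self.pending[txid]               # each check can be answered once
        self.validated.add(src)
        return True

    def may_send_media(self, addr):
        """Voice packets go only to addresses that proved they are listening."""
        return addr in self.validated

def success_response(request):
    """What a willing peer sends back: a success response echoing the transaction id."""
    return struct.pack("!HHI", BINDING_SUCCESS, 0, MAGIC) + request[8:20]
```

An address that appears in signalling but never runs ICE stays out of `validated`, so it receives at most the small check packets and none of the voice stream.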

The lesson from all of this is that there are lots of potential threats out there. However, the good news is that many of these attacks, such as theft of service, are totally preventable as long as providers of SIP services actually use the tools that have been designed to deal with them. I’m almost happy that this recent security issue got so much press. Hopefully it means that people will think twice before running a service without these security features enabled.

Jonathan Rosenberg is co-author of the original SIP specification (RFC 3261). He is currently a Cisco Fellow and Director of VoIP Service Provider Architecture for the Broadband Subscriber Applications Business Unit in the Voice Technology Group at Cisco Systems (http://www.cisco.com).

 

 
