Alliance Tackles VOIP Security Threats
As the volume of phone calls carried over IP grows, so does the threat of voice spam. From the perspective of those who hold a stake in voice over IP, however, "social irritations" such as spam are the least of their worries.
According to the VOIP Security Alliance, the greatest threat to VOIP comes in the form of deceptive or fraudulent behaviors, such as unlawful monitoring of calls, DoS (denial-of-service) attacks, false caller ID and eavesdropping. This week, VOIPSA is unveiling a Taxonomy Threat Model as its preferred framework for addressing privacy and security policies surrounding VOIP deployment.
"Certainly, the criminal behavior that happens today is the greatest risk," said Jonathan Zar, senior director at SonicWall Inc. and chairman for outreach at VOIPSA, which has more than 100 members from the hardware, software and telephone carrier businesses.
In an initiative reminiscent of the industrys lobbying campaign leading up to the ineffectual CAN-SPAM Act of 2003, VOIPSA is trying to direct policy-makers attention away from the technologies that enable new headaches for users and turn the spotlight on human behavior. The distinction between the human action behind threats to VOIP and their technical means is meant to dissuade policy-makers from imposing technology-related rules that could hinder growth and innovation in the industry.
"There is a policy and regulatory effort under way, and a number of us have been concerned that that was not informed," said Zar in Sunnyvale, Calif. "You could have a lot of effort going into putting a band-aid on a nonbruise. Put security in some context. We want it to be secure, but we dont want it to be as secure as East Germany was under the Stasi."
In addition to the vulnerabilities inherited from data networking, a number of VOIP-specific threats confront calls carried over IP. DoS attacks are easier to launch, in part because attackers have more devices to target, including IP phones, broadband modems, signaling gateways, location servers and other equipment. Furthermore, the wide array of vendors contributing to the VOIP environment makes security more difficult to achieve.
Privacy advocates, who widely rate Congress action to reduce e-mail spam as ineffective, argue that more needs to be done to protect consumers.
"What often is missed with social irritants like spam and telemarketing is that they are a product of privacy violations," said Chris Hoofnagle, director and senior counsel at the Electronic Privacy Information Center, in Washington. "You can try to marginalize spam, but it is inextricably linked to fraudulent practices. Addressing spam will get at the other issues that they claim to be important."
Hoofnagle cautioned that companies carrying voice traffic do not necessarily have a financial interest in eliminating unwanted calls. "A seller of these systems might benefit from the very things that annoy consumers," he said.
Lessons learned from the ongoing problem of e-mail spam likely will help the industry reduce the risks to VOIP, said Ray Everett-Church, chief privacy officer and senior consultant at Philadelphia-based ePrivacy Group. "With the current deployment of VOIP systems, youre not seeing nearly the risk of spam that you saw very quickly with the rise and popularity of e-mail," Everett-Church said. ´
Check out eWEEK.coms for the latest news, views and analysis on voice over IP and telephony.