By Kelly M. Teal
The arrest of a wholesale VoIP entrepreneur last week for fraud and hacking points to much more than a criminal mind cheating the system - it brings to light the oft-unspoken fact that VoIP networks have a long way to go in terms of security. The publicity also scares providers and security vendors because they fear losing customers.
The federal government on June 8 arrested Edwin Andrew Pena, 23, owner of Fortes Telecom Inc. and Miami Tech & Consulting Inc., for hacking into other providers' networks, routing his customers' calls onto those platforms, then billing those companies and pocketing the proceeds. He reaped more than $1 million.
This was the "first large attack on a voice system that's being reported," emphasizes Andrew Graydon, chair of the security requirements committee of VoIP Security Alliance (VoIPSA). "It's known that there have been problems in the industry for a while," he says, noting that security vendors and VoIP providers have kept a lid on such issues because they don't want to upset their customers. The U.S. Attorney in New Jersey filed charges against Pena, apparently on behalf of compromised provider Net2Phone Inc., which is based in the Garden State and did not return requests for comment from New Telephony.
Industry watchers were left wondering how the attacks were able to happen; the ironic answer, say several experts, is that everything old is new again. The attacks vendors and providers are facing now are the same ones they experienced in their data networks 10 years ago, says Core Security Technologies' Max Caceres, director of product management. Core Security specializes in network penetration testing, which means it uncovers vulnerabilities in communications software, proprietary and open-source alike. IT folks have all but plugged security holes in data networks; the trouble is, they didn't look at voice over the Internet in the same way. "They haven't viewed it as an application that goes over the Internet," says Graydon. "As soon as you see voice as an application, you start to protect it the way you protect e-mail."
Agreed, says Caceres. The more functionalities a system has, the more holes it can contain. He points out that two of the main reasons for moving to VoIP are to save money and add services. But, "[t]hose services come at a cost because they add complexity to the network." Hackers have discovered voice networks' vulnerabilities because IP communications largely have not been incorporated as part of companies' networks, he adds.
One way to solve that problem would be to put VoIP behind a firewall, says VoIPSA's Graydon. That has been an iffy proposition in the past, though, because enterprises often found their IP telephony systems functioned poorly, or not at all, when placed behind a firewall, he says. But there are ways around that once providers think of voice as an application, says Graydon, who also serves as CTO for BorderWare Technologies Inc. For example, he suggests putting an Internet server into the network, placing a firewall with SIP enablement around the perimeter and tracking behavior analysis to catch any hacking attempts. With a little implementation, he says, providers can "close the barn door."
Caceres recommends intrusion testing as another security tool. Such activity would protect voice and data networks. He also says firewall systems need to be adapted to properly support voice protocols.
Seshu Madhavapeddy, president and CEO of Sipera Systems Inc., concurs that hackers are doing to voice what they did to data a decade ago. "The attack was able to occur because of the openness of the Internet," he says. "The trick is to identify the kinds of attacks that are likely and deploy security. In this case, it's more by omission that people have not deployed voice security systems." Like Graydon and Caceres, Madhavapeddy says providers' firewalls don't fend off VoIP attacks. In his mind, the answer is to deploy security products that perform in real time and that know how VoIP works. Sipera develops such technologies. The cost of such an implementation depends on the size of the VoIP network, but if a company spends a dollar on the equipment that delivers the voice service, it will spend no more than a dime on security, says Madhavapeddy.
Overall, says Graydon, Pena was successful in his hacking attempts thanks to a mixture of human and technological error. "It's a certain amount of human error, it's a certain amount of, there are security solutions out there but maybe they weren't available when the people were implementing," he explains. "It's a certain amount of human error in that this is an IP protocol not a voice protocol. So you've got to look at it with a slightly different view - a certain amount of human error in that, 'Oh, there've been no attacks yet, why will I pay for these security solutions?' Well, I think that over half a million dollars worth of phone calls later, it probably would have been cheaper to get the security solutions."
Until providers address the security problems in their VoIP networks (problems Graydon terms "extremely prevalent"), hackers such as Pena likely will continue to be able to get free calls by finding holes in networks.
BorderWare Technologies Inc. www.BorderWare.com
Core Security Technologies www.coresecurity.com
Miami Tech & Consulting Inc. www.miamitac.com
Net2Phone Inc. www.net2phone.com
New Jersey United States Attorney's Office www.usdoj.gov/usao/nj
Sipera Systems Inc. www.sipera.com
VOIPSA (VoIP Security Alliance) www.voipsa.org
Source: New Telephony