Not only did the skyline of New York City change on September 11th, but the landscape of our sense of security changed as well. The question of how best to protect our infrastructure is a hot topic of public debate. But in reality, our increased technological progress and interconnectedness through the Internet make us vulnerable.
Dams, power production systems and our telephone infrastructure can now be controlled remotely via networks. Imagine the simultaneous outage of not only 911 emergency telephone service but also the lack of power, water and all telephone and Internet connections during a major crisis.
It is in this environment that the convergence of networking and telephony, now known as voice over Internet protocol (VoIP), is taking place, bringing its own potential security vulnerabilities with it. Fortunately, there are protections in place and evolving standards that can make VoIP systems more secure, potentially more secure than the current PSTN.
Historically, the development of security features in new telephone technology has followed a fixed pattern: first get it to work, then worry about security. It is a tribute either to the trusting nature of communications engineers or to the enormous pressure to get products to market that security issues take a back seat to functional features.
Similarly, VoIP equipment manufacturers are under pressure to design phones that are cost competitive with ordinary handsets while duplicating their quality, functionality and security features. As far as the latter is concerned, the thinking goes something like this: "Ordinary phones are not that secure so we (the equipment manufacturer) can treat a VoIP phone like any ordinary insecure phone and let the network supply whatever security features it has to protect the integrity of the VoIP connection."
In fact, a VoIP handset is not at all like an ordinary handset, in two important ways. First, unlike an ordinary PSTN phone, no physical connection (tap) has to be installed to breach the security of a VoIP phone. A VoIP phone is already reachable from every device on the Internet, from supercomputers on T3 links to home PCs with dial-up modems. Anyone on the Internet who can reach the phone's address has a potential tap on it.
Secondly, every VoIP phone has an IP address and an Internet-aware processor, every bit as powerful as many home PCs. VoIP processors run standard, POSIX-compliant operating systems and support Web servers and Telnet for maintenance. This means that anyone can type http://, followed by the phone's IP address, in a browser and get the VoIP phone's Web page. These pages often allow modification of phone features and options via Common Gateway Interface (CGI) scripts. A CGI script that hands request data to the operating system without validating it is also a way for an attacker to install and execute code on the phone, for example to mount a denial-of-service attack against the phone itself or any other IP address on the Internet.
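The kind of CGI weakness described above, as an added illustration that is not code from the article or from any real phone: a hypothetical maintenance handler that applies a phone option by invoking a configuration command. The option names, the request strings and the use of `echo` as a stand-in for the phone's configuration tool are all assumptions made so the example runs anywhere with a POSIX shell; the vulnerable and hardened handlers sit side by side.

```python
import re
import subprocess
from urllib.parse import parse_qs

# Added example, not code from any real phone. A maintenance CGI applies a
# setting by invoking a (hypothetical) configuration command; "echo" stands in
# for that command so the example runs anywhere with a POSIX shell.
CONFIG_TOOL = "echo"

def vulnerable_set_option(query_string: str) -> str:
    """Builds a shell command from the request verbatim: classic command injection."""
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    value = params.get("value", [""])[0]
    # shell=True means metacharacters inside `value` run extra commands on the phone
    result = subprocess.run(
        "%s %s=%s" % (CONFIG_TOOL, name, value),
        shell=True, capture_output=True, text=True,
    )
    return result.stdout

ALLOWED_OPTIONS = {"ringtone", "dialplan", "timezone"}   # hypothetical option names
VALUE_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,32}$")         # what a value may look like

def hardened_set_option(query_string: str) -> str:
    """Allow-lists the option name, validates the value, and never invokes a shell."""
    params = parse_qs(query_string)
    name = params.get("name", [""])[0]
    value = params.get("value", [""])[0]
    if name not in ALLOWED_OPTIONS:
        raise ValueError("unknown option")
    if not VALUE_RE.match(value):
        raise ValueError("invalid value")
    # argv list: the value is a single argument, so metacharacters have no meaning
    result = subprocess.run(
        [CONFIG_TOOL, "%s=%s" % (name, value)],
        capture_output=True, text=True,
    )
    return result.stdout

# Constructed requests: a legitimate one and one smuggling a second command
# ("%3B" is ';' and "%20" is a space, as a browser would encode them).
LEGIT = "name=timezone&value=UTC"
INJECTED = "name=timezone&value=UTC%3Becho%20INJECTED"

if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_set_option(INJECTED)))   # second command ran
    try:
        hardened_set_option(INJECTED)
    except ValueError as e:
        print("hardened:", e)                                      # request rejected
```

On a real phone the injected payload would not be `echo` but a command that fetches and starts attack code; the allow-list plus argv-style execution closes the hole regardless of what the attacker tries to append.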
The idea that the security vulnerabilities of VoIP are, in general, the same as those of data traffic on the network is also not true. Anyone intercepting a data packet would have to know the data structure of the packet to make sense of the "zeros and ones" in it.
Cracking a packet means first cracking the packet's data structure. VoIP packets, by contrast, have a well-known, standardized format (RTP, with the codec, such as G.711, identified by a field in the header), so even an individual VoIP packet can be "played" without knowing the contents of previous packets in the stream. Standards such as IPSec, and later SRTP, have been developed to address these vulnerabilities, but it will take the will and a change in mindset of the VoIP equipment manufacturers to make VoIP phones more secure.
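To show concretely why a lone VoIP packet can be "played", here is an added example (not code from the article) that parses the fixed RTP header defined in RFC 3550 and expands a G.711 mu-law payload (payload type 0) to 16-bit PCM. Nothing in the decoder depends on earlier packets. The sample packet, its sequence number, timestamp and SSRC are constructed for the demonstration.

```python
import struct

# Added example, not from the article: RTP header parsing (RFC 3550) plus
# G.711 mu-law expansion. All input values below are constructed.

def parse_rtp(pkt: bytes) -> dict:
    """Split an RTP packet into its header fields and payload."""
    if len(pkt) < 12:
        raise ValueError("too short for an RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    padding = (b0 >> 5) & 1
    extension = (b0 >> 4) & 1
    cc = b0 & 0x0F
    offset = 12 + 4 * cc                                   # skip the CSRC list
    csrcs = struct.unpack("!%dI" % cc, pkt[12:offset]) if cc else ()
    if extension:                                          # RFC 3550 section 5.3.1
        _profile, ext_words = struct.unpack("!HH", pkt[offset:offset + 4])
        offset += 4 + 4 * ext_words
    payload = pkt[offset:]
    if padding and payload:
        payload = payload[:-payload[-1]]                   # last byte = pad length
    return {
        "marker": b1 >> 7,
        "payload_type": b1 & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "csrcs": csrcs,
        "payload": payload,
    }

def ulaw_to_pcm16(byte: int) -> int:
    """G.711 mu-law expansion of one sample (range +/-32124)."""
    u = ~byte & 0xFF
    sign = u & 0x80
    exponent = (u >> 4) & 0x07
    mantissa = u & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample

def decode_pcmu(packet: bytes) -> list:
    """Decode one PCMU packet to PCM samples using no state from earlier packets."""
    hdr = parse_rtp(packet)
    if hdr["payload_type"] != 0:
        raise ValueError("payload type %d is not PCMU" % hdr["payload_type"])
    return [ulaw_to_pcm16(b) for b in hdr["payload"]]

def build_pcmu_packet(seq: int, ts: int, ssrc: int, payload: bytes, marker: int = 0) -> bytes:
    """Build an RTP v2 packet carrying PCMU (no CSRCs, no extension, no padding)."""
    return struct.pack("!BBHII", 0x80, marker << 7, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload

# Constructed 20 ms frame: 160 mu-law samples alternating silence (0xFF) and full scale (0x80)
SAMPLE_PAYLOAD = bytes([0xFF, 0x80] * 80)
SAMPLE_PACKET = build_pcmu_packet(seq=4242, ts=8000, ssrc=0x1234ABCD, payload=SAMPLE_PAYLOAD)

if __name__ == "__main__":
    h = parse_rtp(SAMPLE_PACKET)
    print("seq=%d ts=%d ssrc=%08x pt=%d payload=%d bytes"
          % (h["seq"], h["timestamp"], h["ssrc"], h["payload_type"], len(h["payload"])))
    print("first samples:", decode_pcmu(SAMPLE_PACKET)[:4])
```

Feed any captured PCMU packet to `decode_pcmu` and the samples come out directly; a data packet from an arbitrary application would first require working out its application-level format.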
Easy interception
There are three types of security threats that are particularly problematic in a VoIP environment: eavesdropping, theft of service and denial of service. In the past, someone had to physically attach a wiretap to a telephone circuit to eavesdrop on a call. With VoIP, interception can take place anywhere in the network, since data and voice traffic share the same Ethernet cabling and server infrastructure. Using a standard packet-capture tool, one can record VoIP packets and play them back if they are unencrypted. Encryption is the best defense against eavesdropping, and one of the benefits of VoIP-based telephony is the ability to encrypt the digital data that represents the voice stream.
The VoIP equipment designer faces a number of issues associated with encryption. The first is where to encrypt. There are, for example, routers that provide encryption. In this case, voice packets are sent in the clear from a phone or VoIP gateway to an encrypting router, then outbound to a remote encrypting router that decrypts them and forwards them to the receiving phone. The problem is that between the phone and the encrypting router, at both ends of the connection, the data is vulnerable to interception.
Most security intrusions in companies come from their own employees, so this scheme exposes the voice stream at exactly the point where it is most vulnerable to compromise. Alternatively, packetization (turning analog sound into network-ready digital data) and encryption can be done in the phone, or at least in the VoIP gateway, and the possibility of in-house interception is minimized. This means, however, that a considerable number of computing cycles must be available in the phone's VoIP processor.
[Figure: breakdown of an audio Real-time Transport Protocol (RTP) packet, showing the configuration attained when all the optional methods and fields of IPSec are used. The length of the additional data, with the exception of the pad length, is determined by the methods and options mutually agreed upon by the security gateways that establish the secure connection. Source: Netergy Microelectronics]
A second issue is the impact of security on quality of service. Two things degrade the quality of VoIP telephony: packet jitter (unpredictable arrival times of sequential packets of voice data) and missing or dropped packets. Encryption schemes whose state runs across multiple packets are inappropriate for VoIP, since the loss of a single packet could make the packets that follow it indecipherable, causing a large burst of voice dropout; each packet must be decryptable on its own, for example by deriving its keystream from the sequence number carried in its own header. VoIP encryption also has to occur in real time, which argues strongly for hardware acceleration of encryption and decryption.
The three common encryption standards at the time of writing were DES, 3DES and AES; DES has since been withdrawn and 3DES deprecated, leaving AES as the only sound choice of the three. All are amenable to on-chip hardware acceleration. Unlike voice compression algorithms, which must buffer a frame of audio before producing output, these ciphers have no inherent algorithmic delay, so the faster you can compute, the shorter the delay.
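The packet-loss argument above, worked through as an added example that is not code from the article. It compares a keystream that runs across the whole call (the receiver positions itself by counting bytes received) with a keystream derived per packet from the SSRC and sequence number, the layout SRTP uses with AES in counter mode. HMAC-SHA256 stands in for the cipher's block function so the example needs only the standard library; the key, SSRC and audio frames are constructed.

```python
import hashlib
import hmac
import struct

# Added example, not from the article. HMAC-SHA256 stands in for the cipher's
# block function (AES counter mode in a real design, as in SRTP); what matters
# here is how the keystream is positioned, not the primitive. Key, SSRC and
# audio frames are constructed for the demonstration.
KEY = bytes(range(16))
SSRC = 0x1234ABCD

def keystream(key: bytes, iv: bytes, start: int, n: int) -> bytes:
    """n keystream bytes beginning at absolute byte offset `start` under `iv`."""
    out = bytearray()
    block = start // 32
    while len(out) < (start % 32) + n:
        out += hmac.new(key, iv + struct.pack("!I", block), hashlib.sha256).digest()
        block += 1
    off = start % 32
    return bytes(out[off:off + n])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Scheme A: one keystream runs across the whole call. The receiver can only
# position itself by counting the bytes it has received, so a lost packet
# leaves it out of step for every packet that follows.
CALL_IV = b"\x00" * 8

def stream_encrypt(frames: list) -> list:
    out, offset = [], 0
    for f in frames:
        out.append(xor(f, keystream(KEY, CALL_IV, offset, len(f))))
        offset += len(f)
    return out

stream_decrypt = stream_encrypt      # XOR is symmetric; same offset bookkeeping

# Scheme B: each packet's keystream is derived from the SSRC and the sequence
# number carried in its own header, so every packet decrypts on its own.
def packet_encrypt(packets: list) -> list:
    """packets: list of (seq, frame); returns list of (seq, ciphertext)."""
    return [(seq, xor(f, keystream(KEY, struct.pack("!IH", SSRC, seq), 0, len(f))))
            for seq, f in packets]

packet_decrypt = packet_encrypt

def simulate_loss(drop: int = 3, n: int = 6) -> tuple:
    """Drop packet `drop` in transit; report which received packets decrypt correctly."""
    frames = [bytes([i]) * 160 for i in range(n)]       # 160 bytes = 20 ms of G.711
    seqs = list(range(1000, 1000 + n))
    kept = [i for i in range(n) if i != drop]

    a_wire = stream_encrypt(frames)
    a_rx = stream_decrypt([a_wire[i] for i in kept])
    a_ok = [a_rx[k] == frames[i] for k, i in enumerate(kept)]

    b_wire = packet_encrypt(list(zip(seqs, frames)))
    b_rx = packet_decrypt([b_wire[i] for i in kept])
    b_ok = [f == frames[seq - 1000] for seq, f in b_rx]
    return a_ok, b_ok

if __name__ == "__main__":
    a_ok, b_ok = simulate_loss()
    print("running keystream, packet 3 lost:   ", a_ok)   # everything after the loss is noise
    print("per-packet keystream, packet 3 lost:", b_ok)
```

The per-packet scheme has its own caveat: the (SSRC, sequence number) pair must never repeat under one key, which is why SRTP extends the 16-bit sequence number with a rollover counter and rekeys before the counter space is exhausted.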
VoIP "phreaking," that is, theft of service, can be accomplished using spoofing and the so-called man-in-the-middle attack (MITM). Spoofing is manipulating header data in packets to make them appear to come from someone other than the actual sender.
Spoofing can also be accomplished by tampering with domain name server (DNS) records and, in the case of SIP, by manipulating SIP registrar information. In an MITM attack, the attacker monitors and manipulates a VoIP phone session by intercepting traffic from both parties, then recording and changing the content of the interaction. From this position, one can steal valuable unencrypted or weakly encrypted data such as credit card numbers entered via the touch-tone pad.
Per-packet authentication, together with sequence numbers that start at a random value and are checked for replay, is used to defeat spoofing and MITM attacks. Authentication in general is based either on a shared secret or on public-key methods with certificates. An alternative to establishing a shared secret or password in advance is generating or exchanging the shared secret key with methods based on public-key cryptography, e.g. the Diffie-Hellman key exchange. Note that an unauthenticated Diffie-Hellman exchange is itself open to an MITM attack, so the exchange must be bound to a certificate or other pre-established trust.
The same considerations that apply to encryption apply to authentication: it is computationally intensive and benefits from the same hardware acceleration, and placing it in the phone gives better end-to-end protection than doing it in a router or server.
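The per-packet authentication and replay check described above, as an added example that is not code from the article. It follows the SRTP (RFC 3711) pattern of an HMAC-SHA1 tag over the RTP header and payload, truncated to 80 bits, with a receiver that rejects forged, modified and replayed packets while still tolerating reordering within a window. The key, SSRCs and packets are constructed; handling of 16-bit sequence-number wraparound (SRTP's rollover counter) is left out and noted in the code.

```python
import hashlib
import hmac
import struct

# Added example, not from the article. Tag and window follow the SRTP pattern;
# key, SSRCs and packets are constructed. Sequence-number wraparound (SRTP's
# rollover counter) is deliberately not modelled here.
AUTH_KEY = b"constructed-auth-key"
TAG_LEN = 10                                    # 80-bit truncated HMAC-SHA1, as in SRTP

def rtp_header(seq: int, ts: int, ssrc: int) -> bytes:
    """Fixed 12-byte RTP v2 header with no CSRCs or extension."""
    return struct.pack("!BBHII", 0x80, 0, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc)

def protect(key: bytes, header: bytes, payload: bytes) -> bytes:
    """Append a truncated HMAC-SHA1 computed over header and payload together."""
    tag = hmac.new(key, header + payload, hashlib.sha1).digest()[:TAG_LEN]
    return header + payload + tag

class Receiver:
    """Verifies tags, then rejects replayed or out-of-window sequence numbers."""

    def __init__(self, key: bytes, window: int = 64):
        self.key = key
        self.window = window
        self.highest = None         # highest sequence number accepted so far
        self.seen = set()           # accepted sequence numbers inside the window

    def accept(self, packet: bytes) -> tuple:
        """Return (ok, reason); only authenticated, fresh packets are ok."""
        if len(packet) < 12 + TAG_LEN:
            return False, "truncated"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):      # constant-time comparison
            return False, "bad tag"                     # forged or modified packet
        seq = struct.unpack("!H", body[2:4])[0]
        if self.highest is not None:
            if seq in self.seen:
                return False, "replay"
            if seq < self.highest - self.window:
                return False, "too old"
        if self.highest is None or seq > self.highest:
            self.highest = seq
        self.seen.add(seq)
        self.seen = {s for s in self.seen if s >= self.highest - self.window}
        return True, "ok"

def scenario() -> list:
    """Legitimate, replayed, spoofed, forged and reordered packets against one receiver."""
    rx = Receiver(AUTH_KEY)
    good = [protect(AUTH_KEY, rtp_header(s, s * 160, 0xCAFE), bytes([s & 0xFF]) * 160)
            for s in range(100, 104)]
    results = []
    results.append(rx.accept(good[0])[1])                       # ok
    results.append(rx.accept(good[1])[1])                       # ok
    results.append(rx.accept(good[1])[1])                       # replay of the same packet
    # spoofed: genuine payload and tag, header rewritten to claim another SSRC
    spoofed = rtp_header(102, 102 * 160, 0xBEEF) + good[2][12:]
    results.append(rx.accept(spoofed)[1])                       # bad tag
    # forged from scratch without the shared key
    results.append(rx.accept(rtp_header(103, 0, 0xCAFE) + b"\x00" * 170)[1])   # bad tag
    results.append(rx.accept(good[3])[1])                       # ok: 102 missing, reordering allowed
    results.append(rx.accept(good[2])[1])                       # ok: late but inside the window
    return results

if __name__ == "__main__":
    print(scenario())
```

Because the tag covers the header as well as the payload, rewriting the SSRC, sequence number or timestamp invalidates it, which is what defeats header spoofing; the window is what defeats straightforward replay of a captured packet.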
Program sniffing
VoIP denial-of-service attacks are of two kinds: those that exploit software bugs to bring down routers and servers, and distributed bandwidth-exhaustion attacks.
In one scenario for a distributed denial-of-service (DDoS) attack, the attacker prepares a number of unwitting hosts in advance of the actual attack. A scanning program (loosely called a "sniffer") roams the network looking for poorly protected, and hence vulnerable, hosts.
A very desirable host is a computer with a high-bandwidth connection to the Internet, such as a home PC on a cable modem. When a likely host is found, the program installs software referred to as a "bot." Once installed, the bot logs on to a clandestine chat server, posts its identity and awaits instructions from a master. The master attack program then sends a message telling all the compromised hosts' bots to send a barrage of traffic at a specific victim.
A great deal of work still needs to be done in this area. The most effective means are filters installed at Internet service providers that look for suspicious packets and block them before they reach the victim.
A general public awareness of the dangers of unprotected connection to the Internet and subsequent tightening of security will reduce the number of cooperating hosts available for a DDoS attack. Private software security suppliers have seen this as an opportunity and are supplying packet profiling software that can spot suspicious packets and unusual attempts to log on to chat servers and prevent or reduce the impact of this kind of attack.
The major design issue in this case is the reverse of encryption and authentication. The designer who wishes to keep a phone from being infected with attack bots and becoming the source of attacks must make access to the phone's Web server and its Telnet maintenance port secure from remote tampering: require authentication, remove or rename guest and default accounts, and disable Telnet where it is not needed. Guest and maintenance ports with easy-to-guess passwords are where computers were 10 years ago.
Currently, most equipment manufacturers tend not to think of phones as targets or sources of Internet attacks. History has taught us to think otherwise.