It is not possible in a few short words for me to describe just how profoundly our lives have been and will continue to be changed by the Internet. Beyond the obvious changes in the way we live and work, it is becoming deeply embedded into our psyche, to the point where many people frame their world view through their connectivity - the life we live online and the life we live offline. The life we live offline has been rapidly shrinking: every summer the cellular reception gets better during my treks into the local mountains.
Despite the tone I am taking, don't assume that I am saying that this is a bad thing. The market is delivering the pervasive online experience because we are asking for it, and we are asking for it to make our lives richer. In some cases it is also making our lives simpler, which is what we should expect, but in other cases it is making our lives more complex. The twenty-year-old joke about the flashing 12:00 on the VCR is only the tip of the iceberg; technology is poised to add a few more layers of complexity to our lives in the next few years. The Internet is now stretching itself not only to provide new services, but to retrofit a service that we all take for granted - the telephone.
Voice over IP (VoIP) is a group of technologies that enable the transmission of voice conversations over both private IP-based data networks and public networks such as the Internet. By converting the human voice into data and shipping it off on a packet-switched network, we are able to complete phone calls much more efficiently and also have the opportunity to create a world of impressive new voice services.
Saving money? More features? What is the problem? The market forces that are conspiring to enable VoIP will succeed beyond their dreams and by doing so will create a telephony infrastructure that for the mid-term at least will be fraught with security and reliability issues that we need to be prepared to deal with. Here are the drivers I see to a VoIP future:
Wi-Fi. Wireless local area networking has grown mightily and we now have hotspots all over the map. Wi-Fi, of course, is a conduit for VoIP phone calls. Handset makers such as Nokia and Motorola are developing dual GSM/Wi-Fi phones that will sense and switch over to Wi-Fi networks when available to save money. Hotspot operators could potentially offer a low cost roaming service and corporate Wi-Fi networks could provide an avenue for free calls.
VoIP Upstarts. Companies like Vonage, Net2Phone and Skype are already making significant progress in offering low cost (or no cost) Internet phone calls, and the quality of their services has increased greatly compared to what was available two years ago.
Cheap Products. Virtually all new PCs come equipped with everything needed to make Internet-based phone calls. VoIP handsets are coming down in price and it is even possible to build a PBX using open source software like Asterisk.
Weak Telcos. Traditional telephone companies can see the future, and it is bleak for them. While they will use their army of government lobbyists to forestall the future, they cannot prevent it from happening. Revenues are already declining due to competition from VoIP and cell networks. It is impossible to fight off the Vonages of the world and instead they will have to play the VoIP game. This is the way the free market is supposed to work. The problem is that traditional phone companies as a group are not financially robust and will not have the resources to make this transition from Plain Old Telephone Service (POTS) to VoIP a painless one.
So we are at the beginning of a radical market shakeup, which will probably happen faster than we expect. It is easy to start a snowball rolling down the hill, but a lot harder to stop it. What are some of the problems I foresee?
Reliability. This is tangentially a security issue; nevertheless, it is a big one for me. POTS famously provides 99.99% reliability: pick up the handset and it just works. You simply will not get that out of VoIP today, tomorrow or in ten years. It will take 15-20 years for IP Telephony to give us the reliability we already have in POTS. One obvious example is the fact that POTS is powered centrally. When a winter storm knocks out the power, I want to be able to call my 80-year-old mother and check on her and ask her how she is doing with my laundry. Corporations will be able to mitigate these problems better than consumers who lack telephony sophistication. This leaves us with many questions about how these growing pains will affect consumers. Many people are assuming that they will continue to use POTS for things like emergency calls and use VoIP as the primary phone. The problem is that POTS reliability will begin to fade and/or its cost will grow tremendously as telcos are forced to make hard decisions on operational and maintenance budgets.
Security. Several interesting security problems will be caused by VoIP. Many of these problems have parallels in the traditional POTS networks, but we are lowering the costs and technology barriers for the new generation of "VoIP Phreakers" and we are giving them a global reach for their skills.
Disruption of service. Everyone has seen the movies where the bad guys creep up on a house and cut the phone lines. The bad guys will now have several options to cut off service at home and in large enterprises through buffer overflows, denial of service attacks and other methods from anywhere in the world.
Phone number harvesting. While many early adopters of VoIP love the fact that their phone number is not listed on any directory and is private, this is privacy through obscurity and it is unlikely that you will be able to keep your number private. VoIP Phreakers have developed several techniques for subverting Caller ID Blocking.
Spoofing. We also have ample evidence of spoofing of VoIP Caller ID already. A malicious person could use this to gain the trust of the receiving party and perform any number of attacks. Masquerading as your bank to perform VoIP phishing is just one example.
911. 911 service is a critical issue that is being addressed by VoIP technology bearers, but the portability and flexibility of the technology does not make this a simple problem to solve. Vonage is cross-referencing VoIP phone numbers to physical locations provided by the subscribers, creating another attractive database for malicious people to exploit if it ever were leaked. Approaches like GPS have also been explored, creating even more complexity.
Eavesdropping. Although standards exist to secure VoIP conversations and keep them private, these standards also exist for email and other forms of data communications and yet are rarely used. PBX stands for Private Branch eXchange, but connecting a PBX to an IP network (private or not) makes these central systems more accessible. Compromising an IP PBX to listen in on sensitive conversations internal to a corporation will be possible.
What it boils down to is that VoIP has the potential to be an attractive accessory technology in the commission of crimes we are already very familiar with: Identity Theft, Spam, Denial of Service, Stalking, Harassment, Corporate Espionage, etc.
Pervasive use of VoIP is coming and with it will come an inevitable tradeoff between the new order of lower costs and greater features and the old order of simplicity, security and reliability. Most of the security technologies we currently use to protect data networks are inadequate and ill-suited to secure VoIP. We will need to make extensive use of a layered security model explicitly tuned for VoIP. These solutions need to exist at the gateway level, at the endpoints, and need to make extensive use of encryption and authentication. By applying a combination of proven IP security standards and implementing the security features in new standards like Session Initiation Protocol (SIP), we have hope for securing IP Telephony. Next month we will talk more about what the potential solutions may look like, but be sure that VoIP security will be a battle coming to your phone.
CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.
CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.