Reuters “scam artists” story spreading VoIP FUD

While there are plenty of legitimate issues surrounding identity on the Internet at large and with VoIP specifically, the Reuters story
Scam Artists Dial for Dollars on Internet Phones
by Andy Sullivan gets it wrong on many counts, IMHO.

First, the story repeats the myth that the traditional phone networks are somehow more secure and less vulnerable than the Internet. I won’t even go there.

The statement that “VOIP calls … are vulnerable to the same security problems that plague e-mail and the Web” is just silly. If a VoIP call is being handled by an independent device, such as an ATA or IP phone, it is no more likely to cause a virus than a printer or other networked device on your LAN. If an IP phone ran Windows and used IE and Outlook, then it may be as vulnerable as your computer, but since there are no such phones, this statement is pure FUD, in my opinion.

The article also says “experts at AT&T say VOIP conversations can be monitored or altered by outsiders.” Well, this is technically true, but the same can be said about calls placed over the traditional phone system. The question is whether one kind of call is more likely to be intercepted than another. The assumption is usually that VoIP calls are easier to intercept, but that assumption needs some critical review. It cannot be taken at face value. In my experience, people generally overestimate the difficulty of intercepting traditional calls and underestimate the difficulty, in practice, of intercepting Internet traffic. In general, I’d flag the two as about equal in difficulty. It is far easier to violate the security of a central office than most people think and far more difficult to break into an Internet peering point than most people think. Neither is easy for the casual hacker.

What’s the easiest way to intercept a call? In both the VoIP case and the traditional phone system case, it’s at the edges, near the caller or the callee. And in fact, in both cases the easiest techniques are probably similar and low tech, such as a snooper microphone. A call over open Wi-Fi is probably the one case where VoIP is fairly easy to snoop, if you’re within range of the Wi-Fi signal (and the same applies to a plain cordless phone using a cheap Radio Shack scanner). So again, it’s FUD to imply that somehow VoIP inherently makes all your calls available for the world to hear.

Finally, the primary topic of the article, Caller ID spoofing, is not a VoIP problem per se. In fact, flaws in the security model of the traditional phone system are what enable Caller ID spoofing in the first place. One doesn’t need VoIP to enjoy Caller ID spoofing. It is in fact standard PSTN interface signalling that introduces the spoofed Caller ID info into the PSTN, and that can be generated anywhere in the network and it has nothing to do with VoIP.

So where are they getting this misinformation and why are they spreading it? The final paragraph of the article perhaps offers a hint: “the problem will likely recede as companies like VeriSign Inc. and NeuStar Inc. develop ways to verify online identities.”

7 comments for “Reuters “scam artists” story spreading VoIP FUD”

  1. I agree that this story is poorly reported/edited. For example, Western Union uses an 800 number and I thought in that case caller ID spoofing is not applicable, especially when the call is made from a residence.

    But certain other aspects of potential trouble when VoIP and PSTN meet, especially for unaware PSTN users, are not discussed. For example, if one uses SkypeOut to make a harassing call, will Skype help the authorities to track the miscreant? There are all sorts of similar scenarios that could potentially violate PSTN current operational understanding. But neither the press nor the industry is bringing them up.

  2. The article in general touches upon the increasing risk that exists by using VoIP as the means to carry our voice as opposed to traditional POTS.
    1) It is easier to hack and penetrate information. You no longer require having a phone switch or any other digital device. You can download tools (mostly open source) and protocol code which in a few hours you can alter to work for your needs.
    2) IP, as the main transport protocol, is known as a more vulnerable means of transport. Unfortunately, nothing much has really been done from the SP perspective to protect the IP layer through the application layer (i.e. SIP). The information can be penetrated from the center or any other place in the network.

    I agree with one of the readers' comments that VoIP privacy penetration when it comes to WiFi as opposed to cordless is the same to capture the information, but in VoIP you can replay, and "wear" the captured user information as your new identity and generate as many calls as you want.

    To conclude my point, VoIP is a lot more risky and easier to "break", penetrate and steal information than the older brother the PSTN.
    VoIP, being data based, is attracting a lot more hackers to try to make calls for free.

    Thanks

  3. As someone considered (at least at one time) a security expert, I respectfully disagree with a number of your assertions. Again, I believe a lot of what you’re saying is FUD and mythology.

    I assert that hacking traditional POTS is at least as easy as hacking the core of the IP backbone (or any significant inspection point). The PSTN is flush with security holes. Hint: you don’t need an SS7 switch.

    Again, it is a security vulnerability inherent in the design of the PSTN that permits the original alert of the article: Caller-ID spoofing.

  4. Aswath, you have the right language there when you say "current operational understanding." These security matters are far more social and operational, traditions and assumptions, than they are technical. That applies to both IP and PSTN of course. In both cases, people often entirely discount the significance of human protocols vs. computer and network protocols.

  5. Sure, these matters are just about always more social and operational than technical.

    It’s when the con men are able to divert the victim’s attention, by waving the "technical" flag, that they free themselves up to fleece in all kinds of ways, practical ways, that overwhelm the geek’s common sense.

    My three sons are all committed (and admitted) computer geeks, and their common sense is constantly overwhelmed by hacker-ology.
