Unarmed in the Gunfight -- The Lack of Security for wVoIP

Unarmed in the Gunfight -- The Lack of Security for wVoIP
Georgia Tech's Richard A. DeMillo argues that the wireless and VoIP industries need to tackle wireless VoIP now.

The recent onset and growth of Voice over IP (VoIP) has thrust the telecommunications industry into a new frontier. RBOCs, MSOs, and ILECs view this white-hot technology with giant dollar signs in their eyes; while, on the supply-side, the equipment vendors, application developers, and solutions providers are engaged in a high-stakes shoot-out for a piece of the pie. In the midst of this Wild West struggle for success, one question continues to tug at the collective bootstraps of the industry: Who's keeping the VoIP frontier safe?

Recent executive summits and the formation of various alliances and working groups, such as the VoIP Security Working Group, have served and will continue to raise the industry's awareness of critical security issues, including SPIT (spam over Internet Telephony). However, as with email over the last several years, security is having a tough time keeping up with new technological developments.

VoIP is constantly presenting new challenges and new opportunities, and the inevitable convergence of wireless and VoIP technologies seems to produce the ultimate enabling technology. With wireless VoIP (or wVoIP), users are provided the means to make cut-rate calls over dual-mode mobile handsets or laptop-loaded "softphones" at WiFi hotspots that are multiplying across the country. However, for the security expert, wVoIP presents what some would refer to as the ultimate challenge; others, the ultimate nightmare.

While we know VoIP is wide-open to cyber attacks, believe it or not, current WiFi (802.11) standards do not require its access points to be secured with encryption/decryption protocols and identifier codes. This lack of standardized protection leaves wVoIP open to a host of security issues, from the aforementioned SPIT to cyber worms and even WiPhishing attacks, where a wireless IP or VoIP user is unknowingly lured into entering an illegitimate access point or portal. With the possibility of downloading wireless content over a VoIP-enabled handset on the horizon, the door is wide open for security breaches.

So what's to be done? The answers lie on all fronts: design, regulation and education.

VoIP security is entirely different from generic IT security technologies. As many VoIP applications often run on top of public, open networks, institutions and early-adopter end users are relying on legacy structures (PSTN networks) or broadband connections that were not designed with security in mind. For enterprises, a VoIP security breach can bring the whole network (phone, email, Internet, etc.) to a standstill, paralyzing businesses to the point where it effects revenue. The recent "Blaster" and "Slammer" worms show the devastating effects that security attacks have on all types of networks.

In order to address the true scope of the security issue, it must be addressed from a convergence standpoint. As with other open technologies, such as email, weak authentication has been a major cause of the dramatic rise in identity theft, phishing attacks, and a myriad of other threats such as spam, viruses and worms. While the incredible amount of spam in in-boxes has made it difficult to simply click "delete" without sacrificing a legitimate email along the way, the effect on productivity multiplies when VoIP voice mailboxes are flooded with unsolicited messages. Both VoIP and wireless security specialists must explore what architectural structures will allow authentication in a consistent manner between an IP packet-switched network and next-generation wireless interface standards such as WiMax (802.16). Without a synthesis between VoIP and WiFi design architectures, the gold rush will be on for hackers, SPIT-ers and the like.

From a regulatory perspective, VoIP stakeholders must work with the FCC and other regulatory bodies to propose strong legislation to deter the proponents of these threats. As seen recently with the E911, it often takes a crisis -- or significant lawsuits -- to spur legislative momentum. In order to keep ahead of the coming risks, security companies and the working groups they sponsor must proactively communicate their research findings and calls for action to the FCC, providing them with the ammunition to fight for regulatory changes.

Lastly, education is the key to keeping the frontier safe. Everyone in the industry -- from C-level executives to academics to programmers -- has the responsibility to actively educate current and future wVoIP users to the existing and potential threats, and the best way to protect themselves.

Recent data released by the market research firm Disruptive Analysis indicated that, by 2009, the market for voice over WLAN (or WiFi) phones will reach 46.8 million. Sixty-four percent of this market will be dual-mobile/wVoIP devices, enabling users to initiate calls over both traditional mobile and WiFi access points. Additionally, by 2009, residential VoIP adoption could reach 15 million households, with IP telephony functioning as a primary (or "landline") substitute. While it is unclear whether this significant market segment will be concerned about security, the convenience and cost-savings inherent to the technology will be enough to propagate adoption among consumers. Before mass adoption, the industry must figure out how to structure an effective information security program to respond to what ultimately will be a risky environment.

Will the industry listen? Well, it hasn't yet. A quick search for articles that contain the phrase "wireless VoIP security" yields zero hits ("wireless VoIP", however, produces a respectable 130 articles -- not bad for a nascent technology!).

As we've seen time and time again, the technology frontier can be a dangerous place.

Therefore, the industry MUST keep on top of the pending security problem related to wireless, VoIP and wVoIP, or it could find itself unarmed in a nasty gunfight with the bad guys.

Richard A. DeMillo is the Imlay Dean and Distinguished Professor of Computing at the Georgia Institute of Technology. DeMillo is one of many industry-leading speakers at wVoIP 2005, an executive summit dedicated to the convergence of wireless and VoIP. To learn more about wVoIP 2005 visit www.wvoip.com.