|
Phone Phreaking is Back …
By R. Pierce Reid, Qovia Inc.
Today, there are hackers. In the 1970’s, there were Phone Phreakers. Today, hackers use sophisticated software tools to crack and hack computer networks. In the 1960’s and ‘70’s, Phone Phreakers used hardware boxes and even Captain Crunch whistles to trick the phone system into giving them free long distance. Phone Phreakers dispersed across the country used the AT&T phone system as their personal network, sharing Phreaks (hacks) and communicating the same way people do using chat rooms and Web pages today.
The practice was both illegal and costly to the phone companies and, ultimately, to long distance phone users who had to make up for the losses.
Over the years, however, Phone Phreaking virtually died out. AT&T gradually plugged all the leaks; high profile Phreakers such as John Draper (aka Captain Crunch) were prosecuted; and the more enticing world of personal computers and the Internet gradually drained people away from Phone Phreaking.
But that is about to change.
With the widespread adoption of VoIP, phone systems are moving onto computer networks and using Internet Protocol (IP) to carry voice traffic. Now, instead of having dedicated (and largely closed) networks for phone calls, phones will use networks that look and act exactly like today’s large data, financial and communications networks.
On the positive side, this will allow phone users to do much more with their phones. Applications that had previously required personal computers or workstations will now be able to run via a phone handset. Phones will be more portable, allowing you to move your office or home phones across a building or across the country with complete number and feature portability. And, because of the inherent efficiency of the VoIP network, costs will drop even further.
On the downside, IP phone systems are vulnerable to many of the same issues and kinds of attacks commonplace on today’s data networks and Internet-connected computing systems. These include intrusions and hacks, viruses and worms, rogue devices, SPIT (Spam over Internet Telephony) and DoS (Denial of Service) attacks.
Dial Tone is a Birthright
When it comes to their Internet connections, their cable TV and even their electricity…people are somewhat forgiving. If your Internet goes down, you watch TV. If the TV is out, you read a book. If electricity fails, you light a candle.
If your phone stops working, you call your Congressman.
It’s simple, the phone companies have made dial tone so reliable that it’s far more noticeable for its absence than for its availability. The industry standard is 99.999 percent availability. In addition, because phones are the first link in emergency services (via 911 calls) and because businesses depend on phone systems for ordering and communications, any loss of dial tone can be costly to business––or even lives.
Enter the New Phreakers
With the rise of new voice networks, it is inevitable that we are going to get hackers, virus creators, worm writers and crackers taking on these new frontiers.
Unfortunately, while the Phreakers and ‘early’ hackers lived by codes such as “leave no trace, do no harm” and regarded their forays into forbidden territory as technical challenges, today’s hackers are simply criminals and vandals whose technical talents are used for the online equivalent of band robbery and “keying” cars. And these are the people who are going to be coming after the phone system.
The good news is that today, we can see them coming. Since VoIP is still a growing technology, there is still time to build the tools, hardware, software, best practices and expertise needed to ensure that phones remain reliable and secure.
A Laundry List of Threats
To understand the vulnerabilities of a VoIP phone system, it’s important to look at today’s data, financial and storage networks, but also to examine those threats that are unique to phones.
Intrusion and hacking: As previously mentioned, traditional phone systems are relatively safe from hacking and intrusion. True, some components (voicemail servers, for example) are vulnerable, but for the most part, these systems are safe. However, VoIP phone systems use hardware, software, architecture and transmission protocols based on the Internet. If you can use a tool to hack into an e-commerce server, it’s not hard to use that same tool to hack into an IP PBX.
In addition, because VoIP phones will be capable of running applications and handling everything from messaging to financial transactions, intrusion and hacks are real threats. Finally, phone performance (and therefore quality and dial tone) can be affected by the intrusion itself or by damage caused by intruders/hackers.
Worms, Viruses, SpyWare: On January 15, 1990, more than 100 nodes of AT&T’s long distance switching systems went down. The outage cost the company more than $60 million in lost revenue. While the ultimate cause turned out to be a bug in the switching software, such an outage could just as easily have been caused by a worm or virus. The difficulty in that network would have been inserting it. With VoIP phone networks, voice and data are converged and transactions can take place in parallel with conversations or (soon) video. As a result, worms, viruses and other malicious code are much easier to insert into the system. And if a virus can travel with a phone call as easily as with an e-mail, the potential for damage is tremendous.
DoS: Denial of Service attacks are designed to slow down or even halt networks by overloading their capacity. In the case of a computer network, this means that e-mail might be slow, online transactions bogged down or perhaps a shopper misses sniping that item on eBay. But DoS attacks do more than slow down a network. A well-orchestrated DoS attack can shut down communications entirely. Today, blackmailers are using this fact to extort money from companies by threatening their data networks. On a phone system, timing of packets and movement of streams is much more critical. Anything that interferes with traffic is likely to impact reliability and call quality. DoS attacks can mean dropped calls, poor voice quality or even no service. When one remembers the importance of dial tone, a DoS attack is no small threat.
SPIT: Spam over Internet Telephony first caught the media’s attention in 2004. A hybrid of telemarketing and e-mail spam, SPIT can have the same effect on a VoIP phone system as a DoS attack, clogging servers and bandwidth with millions of unwanted messages. But unlike e-mail Spam that can be detected and filtered based on keywords or scans of the text, voice packets can’t be slowed down for inspection––the timing and routing of the packets doesn’t allow for that flexibility. Moreover, with e-mail Spam, recipients can at least look at the header and mass delete unwanted items. With voice spam, one has to listen to every message in order to know it should be deleted. And since it’s not covered by the Do Not Call List or the “CAN- Spam” Act, SPIT lives in limbo between the Internet and telephony worlds.
And others…Threats to new IP phone and communications systems are not limited to the above laundry list. If there is one thing that the hacker/cracker/phreaker community has proved over the decades it’s that there is a constant armor vs. warhead battle to keep computer (and now phone) networks secure. Other threats could include cloning, spoofing and identity theft, bugging and tapping conversations, and even attacking the phone system as part of a larger terrorist action against physical or economic targets.
So what’s a CIO to do?
With all the challenges outlined above, one might think we should lock VoIP technology in the bottom of a salt mine and forget it ever existed. But that’s neither desirable nor practical. VoIP phones are here to stay because their benefits far outweigh the risks.
But there are some things that can be done to mitigate the threats.
First, recognize that VoIP phone systems need to be managed––organizations cannot simply plug them in and forget about them. VoIP phone systems must be monitored and managed in the same way that “old” phone systems and data networks are managed. In the process of implementing management tools, software, hardware and best practices, security issues will also be addressed.
Second, design in security and management right from the start of a VoIP phone implementation. Don’t wait until after it’s up and running and vulnerable to begin thinking about how to secure and manage it. These two items should be a part of the initial planning, tested during the pilot phase, and procured alongside the handsets and IP PBX’s.
Third, remember that your organization is not alone. Security––whether for computer networks or phones––is a multi-pronged effort. Management tool companies help enterprises see and understand what is happening on the network and identify anomalies that could be caused by attacks. Security companies build firewalls, virus detection software, Spam/SPIT blockers and many other tools to keep networks safe. Government and law enforcement play a role by legislating to prevent unwanted calls and law enforcement has made tremendous strides in being able to identify, capture and prosecute criminal hackers. And OEM manufacturers continually improve and secure their products to prevent threats.
The best news is that we can see the threats coming. With Phone Phreaking, hacking and viruses the world was unprepared for the creative––and destructive––minds involved. With VoIP, we know what is on the horizon and we have plenty of time to prepare.
The White Hats are ahead of the Black Hats. For once.
About the author
Currently the vice president of marketing for Qovia, Inc., a VoIP monitoring and management company, Pierce Reid has more than 16 years of experience in high tech marketing, public relations and technical communications.
In addition, he is active in defense issues and has taught, published and lectured in the areas of psychological warfare, advanced weapons systems and less-than-lethal technologies. He is a regular speaker on military information
[ Back To TMCnet.com's Homepage ]
|
TMCnet LOGIN
Webinars
