
Voices, I Hear Voices

Attack Trends
Editors: Elias Levy, [email protected]; Iván Arce, [email protected]

Iván Arce, Core Security Technologies

No, I'm not interested in developing a powerful brain. All I'm after is just a mediocre brain, something like the President of the American Telephone and Telegraph Company. —Alan Turing

Through pride we are ever deceiving ourselves. But deep down below the surface of the average conscience a still, small voice says to us, something is out of tune. —Carl G. Jung

In 1876 Alexander Graham Bell received US patent number 174,465 for his "improvement in telegraphy," triggering a revolutionary change in human communications and the emergence of a new industry with technology at its very foundation. Today, more than 130 years after the telephone's invention, we face the difficult task of reconciling the prodigal children of the two great men quoted above within the confines of our computer networks. The assignment is far from easy, considering that men from the telephony and computing worlds have substantially different philosophies, idiosyncrasies, technologies, business models, entry barriers, and operational characteristics.

The clash between these two worldviews in the realm of computer networks already plagued with security and privacy concerns is a fertile ground for both offensive and defensive information security practitioners. In this installment of Attack Trends, I delve into the new security and privacy challenges that the ongoing widespread adoption of IP telephony and voice over IP (VoIP) poses.

Phreaky styley

Arguably, many of today's information technologies, defensive security mechanisms, and attack patterns came from organizations and individuals with deep roots in the telecommunications world of the 1970s and '80s. The information security folklore is filled with stories, anecdotes, and facts that link known personalities with security and privacy improvements and setbacks in the telephony industry.

In 1971, for example, Steve Wozniak (www.woz.org/letters/general/03.html) and Steve Jobs jerry-rigged an ingenious device called the "Blue Box," which gave its users control of long-distance trunks on the public switched telephony network (PSTN) by manipulating the session teardown, call routing, and session establishment protocols (http://en.wikipedia.org/wiki/Blue_box). The Blue Box proved to be a useful tool for exploring a PSTN's obscure and proprietary corners and making prank calls or engaging in phone fraud in the form of "free" long-distance calls. It also demonstrated the commercial viability of new types of electronic consumer products: Wozniak and Jobs went on to found Apple Computer in 1976.

In his account of the Blue Box story, Wozniak cites an inspiring and supposedly fictional article featuring Joe Engressia and John Draper that appeared in Esquire in 1971 (www.webcrunchers.com/crunch/esq-art.html). Draper was called "Captain Crunch" because of his most valuable tool: a toy whistle included in Captain Crunch cereal boxes that produced the exact signal—an audible tone with a 2,600-Hz frequency—required to disrupt telephone signaling systems and take control of the telephony trunk. Calling a random phone number and blowing the whistle at any point during the call would grant trunk control to the caller and open up the PSTN's front gate.

The practice of exploring, experimenting, and exploiting PSTN and telephone equipment vulnerabilities came to be called phreaking, and phreakers soon learned that messing around with a telephone company's assets didn't necessarily lead to success stories or happy endings. Draper was arrested on charges of toll fraud in 1972 and sentenced to five years' probation; later, in 1977, he was arrested again and convicted of wire fraud. He made better use of his idle time by writing EasyWriter, one of the earliest word processor programs for Apple and IBM PC computers. In the years to come, many other phreakers and hackers would follow similar paths.

In the 1980s, the advent of PCs and the general availability of relatively low-cost modems popularized by bulletin board systems (BBS) helped a new generation of computer users explore the confines of both their own computers and the vast technological world that lay at the end of the phone line. Telephony companies worldwide operated business-oriented data networks on the physical circuits of their PSTNs using the ITU-T X.25 protocol suite for wide area networks (WANs) over phone lines (http://en.wikipedia.org/wiki/X.25). Interconnectivity, open protocols, and free access to data networks belonged to "toy networks" such as the Internet, not the serious business-oriented infrastructures of X.25 networks.

80 PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/06/$20.00 © 2006 IEEE ■ IEEE SECURITY & PRIVACY

In this context, several publications, such as Phrack (www.phrack.org) and 2600 The Hacker Quarterly (www.2600.org), and organizations such as the German Chaos Computer Club (www.ccc.de) and the Dutch Hack-Tic Group (www.hacktic.nl), emerged as the telltale signs of a subculture linked together via a string of BBSs, informal technical publications, prototypical chat systems, and social gatherings. The line separating harmless and legitimate activity from harmful and illegal deeds rapidly blurred and soon confronted the apparent lack of legal, regulatory, and technical preparedness to address security and privacy concerns. Science-fiction author Bruce Sterling's novel epitomizes the dazzled and confused times of this new subculture and its clash with law and order ("The Hacker Crackdown: Law and Disorder in the Electronic Frontier" is available online at http://gopher.well.sf.ca.us:70/0/Publications/authors/Sterling/hc).

Meanwhile, the Internet and IP protocol suite marched on to become the de facto standard for interconnecting research and academic organizations, building local area networks (LANs), and reaching out to the users who would transform it into a global nerve system for business and leisure. With it came a new crop of security and privacy problems: Web site defacements, data privacy breaches, distributed denial-of-service attacks, proliferation of computer worms and other malware, and spam.

The convergence of voice and data communications over IP-based networks is developing steadily despite the iterative cycle of praise and dismissal that has raged since the mid-1990s. As the process unfolds, it's increasingly obvious that security and privacy concerns, attackers, and attack patterns have carried over from both the telephony and computer network worlds.

Like Ma Bell, I've got the ill communications

A cursory review of the foundations of PSTNs and IP-based networks reveals two opposing views on how to use technology for voice and data communications. The telephony networks were built on the assumption of complete ownership of almost all communications. A handful of providers deployed and ran communications over physical links and tightly controlled international standards and proprietary protocols. Most important, these providers maintained closed networks whose operational characteristics couldn't be tampered with because users were physically isolated from the systems that controlled them.

The Blue Box story is a particular example of how the discovery and exploitation of design weaknesses in signaling systems invalidate the isolation assumption and expose entire telephony networks to the whim of technically savvy users. The Blue-Boxing phreaker exploited the fact that telephony trunks were operated via in-band signaling, a system in which network command and control and user data are sent over the same medium. Abuse of in-band signaling prompted the move to out-of-band signaling systems such as the Common Channel Interoffice Signaling (CCIS, or Signaling System 7 as it came to be known internationally [http://en.wikipedia.org/wiki/Signalling_System_7]), which is an effective countermeasure for separating signaling and voice circuits. Nonetheless, Micah Sherr, Eric Cronin, Sandy Clark, and Matt Blaze showed—more than a decade later—that in-band signaling vulnerabilities remain a valid security and privacy concern today [1].

The use of computers and terminals to manage and operate telephony equipment and networks weakened another major premise—that PSTNs were closed networks. This proved to be invalid when the equipment became remotely accessible via modems attached to regular, although unlisted, phone lines. The practice of systematically calling a set of phone numbers in search of an auto-answering modem attached to a computer system became a popular hobby for home computer users. War Games, a popular 1983 film, exposed this hacker "folklore" and introduced the term war dialing (www.imdb.com/title/tt0086567). The process was later automated with the development of ad hoc programs such as ToneLoc (www.textfiles.com/hacking/tl-user.txt), a functional predecessor to early TCP port-scanning tools such as Strobe (http://ftp.cerias.purdue.edu/pub/tools/unix/scanners/strobe/).

The use of the Private Branch Exchange (PBX) by government agencies and research, education, and business organizations implied the deployment of telephony equipment, owned and operated by PSTN customers, once again breaking the closed-network assumption and casting some light on the software and hardware used in telephony equipment. Further addition of IP-capable interfaces for management of PBX and central office switching equipment paved a road that would eventually lead to the IP protocol suite's adoption for the only component of the telecommunications infrastructure that remained isolated from data networks: voice transmissions.

Although the original PSTNs relied on a set of assumptions that defined a specific threat model, IP-based networks suffered from security and privacy issues that derived from their own set of assumptions. The adoption of open protocols helped make interoperation possible with many implementations that were running on low-cost hardware and rapidly evolving software. Communications over a shared medium with no single entity enforcing standards, regulating use, or policing abuse yields, at least initially, a substantially different threat model. At the heart of the IP protocol suite is an almost total disregard for security and an explicitly stated spirit of openness to foster interoperation among cooperative parties, which elicits a constantly changing threat model due to the rapid development and adoption of new protocols, technologies, and applications. On the other hand, the technological foundations of traditional telephony networks indicate a conscious attempt to maintain control of all the variables in an almost unchanged and unchangeable threat model, demanding security by obscurity and slower adoption and deployment of new technologies and innovative business models.

These two conflicting visions were on a collision course 20 years ago, and the possible outcomes of the impending crash are increasingly evident today in both the corporate network and consumer market realms.

I sit around and watch the phone, but no one is calling

As IP telephony and VoIP become integral parts of modern enterprise networks, security and privacy concerns are on the rise. On the security front, several groups have pointed out design and implementation flaws in VoIP's building blocks and in its relatively new protocols, such as the H.323 protocol suite (www.packetizer.com/voip/h323/standards.html), the Session Initiation Protocol (SIP, www.ietf.org/rfc/rfc3261.txt), Real-time Transport Protocol and Real-time Transport Control Protocol (RTP and RTCP, www.ietf.org/rfc/rfc3550.txt), and the Media Gateway Control Protocol (MGCP, www.ietf.org/rfc/rfc3435.txt).

In February 2003, the Oulu University Secure Programming Group (OUSPG) found an "alarming failure rate" when it performed security testing of various SIP implementations (www.cert.org/advisories/CA-2003-06.html) with the PROTOS security testing framework (www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/). A year later, in April 2004, the UK National Infrastructure Security Coordination Centre (NISCC) worked jointly with OUSPG to uncover multiple vulnerabilities in implementations of the H.323 protocol suite that affect various vendors (www.cert.org/advisories/CA-2004-01.html). The Secure RTP specification of March 2004 (www.ietf.org/rfc/rfc3711.txt) seeks to address the lack of confidentiality, message authentication, and replay protection mechanisms in the original RTP and RTCP standards, a substantial privacy concern because these protocols are used for voice transmission over IP networks.
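The replay protection that SRTP adds on top of plain RTP is simple enough to show in full. The example below is added here and is not code from the column or from any product it mentions; it follows the receiver-side procedure of RFC 3711 (index estimation from the 16-bit sequence number plus a rollover counter, and a 64-packet sliding window) and parses the fixed RTP header of RFC 3550. The packets it feeds in are constructed for the demonstration, and the check is meant to run only after a packet's authentication tag has already verified, since an unauthenticated sequence number can be forged freely.

```python
"""SRTP-style replay protection for RTP (RFC 3711, sections 3.3.1 and 3.3.2).

Added example, not from the column. A receiver keeps, per SSRC, a rollover
counter (ROC), the highest sequence number seen (s_l) and a bitmap of the
last WINDOW packet indices; a packet is rejected if its 48-bit index is
older than the window or already marked in it.
"""
from __future__ import annotations
import struct

RTP_HEADER_LEN = 12
WINDOW = 64  # minimum replay window size required by RFC 3711


def parse_rtp_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte RTP header (RFC 3550, section 5.1)."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("truncated RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    return {
        "version": version,
        "padding": bool(b0 & 0x20),
        "extension": bool(b0 & 0x10),
        "cc": b0 & 0x0F,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
    }


def make_rtp_packet(seq: int, payload: bytes = b"\x00" * 160,
                    ssrc: int = 0xDEADBEEF, ts: int = 0) -> bytes:
    """Constructed test packet: RTP v2, payload type 0, no CSRCs/extension."""
    return struct.pack("!BBHII", 0x80, 0x00, seq & 0xFFFF, ts, ssrc) + payload


class ReplayProtector:
    """Per-SSRC replay state: ROC, s_l and a sliding bitmap of seen indices."""

    def __init__(self, window: int = WINDOW):
        self.roc = 0          # rollover counter, increments every 65536 packets
        self.s_l = None       # highest authenticated SEQ so far (None = none yet)
        self.window = window
        self.bitmap = 0       # bit k set => index (highest - k) was received
        self.highest = -1     # highest 48-bit index accepted so far

    def estimate_index(self, seq: int) -> tuple[int, int]:
        """RFC 3711 3.3.1: pick the ROC value v that makes SEQ closest to s_l."""
        if self.s_l is None:
            return self.roc, (self.roc << 16) | seq
        if self.s_l < 32768:
            v = self.roc - 1 if seq - self.s_l > 32768 else self.roc
        else:
            v = self.roc + 1 if self.s_l - 32768 > seq else self.roc
        return v, (v << 16) | seq

    def check(self, packet: bytes) -> bool:
        """Return True if the packet is fresh, False if replayed or too old.

        Call only after the packet's authentication tag has verified.
        """
        seq = parse_rtp_header(packet)["seq"]
        v, index = self.estimate_index(seq)
        if index > self.highest:
            # New high-water mark: slide the window forward and mark this index.
            shift = index - self.highest
            if shift >= self.window:
                self.bitmap = 0
            else:
                self.bitmap = (self.bitmap << shift) & ((1 << self.window) - 1)
            self.bitmap |= 1
            self.highest = index
        else:
            diff = self.highest - index
            if diff >= self.window:
                return False          # older than the window: reject
            if self.bitmap & (1 << diff):
                return False          # already received: replay
            self.bitmap |= 1 << diff  # late but legitimate reordering
        # Update ROC and s_l as in RFC 3711 3.3.1.
        if v == self.roc + 1:
            self.roc, self.s_l = v, seq
        elif v == self.roc and (self.s_l is None or seq > self.s_l):
            self.s_l = seq
        return True


def demo() -> list[bool]:
    """Feed a constructed stream across the 16-bit wrap, with one replay."""
    rp = ReplayProtector()
    seqs = [65533, 65534, 65535, 0, 1, 65535, 2]  # second 65535 is a replay
    return [rp.check(make_rtp_packet(s)) for s in seqs]


if __name__ == "__main__":
    print(demo())  # the replayed 65535 after the wrap is the only False
```

The wrap-around case is the one worth studying: once the rollover counter has advanced, a replayed packet with sequence number 65535 is estimated at index 65535, not 131071, so the window still catches it. Without the ROC a receiver would treat it as a fresh packet from the next cycle.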

Protocol-level attacks are no longer theoretical possibilities, as Peter Thermos indicates in his detailed account of two plausible attack scenarios against VoIP (www.securityfocus.com/infocus/1862), but a more mundane type of security flaw plagues VoIP devices and software. Insecure default configurations and software riddled with buffer overflows and other trivial flaws characterize many VoIP devices being deployed in corporate networks as you read this article. Specific IP telephony and VoIP vulnerability metrics and statistics aren't compiled as a single class in the lists maintained by the Open Source Vulnerability Database (OSVDB; www.osvdb.org), MITRE (http://cve.mitre.org), SecurityFocus.com (www.securityfocus.com/vulnerabilities), or Secunia (www.secunia.com), but a quick search for vulnerabilities with the keywords "voip," "phone," and "SIP" reveals a mounting number of IP-telephony products with a growing history of security flaws.

Operator, number please

Although deployment of IP-telephony and VoIP systems on enterprise networks poses security and privacy challenges with no precise or clear-cut solutions, the increasing adoption of VoIP in the consumer and small-enterprise markets doesn't appear free of problems either. Signaled by eBay's US$3,200 million acquisition of Luxembourg-based software developer Skype Group in 2005, the race to prevail in the VoIP communications market seems to be gaining speed when we look at the initial public offering (IPO) tribulations of the US-based Internet telephony company Vonage Holdings (www.businessweek.com/technology/content/feb2006/tc20060209_519496.htm), the availability of instant messaging software with voice communications capabilities such as Google Talk (www.google.com/talk/), America Online's TotalTalk service (www.totaltalk.com), and the new VoIP service offerings from incumbent US phone companies such as AT&T-SBC, Qwest, and Verizon and cable-modem operators such as Cox Communications and Comcast.

82 IEEE SECURITY & PRIVACY ■ JULY/AUGUST 2006

I am calling long distance, don't worry 'bout the cost

In April 2006, Nicolas Fischbach, senior manager of network engineering security at COLT Telecom, a European Internet service provider in 14 countries, described carrier VoIP security as both a present concern and a difficult-to-solve puzzle at the CanSecWest security conference in Vancouver, Canada (www.cansecwest.com/slides06/csw06-fischbach.pdf). A day later at the same venue, German researcher Hendrik Scholz provided the flip side of the coin with a presentation that gave a panoramic view of attack scenarios against VoIP networks (www.wormulon.net/files/pub/csw06-attacking-voip-networks.pdf).

The skeptics needed only to wait just over a month to read about a real-world example of VoIP-related attacks motivated by quick profits. On 8 June 2006, New York Times reporters Ken Belson and Tom Zeller Jr. broke the story of a set of VoIP scams that were worth one million US dollars to Edwin Andrés Pena, a 23-year-old Miami, Fla., resident who was arrested a day earlier on fraud charges (www.nytimes.com/2006/06/08/technology/08voice.html?ex=1307419200&en=ae6b91a86dc4d7fa&ei=5088).

If phishing and spam are any indication of real and present threats for "traditional" IP networks and initial reports of the use of these nefarious techniques over VoIP are confirmed (www.newscientist.com/article.ns?id=dn6445 and http://blogs.pcworld.com/staffblog/archives/001921.html), no further wakeup calls for information security practitioners should be necessary to address IP-telephony threats proactively. Several guidelines and resources are already available:

• In April 2006, the first IEEE workshop on VoIP management and security occurred in Vancouver, Canada, at the 10th IEEE Network Operations and Management Symposium (www.noms2006.org/content/workshop.html#voip). The initiative is promising and, hopefully, will continue to gather research, industry, and service provider experts from around the world.

• In January 2005, the US National Institute of Standards and Technology (NIST) published special report 800-58, "Security Considerations for Voice over IP Systems" (http://csrc.nist.gov/publications/nistpubs/800-58/SP800-58-final.pdf).

• The Voice over IP Security Alliance (VOIPSA, www.voipsa.org), an industry consortium of VoIP and information security vendors, runs a mailing list dedicated to VoIP security and provides several security resources.

• David Piscitello, ICANN Security and Stability Advisory Committee fellow and coauthor of "Understanding Voice over IP Security" (www.amazon.com/gp/product/1596930500/104-5238401-7578347), maintains a comprehensive IP telephony security site. An extensive and regularly updated set of resources is also available at http://hhi.corecom.com/voipsecurity.htm.

Our networks are converging rapidly to become a single medium for all communications. We're lured by the siren songs that praise countless benefits and new business opportunities, but if we don't seal our ears with wax and listen carefully, we'll not miss a voice saying that something is out of tune. It's in our hands to test the VoIP waters, hold steady at the helm of our networks, and pilot our way to tranquil shores where we can take advantage of this innovative communications technology without having to do it at the expense of our privacy and security.

Reference

1. M. Sherr et al., "Signaling Vulnerabilities in Wiretapping Systems," IEEE Security & Privacy, vol. 3, no. 6, 2005, pp. 13–25.

Iván Arce is chief technology officer and cofounder of Core Security Technologies, an information security company based in Boston. Previously, he worked as vice president of research and development for a computer telephony integration company and as information security consultant and software developer for various government agencies and financial and telecommunications companies. Contact him at [email protected].


Feedback

Like what you just read? Hate it? If you'd like to share your opinions on this or any other material you've read in this issue of IEEE S&P magazine, please contact lead editor Kathy Clark-Fisher, [email protected]. Be sure to include "Letter to the Editor" in your subject line.