BOSTON -- Thirty years ago, John Draper, a.k.a. Cap'n Crunch, made monkeys out of a monopoly's security experts,...
by using a toy whistle from a cereal box to access the internal trunking mechanisms of the nation's telephone network.
In the decades since the brief reign of Cap'n Crunch and phone phreaks, however, the Public Switched Telephone Network has garnered a reputation for being near bullet-proof -- vulnerable only to the most sophisticated hackers.
But a group of engineers and executives working for VoIP vendors last week said that PSTN is old, messy and unsustainable. IP telephony is the low-cost, easily maintained successor to hard switches and hard telephone lines, they said.
The only trouble is that VoIP, which stands for Voice over Internet Protocol, is susceptible to the same demons plaguing other Internet applications today. Spam over Internet Telephony, or SPIT, is just one potential problem.
"The Internet, as great as it is, as the mother of all invention, also spawns new tools like SIP (session initiated protocol), which leave users open to great vulnerability," said Ashley Johnston, director of business development at Texas Instruments' VoIP Group.
Johnston, speaking at last week's 2004 Next Generation Networks conference, listed voice tapping, toll fraud and identity fraud at the top of his list of VoIP vulnerabilities. Each step in a VoIP call, which consists of a stream of data packets, will require some form of key exchange, authentication and encryption, he said.
Bruce Robertson, a Nortel Networks senior manager of network design, added distributed denial of service attacks and other Internet-based threats to the list.
Robertson made firewalls a part of his proposed VoIP security solution.
At the conference, Robertson introduced Nortel Networks' Secure VoIP Zone, which is built around a switched firewall. The system inspects voice data packets and allows or disallows their access to call servers. Calls in the system are carried through a Layer 2 IPSec tunnel. "We're building on the concept of unified security architecture," he said.
Robertson also made a pitch for regulation, including a set of VoIP standards being developed by the Telecommunications Industry Association.
The standards for VoIP security protocols are not yet in place, however.
Many hackers, meanwhile, are ready to take advantage of VoIP's weaknesses, said Ramesh Lakshmi-Ratan, president of VocalTec Americas, a division of the Israeli company VocalTec Communications, Ltd.
"In the telecom world, before someone could hack into the system, he had to be able to program in SS7," said Lakshmi-Ratan, referring to Signaling System 7, the network and protocol used for call forwarding and other enhanced call features. "But with VoIP, any kid with a little experience can write a SIP program to do some interesting things. The barriers are much lower."
Lakshmi-Ratan said he knows that AT&T engineers are studying best practices for securing VoIP communications. He believes that major operators like AT&T in the future will distinguish themselves by their ability to prevent SPIT and DDoS attacks.
"The heart of the solution," said Lakshmi-Ratan, "lies in carriers looking to uniquely provide services to their customers."