Voice over IP (VoIP) technology provides many advantages to companies and individuals over both traditional telephone services and traditional IP communications. But, like other technologies, it also brings with it the potential for abuse. And as more people implement VoIP, we can also expect more frequent exploitation of this potential.
One growing concern is the possibility that unwanted VoIP advertising messages—often referred to as spam over Internet telephony or SPIT—will overwhelm IP voice systems, much like e-mail spam has overwhelmed e-mail messaging systems. Over the years, spam has reduced much of the functionality of e-mail—dozens, hundreds, and even thousands of unwanted e-mail messages clogging up servers and users' inboxes to the point of driving many users away from e-mail entirely.
While SPIT hasn't yet become a major problem, experts anticipate that it could do so in the future, as the increasing popularity of VoIP makes it a more attractive target. Let's look at the potential misuses of VoIP and discuss how you can fight back.
How SPIT works
We've long had to deal with annoying telemarketers on our landlines, so how is SPIT different? The problem is that a VoIP line isn't just a telephone number—it's also an IP address.
Auto-dialers used by traditional telephone advertisers must dial each phone number separately. But VoIP spammers can do their dirty work much more efficiently: They can harvest a large number of IP addresses, record an advertising message, and then send the message to hundreds or thousands of VoIP voice mail boxes all at once in bulk—just like e-mail spammers.
In addition, it's more difficult to track the origin of VoIP calls vs. public switched telephone network (PSTN) calls, so spammers who are also scammers are harder to catch. And using a VoIP line, the spammer can call from anywhere in the world at a much lower cost than using traditional phone lines.
Why PSTN users aren't safe either
Of course, spammers using VoIP can also make calls to PSTN numbers, so the SPIT phenomenon poses a risk not just to VoIP users themselves, but to all telephone customers. In fact, VoIP users may actually be able to protect themselves more easily than PSTN users since VoIP services usually include free voice mail, caller ID, and other features that you may have to pay extra for with a PSTN line.
One danger of SPIT, for both VoIP and PSTN call recipients, is the possibility of flooding voice mail boxes with spam messages. Full voice mail boxes prevent legitimate callers from leaving messages, resulting in voice mail denial of service (DoS). With the potential to create much larger file sizes than e-mail text spam, audio messages can take up a lot more storage space and overwhelm systems more quickly.
But SPIT isn't just about leaving messages—it's also about making live calls. Because of the difficulty of tracing these callers and the low cost to make the calls, it's a good possibility that phishers will latch onto VoIP to perpetuate their scams. Many people are more likely to trust a phone call claiming to be from a bank or credit card company than an e-mail message, so this is another potential misuse of VoIP.
Of course, you can use features already included with most VoIP accounts to help control spam and phone phishing. For example, you can reject all messages that don't provide caller ID information.
The bad news is that it's possible to spoof caller ID to make a call look as if it's coming from a different source. In fact, caller ID spoofing is another misuse of VoIP that will benefit not just spammers but other malicious callers as well.
How caller ID spoofing works
Spoofing caller ID information has been possible for years, but it's much easier and less expensive to do it with VoIP. In fact, you don't even have to have a voice line yourself to take advantage of it.
Numerous Web sites offer fake caller ID services. At least one company offers a $10 "calling card" that you can use to dial a toll-free number, enter the number you want to call, and enter the caller ID info you want to display. In addition, instructions for spoofing caller ID information using a Linux computer running Asterisk PBX software are readily available on the Web.
Caller ID spoofing is particularly troubling because some credit card companies and banks rely on caller ID information to verify customers' identities. Spammers and scammers can also use it to disguise their identities. And since some systems will automatically allow voice mail access if you call from the phone number associated with the voice mail box, unauthorized persons can also use spoofed caller ID information to listen to someone else's voice mail.
What you can do about it
The good news is that VoIP spam, like e-mail spam, will likely conform to certain patterns that systems can recognize, analyze, and filter. The technology also makes it possible to block calls from specific numbers or IP addresses.
It's likely that if—or really, when—SPIT becomes a problem, software companies will rush to offer solutions just as they have for e-mail spam. In fact, a number of companies are already working on it.
Qovia, which makes enterprise-level VoIP management utilities, filed patent applications in 2004 for technology that would identify and block VoIP spam. And companies such as BorderWare offer SIP-aware proxies and firewalls designed to protect VoIP sessions against SPIT, caller ID spoofing, and other VoIP abuse.
VoIP can save organizations money and make calling more convenient, but like any other technology, it's bound to attract abuse and misuse. The bad news is that you don't even have to be a VoIP user to be a victim of VoIP misuse. The good news is that there are ways to thwart VoIP spam, caller ID spoofing, and other misuses of VoIP technology.
Want more tips and tricks to help you plan or optimize your VoIP deployment? Automatically sign up for our free VoIP newsletter, delivered each Monday!
Deb Shinder is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. She currently specializes in security issues and Microsoft products, and she has received Microsoft's Most Valuable Professional (MVP) status in Windows Server Security.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.