Networking

Don't fall prey to these methods of VoIP abuse

As VoIP becomes more prevalent, its popularity will undoubtedly attract some unwanted attention—spammers and phishers looking for their next scheme. Deb Shinder looks at some common forms of VoIP abuse, including VoIP spam and caller ID spoofing, and she tells you how you can fight back.

Voice over IP (VoIP) technology provides many advantages to companies and individuals over both traditional telephone services and traditional IP communications. But, like other technologies, it also brings with it the potential for abuse. And as more people implement VoIP, we can also expect more frequent exploitation of this potential.

One growing concern is the possibility that unwanted VoIP advertising messages—often referred to as spam over Internet telephony or SPIT—will overwhelm IP voice systems, much like e-mail spam has overwhelmed e-mail messaging systems. Over the years, spam has reduced much of the functionality of e-mail—dozens, hundreds, and even thousands of unwanted e-mail messages clogging up servers and users' inboxes to the point of driving many users away from e-mail entirely.

While SPIT hasn't yet become a major problem, experts anticipate that it could do so in the future, as the increasing popularity of VoIP makes it a more attractive target. Let's look at the potential misuses of VoIP and discuss how you can fight back.

How SPIT works

We've long had to deal with annoying telemarketers on our landlines, so how is SPIT different? The problem is that a VoIP line isn't just a telephone number—it's also an IP address.

Auto-dialers used by traditional telephone advertisers must dial each phone number separately. But VoIP spammers can do their dirty work much more efficiently: They can harvest a large number of IP addresses, record an advertising message, and then send the message to hundreds or thousands of VoIP voice mail boxes all at once in bulk—just like e-mail spammers.

In addition, it's more difficult to track the origin of VoIP calls vs. public switched telephone network (PSTN) calls, so spammers who are also scammers are harder to catch. And using a VoIP line, the spammer can call from anywhere in the world at a much lower cost than using traditional phone lines.

Why PSTN users aren't safe either

Of course, spammers using VoIP can also make calls to PSTN numbers, so the SPIT phenomenon poses a risk not just to VoIP users themselves, but to all telephone customers. In fact, VoIP users may actually be able to protect themselves more easily than PSTN users since VoIP services usually include free voice mail, caller ID, and other features that you may have to pay extra for with a PSTN line.

One danger of SPIT, for both VoIP and PSTN call recipients, is the possibility of flooding voice mail boxes with spam messages. Full voice mail boxes prevent legitimate callers from leaving messages, resulting in voice mail denial of service (DoS). With the potential to create much larger file sizes than e-mail text spam, audio messages can take up a lot more storage space and overwhelm systems more quickly.

But SPIT isn't just about leaving messages—it's also about making live calls. Because of the difficulty of tracing these callers and the low cost to make the calls, it's a good possibility that phishers will latch onto VoIP to perpetuate their scams. Many people are more likely to trust a phone call claiming to be from a bank or credit card company than an e-mail message, so this is another potential misuse of VoIP.

Of course, you can use features already included with most VoIP accounts to help control spam and phone phishing. For example, you can reject all messages that don't provide caller ID information.

The bad news is that it's possible to spoof caller ID to make a call look as if it's coming from a different source. In fact, caller ID spoofing is another misuse of VoIP that will benefit not just spammers but other malicious callers as well.

How caller ID spoofing works

Spoofing caller ID information has been possible for years, but it's much easier and less expensive to do it with VoIP. In fact, you don't even have to have a voice line yourself to take advantage of it.

Numerous Web sites offer fake caller ID services. At least one company offers a $10 "calling card" that you can use to dial a toll-free number, enter the number you want to call, and enter the caller ID info you want to display. In addition, instructions for spoofing caller ID information using a Linux computer running Asterisk PBX software are readily available on the Web.

Caller ID spoofing is particularly troubling because some credit card companies and banks rely on caller ID information to verify customers' identities. Spammers and scammers can also use it to disguise their identities. And since some systems will automatically allow voice mail access if you call from the phone number associated with the voice mail box, unauthorized persons can also use spoofed caller ID information to listen to someone else's voice mail.

What you can do about it

The good news is that VoIP spam, like e-mail spam, will likely conform to certain patterns that systems can recognize, analyze, and filter. The technology also makes it possible to block calls from specific numbers or IP addresses.

It's likely that if—or really, when—SPIT becomes a problem, software companies will rush to offer solutions just as they have for e-mail spam. In fact, a number of companies are already working on it.

Qovia, which makes enterprise-level VoIP management utilities, filed patent applications in 2004 for technology that would identify and block VoIP spam. And companies such as BorderWare offer SIP-aware proxies and firewalls designed to protect VoIP sessions against SPIT, caller ID spoofing, and other VoIP abuse.

Summary

VoIP can save organizations money and make calling more convenient, but like any other technology, it's bound to attract abuse and misuse. The bad news is that you don't even have to be a VoIP user to be a victim of VoIP misuse. The good news is that there are ways to thwart VoIP spam, caller ID spoofing, and other misuses of VoIP technology.

Want more tips and tricks to help you plan or optimize your VoIP deployment? Automatically sign up for our free VoIP newsletter, delivered each Monday!

Deb Shinder is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. She currently specializes in security issues and Microsoft products, and she has received Microsoft's Most Valuable Professional (MVP) status in Windows Server Security.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

5 comments
3pdegeiso
3pdegeiso

Your description of how SPIT works leaves alot of questions. I understand you can't fully explain the technical details of how a person would hack a VoIP phone system. But just the basics of networking contradict your description. Even if a hacker obtains many internet IP addresses, the principle of NAT and firewalls should protect the VoIP phone system and voicemail server. Now if they somehow collected phone numbers, they could spam the voicemail system like a traditional auto-dialer on a PSTN phone system. Having internet IP addresses doesn't seem to have much value if the network and security is configured properly. Am I missing something here? Thank you, Paul DeGeiso

No User
No User

Internet telephony is the appropriate name. Labeling it as VOIP is a misdirection. Anything that transmits voice data and uses IP can loosely be classified as VOIP. The standard VOIP is an IP based phone system that runs on a LAN/Wan network. Although the Internet may be present on that network it is not Internet telephony. Most folks who use Internet telephony use it at home. For those who use Internet telephony this is a very informative article. For those who use VOIP after the confusion it is an interesting read.

Dr Dij
Dr Dij

as a company can be using 'voip' which uses all or in part leased lines between locations. And to confuse it even more, there is now a 'voip' company that DOESN'T use the internet for transmission of the call. Once connected either from your PC or an actual cell phone, it uses their own transmission lines to get to the destination landline or back to the net to PC

No User
No User

Do you have a link or the name of the company I would like to get the details on how they do that. It sounds interesting.