This is Google's cache of http://www.communicationsresearch.net/news/news26jan06.html as retrieved on 29 Jan 2006 03:40:57 GMT.

A GROUND-BREAKING INITIATIVE SPONSORED BY CMI AND SUPPORTED BY BT
The Communications Research Network


Communications experts warn of VoIP security issues

A group of communications experts has discovered a potential security loophole in Voice over Internet Protocol (VoIP) applications that could give criminals operating on the Internet a better way of covering their tracks.

The Communications Research Network (CRN) is a unique community of industry experts, academic pioneers and policy makers, dedicated to mapping and shaping the future of the communications industry. Funded by The Cambridge-MIT Institute - a joint venture between Cambridge University and the Massachusetts Institute of Technology - the CRN researches key issues facing the communications industry. A Principal Investigator of the CRN - Jon Crowcroft, Marconi Professor of Communications Systems at Cambridge University - has discovered that VoIP applications could provide excellent cover for launching denial of service attacks.

The scale of the denial of service (DoS) problem, where networks are brought down by flooding them with emails, is notoriously difficult to assess. Many attacks are simply not reported because organisations fear they may undermine client confidence in their security. The number of "zombie" computers being used to carry out these distributed DoS attacks is another unknown, but estimates always range in the millions. Unknown to their owners, security failures on these computers have allowed criminals operating on the net to take control and install malicious software. The software is generally used for sending large amounts of unsolicited email (spam) or for transmitting large amounts of low-level uncontrolled traffic in a distributed denial of service attack.

Armies of zombie computers can be hired for relatively small amounts of money on the black market, and the attack command is usually given via instant messaging. Internet Service Providers (ISPs) are currently able to survey the instant messaging servers and ascertain from the traffic where the control is coming from and where it is going, and even anticipate an attack. However, if the control traffic were to be obfuscated, then catching those responsible for DoS attacks would become much more difficult.

The Communications Research Network has observed that VoIP tools could offer very good cover traffic for DoS attacks because VoIP runs continuous media over IP packets. The ability to dial in and out of VoIP overlays allows for control of an application via a voice network, making it almost impossible to trace the source of an attack. In addition, proprietary protocols - intended to protect a company's technology edge and prevent ISPs from blocking the VoIP application - inhibit the ability of ISPs to track DoS activity. Encryption for user privacy, peer-to-peer routing, and a superpeer system to assist with call routing and NAT/firewall traversal further obscure the command traffic.

"While these security measures are in many ways positive," says the CRN's Jon Crowcroft, "they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks. Although one could slowly shut down and patch or upgrade the exploited machines, it would be much harder to find affected computers and almost impossible to trace the criminals behind the operation."

Although there has yet to be a recognised instance of a VoIP-coordinated DoS attack, the CRN believes it is only a matter of time before the technique becomes mainstream, and accordingly has shared its findings with the VoIP community before going public.

If left unresolved, this loophole in VoIP security won't just decrease the likelihood of DoS detection and prosecution - it could also undermine consumer confidence in VoIP. Crowcroft suggests that the loophole could be resolved if VoIP providers were to publish their routing specifications or switch over to open standards. These measures would not only allow legitimate agencies to track criminal misuse of VoIP - according to Crowcroft, there's also a clear business case for their implementation. If VoIP providers were to interwork with instant messenger tools that now offer voice, they could stand to increase their market share. And if the routing specifications were to be more transparent, ISPs could traffic engineer for VoIP traffic, delivering a better quality of service to VoIP users.

The scale of the DoS problem is already difficult to assess and combat, and that's without the widespread exploitation of VoIP cover. Despite the enormous cost to business, many attacks are simply not reported because organisations fear they may undermine client confidence in their security. One of the CRN's key recommendations is for the establishment of a central database where companies and individuals can log attacks anonymously, thereby allowing the communications industry to assess the scale of the problem and identify patterns of attack.

"Criminal activity on the internet should be a notifiable event, with registration on a central database," says CRN Chairman, David Cleevely. "It's important to remember that there are more of us good guys than there are bad guys. The more we share information between us, the more we stay ahead of the game."

Press Coverage

A number of articles about this press release have appeared online, including:
