Hackers highlight holes in VoIP security

Stuart Corner
Saturday, 10 June 2006 03:41

Business IT - Technology

Two US hackers charged this week with a large scale VoIP scam could well have done the world a major service:  demonstrated convincingly what many experts have long been saying, that VoIP networks are just as vulnerable to  all the same sorts of nefarious activity as the Internet in general.
The multimillion dollar fraud was a particularly convincing demonstration because their multimillion dollar scam not on naïve end users of VoIP services but on VoIP service providers. The fraudsters  are alleged to have carried their traffic at cut price rates by offloading it onto the networks of other VoIP service providers. The scam also relied on vulnerabilities in at least one corporate network.

It required a two step process: finding a means of hiding the origins of the traffic, and then finding ways of getting it into the networks of unsuspecting VoIP service providers.

It is alleged that the two con men scanned routers of companies all over the world looking for router ports used for VoIP calls and that they eventually chose a router operated by a hedge fund company in New Jersey. Court documents claim that they ran more than six million scans for such ports over a four month period.

To get access to VoIP providers' networks they then bombarded these networks with calls using different prefixes in order to determine the unique identifier used by that provider to identify and admit its own calls from the Internet.

The increasing proliferation of VoIP is likely to create opportunities for criminals at every level: there are also reports in the US of VoIP calls to call centres being 'hijacked'  and diverted to operators masquerading as a company's  call centre operators who then obtain confidential information from customers.

With Skype software now sitting on millions of personal computers it presents a huge opportunity for hackers, and is far harder to manage than licensed commercial software such as Microsoft Windows.

Only last month Gartner Group warned enterprises against allowing the use of Skype, noting that a major vulnerability had been discovered details of which Skype had posted on its website but had made no effort to alert customers about.