Net phones vulnerable to sabotage
Viruses, attacks can cripple systems, which are gaining popularity
It takes something really big -- like Hurricane Katrina -- to disrupt the nation's telephone system on a massive scale. But in a few years, it might only require something as simple as a computer virus.
That's because American businesses and individuals are moving to voice-over-Internet Protocol or VOIP telephone systems, which use the same underlying technology as the Internet. And just like the Internet itself, these new systems are vulnerable to viruses, worms and other forms of deliberate sabotage.
Industry specialists at a major Internet phone trade show in Boston this week said that companies that rely on the technology have already come under attack by Internet vandals. ''I can tell you that financial service companies have had this happen. Call centers have had this happen," said Albert Behr, chief marketing officer at security hardware maker BorderWare Technologies Inc.
Behr said that in one case, a call center that used VOIP to relay customer service calls to the Philippines was shut down by a ''denial of service" attack. An attacker bombarded the phone system with so much data that it was overwhelmed and couldn't function. It's the same kind of attack that was used early in 2000 to bring down some of the Internet's biggest sites, including Yahoo and eBay. But this time, it was the phone system that suffered.
Behr refused to identify the victims of these attacks, citing confidentiality agreements with the companies. But he and other experts say that few Internet phone companies are taking the issue seriously.
''Everyone sees the cost benefits, but nobody's talking about the security concerns," said Ejove Nuwere, chief technology officer of SecurityLab Technologies Inc., a security consulting firm in New York.
The largest Internet phone provider in the United States, Vonage Holdings Inc., says its system is safe.
''The key here is spreading the system out across different nodes throughout the world," said Louis Holder, Vonage's executive vice president of product development. Holder said that Vonage's computer network is well dispersed. Therefore, even if an attacker took down a portion of it, enough would remain to correctly route all calls for Vonage's 1 million subscribers. But, Holder claimed, ''a lot of VOIP providers do not do that."
Whatever the risks, interest in the technology is soaring. Researchers at IDC Corp. in Framingham estimate that by 2009, 27 million Americans will use Internet phones at home. Analysts at Deloitte Services LP say that two-thirds of the world's 2,000 largest companies will use the systems by next year.
Consumers and businesses are attracted by the low cost unlimited long-distance and international calls. Internet phones can also serve as a backup to traditional systems in emergencies. After New Orleans was hit by Hurricane Katrina, city officials lost access to normal phone service, but were able to contact the outside world through a Vonage Internet phone line.
In addition, because the systems use Internet technology, it's easy to integrate them with other digital communications systems, like video conferencing, e-mail and instant messaging. The old phone networks promised cheap videophone service for years, but never delivered. Today, you can buy a color VOIP videophone for about $200 at a local Best Buy.
Of course, any Internet-based technology is susceptible to worms, viruses, spam messages, and data theft.
SecurityLab Technologies tested five leading Internet phone software packages, and found at least two serious security bugs in each of them. Nuwere compares the current state of VOIP security to the early days of the Internet, when few software products were hardened against deliberate attacks. ''It's like 1999 all over again," Nuwere said.
In some ways, Internet phones can be more secure than traditional systems. Because the phones transmit speech in the form of digital packets, the computer-based systems can be harder to tap than standard phones. ''When it comes to people hacking in and eavesdropping . . . it's very hard to do," said Vonage's Holder.
However, computer hackers have found that an Internet phone can be rigged to display a false phone number on Caller ID. Many companies, including some credit card firms, use Caller ID to confirm that a caller is a legitimate customer. A clever criminal, using a fake caller ID number, could gain access to someone's sensitive financial data.
Internet phone equipment can also be programmed to ignore Caller ID blocking. Some callers conceal their numbers from Caller ID to protect their privacy. But some VOIP systems can be programmed to capture the caller's number whether he likes it or not.
The biggest potential threat comes from the risk that a network will be infected by a major computer worm. Dug Song, security architect at data security firm Arbor Networks Inc. in Lexington, said that several of his firm's customers lost the use of their internal Internet phone systems in January 2003 when the Slammer worm devastated large portions of the Internet worldwide. ''Enterprises have to take special care to make sure their voice networks aren't also affected" when the Internet is under attack, said Song. One possible solution is a corporate network that handles only voice traffic and is entirely separate from the data network.
But this solution won't help millions of consumers who are being urged to rely entirely on services like Vonage and Verizon Communications' VoiceWing. Vonage cofounder Jeff Pulver, who sponsored this week's Boston VOIP conference, admitted that Internet phones carry risks, but adds that they are far outweighed by lower costs and greater versatility.
''It's not really a question of whether we should or we shouldn't," Pulver said. ''It's inevitable to me that communications goes to IP and stays there, until something better goes along."
Hiawatha Bray can be reached at email@example.com.