Saturday, June 21, 2008

SPAM OVER INTERNET TELEPHONY: THE DARK SIDE OF VoIP

Technology is always a two-edged sword. On one hand, it can be beneficial to mankind; on the other, it can be intentionally used to cause harm or, at the least, inconvenience. The research paper by Dr. Andreas U. Schmidt, Nicolai Kuntze, and Rachid El Khayari titled "Spam Over Internet Telephony and How to Deal with It" is a case in point. It studies the phenomenon and methodology of propagating unsolicited, bulk calls over Internet telephony.

Wikipedia [1] defines Internet Telephony as the use of the Internet infrastructure to send phone calls either to phones connected to computers or to land line or mobile phones. The actual technical term used is Voice over Internet Protocol, or VoIP. The advantages of VoIP are outlined in [2]: low cost, simplicity, and “multimedia functionality”. When a company decides to provide standard telephone service, it has to build and pay for its own infrastructure or telephone network. Obviously, the capital outlay is tremendous and makes the phone services expensive. However, if the company uses VoIP technology, it can use the existing infrastructure of the Internet, saving the company time and money. This brings the cost of calls down. VoIP is simple because it uses the existing network protocols. The protocol that defines VoIP is called the Session Initiation Protocol (SIP). According to Wikipedia, SIP sits in the Session Layer of the OSI model and uses the existing transport protocols, whether TCP, UDP or SCTP, and the other protocols used in the Network, Data Link and Physical layers. It is like a module which you plug into a running system and which uses the other existing modules in the system. Lastly, since VoIP uses the Internet, it can draw on existing Internet technologies to offer a richer mix of services such as video conferencing, data and video downloads, and others.

However, while VoIP has gained a lot of advantages by using the Internet, it has also inherited some of the problems that continue to plague this network. Sipera Systems' VIPER Lab, a Texas research company that specializes in VoIP, has identified the VoIP security problems of 2008, of which SPAM is one [3]. The paper [2] defines SPAM as unsolicited and, mostly, bulk email. The authors coin the word SPIT, or SPAM over Internet Telephony, to differentiate VoIP SPAM from email SPAM. They are obviously concerned about SPIT because SPAM comprises 80 to 90 percent of email traffic. They are afraid that the same will eventually happen with SPIT, thereby clogging the network with unwanted traffic.

SPAM and SPIT are similar in the sense that both are unsolicited (and annoying) communication. But aside from this, they differ in the way each operates. SPAM mails are automatically received by mail servers before they can be accessed by the recipient. This allows the server to detect and filter out SPAM before it reaches the victim. On the other hand, SIP is a connection-oriented protocol which requires that a communication session be established before the message is delivered. This means that the phone has already rung and the call has been accepted before the recipient realizes it is SPIT. By then, the damage has been done: the victim has already been disturbed and the SPIT message delivered. It is for this reason that the paper [2] considers SPIT more difficult and challenging than SPAM.

The paper [2] studied and analyzed the cutting-edge SPIT countermeasures. It came up with the following categories: device fingerprinting, whitelists and blacklists, reputation systems, Turing Tests and computational puzzles, payment at risk, and intrusion detection mechanisms and honey phones. Device fingerprinting compares some features of the device used to make the call (the User Agent), specifically the order and appearance of SIP headers, with those of "standard" devices. Those that fail to conform are rejected. This is done during session handshaking. A whitelist consists of acceptable callers, while a blacklist is its opposite. Reputation systems let the recipient assign a grade to callers which identifies them as SPIT or otherwise. In the next attempt at handshaking, the grades determine whether a connection is allowed to be established. The Turing Test distinguishes human callers from web robots, or bots. Since most SPAM and SPIT are delivered by bots, it is a way of identifying SPIT. Intrusion detection systems usually count the number of calls a particular telephone address, or Uniform Resource Identifier (URI), makes over a period of time and compare it with the average number of calls over time. A URI which makes 100 calls in an hour will most likely be sending SPIT.

However, all the countermeasures enumerated above also contain weaknesses which allow them to be circumvented. For example, the fingerprint of a software User Agent can be modified to appear like normal SIP headers. The paper calls this fingerprint spoofing. Or, in the case of the Turing Test, the call can be forwarded to a human call agent who will solve the test. To defeat the intrusion detection mechanism, the SPITter can lower the average number of calls over time to mimic the normal average. All in all, the paper [2] concludes that more research should be done to counter SPIT.
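The call-counting check described above, as an added example that is not code from the paper or from this post: a sliding one-hour window per caller URI, run over constructed proxy log lines. The log format, the URIs and the function names are assumptions for illustration; the default threshold of 100 calls per hour is the figure used in the text.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_log():
    """Constructed proxy log lines in an assumed format: '<ISO time> INVITE <caller URI>'."""
    t0 = datetime(2008, 6, 21, 9, 0, 0)
    # One caller placing a call every 30 seconds, one every 3 minutes, one occasional caller.
    calls = [(t0 + timedelta(seconds=30 * i), "sip:bulk@example.net") for i in range(120)]
    calls += [(t0 + timedelta(minutes=3 * i), "sip:slow@example.net") for i in range(60)]
    calls += [(t0 + timedelta(minutes=40 * i), "sip:alice@example.org") for i in range(4)]
    calls.sort()
    return [f"{ts.isoformat()} INVITE {uri}" for ts, uri in calls]

def parse(line):
    """Split one log line into (timestamp, SIP method, caller URI)."""
    ts, method, uri = line.split()
    return datetime.fromisoformat(ts), method, uri

def peak_call_rates(lines, window=timedelta(hours=1)):
    """Return {uri: highest number of INVITEs seen inside any single window}."""
    recent = defaultdict(deque)   # per-URI timestamps still inside the window
    peak = defaultdict(int)
    for line in lines:
        ts, method, uri = parse(line)
        if method != "INVITE":    # only call attempts count
            continue
        q = recent[uri]
        q.append(ts)
        while ts - q[0] >= window:  # drop calls older than the window
            q.popleft()
        peak[uri] = max(peak[uri], len(q))
    return dict(peak)

def flag_spit_suspects(lines, threshold=100):
    """URIs whose peak hourly call count reaches the threshold."""
    return sorted(u for u, n in peak_call_rates(lines).items() if n >= threshold)

if __name__ == "__main__":
    log = sample_log()
    for uri, n in sorted(peak_call_rates(log).items()):
        print(f"{uri}: peak {n} calls/hour")
    print("flagged:", flag_spit_suspects(log))
```

The constructed caller `sip:slow@example.net` peaks at 20 calls per hour and is not flagged, which is the limitation the paragraph above attributes to this countermeasure.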

It is interesting to note that given the 3 phases of the SPIT cycle (gathering URI addresses, establishing a session, and delivery of the message [2]), most of the current SPIT countermeasures act only during the phase when SPITters attempt to establish a communication session with their intended victims. Come to think of it, the initial phase of gathering URIs is crucial because without the phone addresses, SPIT cannot be sent to a target. If there is a way to protect the VoIP proxy servers from scanners, it may help limit SPIT to a manageable level.

The greater question for me is: will VoIP ever be made safe or impervious to attacks or misuse?
I don't think so, for however man strives to improve technology, there will always be talented people who will be drawn to the dark side of technology, always looking for weaknesses to exploit and ways to misuse technology.

Philosophically, the paper only underscores the dialectical nature of technology. It will always have a Yin and a Yang. This should not mean that man should shrink from the pursuit of innovation; rather, it emphasizes the point that the struggle of change and the ascending spiral of creation and destruction will be as eternal as the struggle between good and evil.

References

[1] Wikipedia, http://www.wikipedia.org

[2] Dr. A. Schmidt, N. Kuntze, R. El Khayari. Spam over Internet Telephony and How to Deal with It, 2008

[3] J. Higdon. The Top 5 VoIP Security Threats in 2008, Jan. 24, 2008. VOIP-News
