Computer Crime Research Center


VoIP hackers

Date: June 15, 2006

The arrest of a wholesale VoIP entrepreneur last week for fraud and hacking points to much more than a criminal mind cheating the system – it brings to light the oft-unspoken fact that VoIP networks have a long way to go in terms of security. The publicity also scares providers and security vendors because they fear losing customers.

The federal government on June 8 arrested Edwin Andrew Pena, 23, owner of Fortes Telecom Inc. and Miami Tech &Consulting Inc., for hacking into other providers’ networks, routing his customers’ calls onto those platforms, then billing those companies and pocketing the proceeds. He reaped more than $1 million. (see story)

This was the “first large attack on a voice system that’s being reported,” emphasizes Andrew Graydon, chair of the security requirements committee of VoIP Security Alliance (VoIPSA). “It’s known that there have been problems in the industry for a while,” he says, noting that security vendors and VoIP providers have kept a lid on such issues because they don’t want to upset their customers. The U.S. Attorney in New Jersey filed charges against Pena, apparently on behalf of compromised provider Net2Phone Inc., which is based in the Garden State and did not return requests for comment from New Telephony.

Industry watchers were left wondering how the attacks were able to happen; the ironic answer, say several experts, is that everything old is new again. The attacks vendors and providers are facing now are the same ones they experienced in their data networks 10 years ago, says Core Security Technologies’ Max Caceres, director of product management. Core Security specializes in network penetration testing, which means it uncovers vulnerabilities in communications software, proprietary and open-source alike. IT folks have all but plugged security holes in data networks; the trouble is, they didn’t look at voice over the Internet in the same way. “They haven’t viewed it as an application that goes over the Internet,” says Graydon. “As soon as you see voice as an application, you start to protect it the way you protect e-mail.”

Agreed, says Caceres. The more functionalities a system has, the more holes it can contain. He points out that two of the main reasons for moving to VoIP are to save money and add services. But, “[t]hose services come at a cost because they add complexity to the network.” Hackers have discovered voice networks’ vulnerabilities because IP communications largely have not been incorporated as part of companies’ networks, he adds.
Original article

Add comment  Email to a Friend

Copyright © 2001-2013 Computer Crime Research Center
CCRC logo