NEW YORK - After four years of pondering, Bruce Stevens is finally ready to buy a service for making phone calls cheaply over the Internet.
Jeff Pulver, of Pulver Communications, smiles as he demonstrates his free video and talking VoIP (voice over Internet Protocol) device at a tradeshow in San Jose, Calif., March 14, 2005. Pulver, founder of Free World Dialup, believes VoIP security concerns are overblown. Associated Press
The New Orleans graphics designer just isn't ready yet to rely on it as his sole means of communications: He'll keep his cell phone, even if it means an extra $60 a month.
"Since it's all brand new, there are always unexpected things, things you never would have dreamed would be a problem," Stevens said. "You could mark me down as having a slight fear of the unknown."
A computer virus, for instance, could knock out Internet service - and with it the phone line. An Internet service provider that happens to be the local phone company might decide to cripple the technology entirely. Or 911 might not work properly - something callers wouldn't think to check until they need it most. Eventually, eavesdropping could also be a serious concern.
Cheap as they may be, Internet-based phones carry risks not encountered with conventional landline and cell phone services.
"Just think about how often your home Internet connection goes down as compared with your conventional home telephone system, which almost never goes down," said Rick Kuhn, a computer scientist at the National Institute of Standards and Technology, which recently published a study warning of such dangers.
But few customers are even aware of the potential for problems, said Mark Rasch, senior vice president at security company Solutionary Inc. Although people were initially wary about cell phones, he said, Internet-based calling "is perceived as picking up the same phone, making the same call, just using a different service."
Take Peter John, who was lured by the prospect of unlimited domestic calls for about $32 a month - half of what he was paying SBC Communications Inc.
He and his wife were both bleeding from gunshot wounds inflicted in an armed robbery at home by the time his teenage daughter realized their Internet phone wasn't activated for 911.
John had always assumed, "If the phone works, 911 must work." The Houston couple has since bought a cell phone just for emergencies.
Voice over Internet Protocol, or VoIP, phones break voice signals into small data packets that travel the Internet just like e-mail or Web pages. But unlike conventional phone calls, which are carried over dedicated circuits, data packets can traverse several networks and devices before getting reassembled into sound at the destination.
"There are so many moving parts involved, and each of those individual devices has to be functioning at a 100 percent level," said Gerhard Eschelbeck, chief technology officer at security vendor Qualys Inc.
Johannes Ullrich, chief technology officer at the SANS Institute's Internet Storm Center, says the complexity introduces more points of attack, from the Windows computers that run software for some phones to the routers where traffic gets handed off from one network to another.
But that doesn't concern him too much, Ullrich said.
"It's cheap enough where I'm willing to take the risk," he said via his Internet phone.
Nor does it faze Mike French, who got VoIP service in December and will soon dump his conventional phone.
"I don't expect to have privacy. I don't say things or do things that I wouldn't be afraid to say out in the open," the Huntsville, Ala., electrical engineer said. "If this were my only phone, (the security risks) would be a big concern, but we do have three other cell phones in the house."
VoIP providers say conventional phone networks have problems, too.
Engineers simply have designed ways around them so customers never know, said Bryan Martin, chief executive and chairman of 8x8 Inc. VoIP networks will get as robust over time, he said.
Jeff Pulver, founder of Free World Dialup, believes concerns are overblown.
On privacy, for instance, although "traffic sniffers" might capture and reassemble data packets in transit, he said listening in on a call requires having all the pieces, which might take multiple routes to reach a single destination.
Of the potential threats, the chief technology officer of Vonage Holdings Corp. is worried most about tapping in for free calls. But Louis Mamakos said fraudsters are more likely to open new accounts with stolen credit cards than to figure out how to crack the service's validation scheme.
Yet Mamakos understands the fears.
"It's a bit of an unknown to people, so people are going to be skeptical," he said.
Security risks with Internet phones can be divided into two broad categories.
The first affect other types of Internet applications as well. A virus could bring down a company's network, meaning no phone calls, either. And if spammers can flood inboxes, couldn't they also automate telemarketing calls?
Then there are risks unique to Internet phones.
A hacker might trick a phone into obtaining a software update from a rogue server, or toss a fake "hang up" command into the data flow - perhaps as a caller is trying to land an important job interview.
Some services let you take phones on vacation, and hackers might decide to trick the system and redirect your calls to them instead.
All kinds of mischief are possible: A rival might try to capture your business sales lead. Or a snoop might listen in on a neighbor's secret calls to a lover.
Though these attacks would be difficult to perform today, security experts believe that as such phones get more popular, hackers will have greater incentive to develop tools for automating such attacks - just as they have with viruses and other computer threats today.
As for reliability, phone providers are still trying to make their systems fully compatible with 911.
In some cases, phones might ring a non-emergency number or fail to provide caller ID details like location - crucial when a caller can't speak.
And during blackouts, traditional phones can draw upon electricity in the phone lines, but an Internet modem will fail without backup power.
Last month, a group of VoIP vendors and security researchers formed the VoIP Security Alliance to research such issues and develop countermeasures.
Many customers see VoIP only in terms of costs and convenience, and the group will try to raise awareness about security, said its chairman, David Endler.
Security companies like Qualys and NFR Security Corp., meanwhile, have recently developed VoIP-specific tools for businesses. Qualys updated its vulnerability auditor last summer to identify VoIP-specific threats, while NFR started offering a package in February to look for anomalies in VoIP traffic.
"Security tends to be an afterthought," said Andre Yee, NFR's chief executive. "We believe security managers will be scrambling to catch up."
For consumers, though, it's mostly buyer beware.
Providers generally disclose the limitations - 8x8 spells them out in a nine-page service agreement that customers must sign. But Eschelbeck of Qualys said security isn't emphasized in the sales pitches he reviewed from six VoIP providers.
"We're in the very early pioneers day," he said. "The first thing industry is trying to do is to make it work."
Potential risks with Internet phones:
-VIRUS-RELATED OUTAGE: A virus might bring down a company's network, and with it phone service carried over that network. And without a phone backup, a user of Internet-based phones might have trouble calling tech support.
-WINDOWS VULNERABILITIES: Some phones run entirely on PCs. Even with standalone phones, some business systems rely on call-management software that runs on regular Windows computers and is susceptible to their security vulnerabilities.
-SNIFFING: Network traffic might pass through sniffers that can capture and reassemble data packets, whether they are for e-mail, instant messages or voice calls. Even if the call is encrypted - and most aren't - it might still be possible to tell who's calling whom and for how long.
-BROAD WIRETAPS: The federal government is considering requirements for providers to build in mechanisms for law enforcement to wiretap calls. Privacy advocates warn it would be difficult to separate calls authorized by courts for wiretaps from those of neighbors or from other Internet traffic like e-mail, resulting in broader surveillance.
-ROGUE FIRMWARE: Phones themselves typically use proprietary software that gets updated periodically over the Internet. A hacker might be able to trick the phone into obtaining an update from a rogue server instead, and the new software might come with spying or other malicious capabilities.
-HANG UP: Many systems rely on Internet standards that carry known risks, including the ability to toss a fake "hang up" command into the data flow.
-ROAMING: Several Internet phone providers tout the ability to take service with you when you're on vacation or working from home. Hackers might trick the system into thinking your phone has moved, and your calls will then go to them.