Report: Attackers Can Hide Behind VoIP
Security researchers with the Communications Research Network (CRN) said they have discovered loopholes in VoIP applications like Skype and Vonage that could give hackers a way of covering their tracks. Attackers could hide behind VoIP because the data streams sent by these applications are continuous.
CRN is a joint venture between the Massachusetts Institute of Technology and Cambridge University. The group said it had not yet heard of attackers using the technique, but that it would likely not be much longer before that happens.
VoIP is especially useful for covering up denial of service (DoS) attacks, CRN explained. In a DoS attack, hundreds or even thousands of "zombie" computers infected with malicious software transmit large amounts of traffic in a short period of time, aimed at a particular server. The goal is to overload the server and cause it to lock up or shut down.
The proprietary software that ensures Internet phone calls cannot be blocked by ISPs or firewalls also makes it impossible to trace the VoIP call. Traditionally, attackers have used instant messaging protocols to launch such an attack.
"While these security measures are in many ways positive, they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks," CRN's Jon Crowcroft said.
Furthermore, if VoIP begins to be used as a method for Internet attacks, Crowcroft said it could threaten the nascent industry and drive most users away. He suggested that companies should work together and make their products utilize routing specifications based on open standards.
CRN is pushing for a central reporting system for DoS attacks. Currently, most organizations underreport attacks out of fear that revealing them may undermine customer confidence. The database should be anonymous, CRN says, thereby allowing the communications industry to assess the scale of the problem and identify patterns of attack.
"It's important to remember that there are more of us good guys than there are bad guys," said CRN chairman David Cleevely. "The more we share information between us, the more we stay ahead of the game."