CSIA this week asked Congress to include security recommendations for VoIP as it revises the 1996 Telecommunications Act.
The group also said that key VoIP companies and researchers will meet next month to plan a national honey pot VoIP security test bed to begin to address some of their concerns.
VoIP is vulnerable to some of the same threats as any internet application, such as denial of service attacks. Compromised VoIP systems could also allow eavesdropping and voicemail hijacking, said CSIA. Adding an extra layer of security infrastructure could help resolve some of these issues, but not all of them.
Some of the same problems we see on data networks, we’re going to see on voice networks, said Paul Kurtz, CSIA executive director, And they will even be more complicated because some of the security tools we use on data networks are not as easily applicable on voice networks.
A major VoIP attack, which has not yet happened, could disable critical infrastructure and cripple VoIP-based emergency systems, Kurtz said.
Too little is known about VoIP security today to make specific policy recommendations to Congress yet, Kurtz said. But the CSIA will hold an event next month, out of which Kurtz expects will come some recommendations.
By submitting a detailed report to Congress on the issue, Kurtz said CSIA is trying to raise the level of understanding and awareness for VoIP reliability and security issues before we get into a situation where we have large scale attacks.
The biggest problem within the next few years will be spam over IP telephony, or SPIT, said Ram Dantu, assistant professor of computer science at the University of North Texas.
E-mail spamming is a very big issue right now, the same thing will happen with voice spamming in two or three years’ time, Dantu said. So, we need some techniques to stop this.
To develop VoIP security technology, some industry players, including Bell Laboratories, Sprint, Verizon, BellSouth, Cisco Systems and Juniper Networks will team on test bed research, Dantu said. MIT, UC Davis and the University of Tulsa, among others, will join them.
We want to see what is the damage that can be done by DoS attacks and spamming … we are pooling resources on this project, Dantu said. We want to test our filters.
The group will meet to work on details and a timeline for the research on June 1 and 2 at a conference, co-hosted by Dantu’s university, CSIA and George Mason University, in Washington, D.C.
Kurtz said CSIA has invited the Federal Communications Commission to next month’s event. Representatives from the Department of Homeland Security and the Department of Defense will attend.
While he expects the conference will bear recommendations for government on VoIP security, Kurtz sidestepped the issue of VoIP regulation, saying it was too early to call. There’s a lot of space between the free market and regulation, he said.