VoIP Scam Raises Security Questions

As VoIP technology becomes commonplace, advocates have assured skeptics that digital-voice networks will be no more difficult to secure than data. But a high-profile scam has possibly put a dent in those contentions.

In June, federal authorities arrested a Miami man for perpetrating a scam to resell Internet telephone service to which he allegedly gained access by hacking into the lines of legitimate Internet phone companies. They also arrested a computer programmer in Spokane, Wash., in connection with the case.

Allegedly, the Miami man, who has raked in more than $1 million in connection fees since late 2004, made the phone companies carry extra traffic for two wholesale phone-service companies he had started.

Federal officials say that the man offered wholesale phone connections at discounted rates to small Internet phone companies. Rather than purchasing network access, he allegedly used hackers to tap into Internet phone-provider networks in New York, then routed customers' calls over them. One phone company paid about $300,000 in connection fees on behalf of the alleged perpetrator.

The most troubling part of this "piggyback scheme" is that it wasn't very hard to pull off. Given that most voice packets from Internet phone companies are sent without encryption, it's fairly simple for infiltrators to reroute them by installing new prefixes, sources say.

"You can't trust data-security products to protect VoIP traffic; voice has been delivered on trusted, separate voice networks," says Seshu Madhavapeddy, CEO of security vendor Sipera Systems. "On the Internet, it's a free-for-all. A comprehensive VoIP security strategy is vital to protect these services, and a whole new set of techniques is needed to secure them, including application-layer spoof detection, user behavioral learning and fingerprinting, user-intention verification and machine-call detection."