McAfee Inc. researchers are forecasting a new type of security headache for IT departments to deal with known as SPIT storms.
SPIT (spam over Internet telephony) is an emerging threat that will likely materialize within the next year or two, said Jimmy Kuo, fellow for the McAfee Anti-Virus Emergency Response Team (AVERT). “It can happen today because all the technology is there. Spammers can spoof caller ID numbers. That’s the thing that will enable VoIP spam.”
Making long-distance calls costs money on traditional phone networks, but with VoIP, the cost of international calls will be virtually nothing. “Someone from Russia can register a New York number and make calls with fake caller ID,” said Kuo.
No actual cases of SPIT have been reported yet. However, Quovia, a Maryland-based start-up that offers VoIP anti-spam and management tools, created a stir last year by developing a test program that generated enough SPIT to knock out a call manager in the Quovia labs capable of handling 100,000 phones. How would you feel if you got into the office in the morning and had 160 voice mails?Bruce Schneier>Text “All an offshore spammer would need is a laptop with an Internet connection,” says Choon Shim, CTO at Quovia. “He could create a pre-recorded WAV file, and a Java program to generate SPIT is easy, less than 200 lines of code.” Spammers can also create “SPIT bots” to harvest extension numbers and IP addresses from unsecured servers, since VoIP networks can be sniffed via their unique signaling patterns, says Shim.
SPIT would have a far greater impact on productivity than e-mail spam. Voice mail messages have no subject line, so human filtering would be very time-consuming. “How would you feel if you got into the office in the morning and had 160 voice mails? Of which you may want to hear three, but you’re not going to know which ones they are until you walk through them all?” said security expert Bruce Schneier.
Schneier agreed that there’s a certain inevitability to the emergence of SPIT.
“There’s nothing subtle or weird here, it’s just pure economics,” says Schneier. “The only thing that’s going on, and it’s true for any advertising on the planet, when the cost changes, the volume changes. With VoIP, we’re going to have very cheap phone calls. We all knew this was coming because it’s so obvious.”
Telemarketers using computers to generate calls locally to plain analogue phone numbers are not a major problem today, relatively speaking. But the scale of damage made possible by VoIP makes a difference. “With current phone systems, you need to dial one number after another sequentially,” explained Shim. “But with VoIP, you can generate 2,000 messages per minute; that was the SPIT rate in our test.”
So why hasn’t any SPIT happened yet? According to a recent IDC study, only about 12 per cent of Canadian companies with 100-499 employees have adopted VoIP. “It’s market versus effort,” said Shim. “Currently, the market is small and not really attractive to spammers. But one analyst projected 90 per cent of new phone installations will be VoIP by 2008. It will be a totally different picture by then.”
Shim also claimed some real instances of SPIT have already occurred. “I’ve been contacted by a couple of phone companies selling VoIP services. But they didn’t want to go public, obviously.” Networking hardware manufacturer Cisco Systems Inc. is treating SPIT as a credible threat and is preparing for it. “There are many ways to protect a network from threatening traffic and there’s no one answer for voice or data or video,” said Brantz Myers, director of enterprise marketing at Cisco Systems Canada in Toronto.
Cisco is taking a multi-pronged approach to the problem, using similar techniques developed for spam, such as access control management to detect IP addresses coming from known threats or unknown sources, identifying tell-tale signatures or key words like “Viagra” in the voice stream, and pattern analy