Voice of VOIPSA

There was an interesting story at Reg Hardware about cellco T-Mobile in the UK, and their response to VoIP.   T-Mobile’s Web ‘n’ Walk is a data service aimed at business people, with a flat-topped monthly tariff, however they do not want you to use VoIP or IM with this service, and it is explicitly forbidden.  To quote from T-Mobile’s own webpage:

Use of Voice over Internet Protocol and Messaging over Internet Protocol is prohibited by T-Mobile. If use of either or both of these services is detected T-Mobile may terminate all contracts with the customer and disconnect any SIM cards and/or web ‘n’ walk cards from the T-Mobile network. 

Of course this brings many questions to mind, including “why?”; presumably so that VoIP use does not threaten the normal call revenue.  Another important question is “how?”, since much business traffic is secured by VPN and so it would be impossible for T-Mobile to tell email from VoIP, IM or anything else.  Researchers have documented that the Skype client uses random TCP port numbers, and that the line protocol has been deliberately  obfuscated in order to conceal how it works.  In short detection of Skype traffic is not trivial.

All in all it’s a very interesting example of how the collision of Internet and mobile technology is causing discomfort to telcos.

The Ebay Devcon starts today at the Mandalay Bay, Las Vegas. For the first time this year, there are also sessions on Skype and the Skype API. One session that certainly seems to capture the zeitgeist (judging by this week’s discussions on the Voipsec mailing list) is that of using Skype in the enterprise.

Ebay are certainly trying some new things with their conference, firstly by running it over the weekend from Saturday to Monday, but secondly with the Unconference. The idea of the Unconference is to hand over the conference agenda to the attendees; for some weeks they have been running a Wiki where people can suggest their own topics, and once again I see that someone has nominated Skype for a roundtable discussion on Monday.

A patent filed by Nintendo for a “messaging service” in the US was discovered yesterday, which may provide clues into what Nintendo may be up to with VoIP and messaging systems between their gaming consoles. The patent describes an IM type environment using presence information and user activity information, such as which game the user is currently playing. IGN writes: “Will we be sending messages and chatting during games of Bonk’s Adventure? Or more impressively, does this mean a DS user on the go could text- or voice-chat with a friend at home playing Wii? What about DS-to-DS communication? Nintendo seems to have wide ambitions here, and the possibilities are striking.” As with most new VoIP implementations the security implications should be interesting, especially considering that the Wii when connected to broadband Internet service will be “always on.”

The presentations from last week’s Berlin VoIP Security Workshop are now online.  You can download all the presentations in one file, or you can go to the main conference page and click on Program to see the conference programme with clickable links to download individual presentations.

There’s a fairly spirited discussion happening on the VOIPSEC mailing list regarding the security of Skype and other softphones. VOIPSEC is a mailing list hosted by VOIPSA that is dedicated to discussing VoIP security topics. You can join in the debate by signing up for VOIPSEC here.

The New York Times is reporting a story about Edwin Andres Pena, a 23 year old Miami resident who was arrested today by the Federal government. The Feds allege that Pena was involved in a scheme to sell discounted Internet phone service by breaking into other Internet phone providers and piggybacking connections through their networks unbeknowst to them. According to the story:

To evade detection, Pena is said to have hacked into computers run by an unsuspecting investment company in Rye Brook, N.Y., commandeered its unprotected servers and re-routed his phone traffic through them. These steps made it appear as if that company was sending calls to more than 15 Internet phone companies.

In one three-week period, for instance, prosecutors say that one of the victimized Internet phone providers, based in Newark, received about 500,000 calls that were made to look as if they came from the company in Rye Brook. The Newark company was left having to pay $300,000 in connection fees for routing the phone traffic to other carriers, without receiving any revenue for the calls, prosecutors said.

You can read the entire story here.

New versions of Asterisk were released today that fix a security vulnerability in the IAX2 channel driver:

The Asterisk Development Team today released Asterisk 1.2.9.1 and Asterisk 1.0.11.1 to address a security vulnerability in the IAX2 channel driver (chan_iax2). The vulnerability affects all users with IAX2 clients that might be compromised or used by a malicious user, and can lead to denial of service attacks and random Asterisk server crashes via a relatively trivial exploit.

All users are urged to upgrade as soon as they can practically do so, or ensure that they don’t expose IAX2 services to the public if it is not necessary.

Slightly more detail about the flaw is available in the Changelog:

* channels/chan_iax2.c: ensure that the received number of bytes is
included in all IAX2 incoming frame analysis checks (fixes a
known vulnerability)

Hank Cohen of Hifn sent along this article taking a look at cryptography in VoIP both for signalling and for voice. He explains the various proposals (including TLS/SSL, IPSec and Datagram TLS) and provides his view of the advantages and disadvantages of each proposal. Here is a brief taste of the longer article:

I believe that we first need to divide the VoIP cryptography problem into two parts; signalling security and media security. The requirements for these two areas are quite distinct so we need to be careful not to lump them together. Signalling connections may be persistent for long intervals but they tend to carry only a few short messages. Furthermore although signalling messages must be delivered in a timely manner they are not real time in the sense that their value degrades if latency or jitter increases, assuming that they are delivered soon enough that a connection can be created in a reasonable amount of time. Media on the other hand has stringent real time constraints. If media packets are not delivered within strict limits of latency and jitter their value can decrease to the point where call quality will be better if they are discarded rather than delivered late.

There is an interesting analogy between signalling security in the PSTN and VoIP. In the PSTN in-band signalling was found to be vulnerable to all sorts of hacks through your namesake BlueBoxes. The final solution to the Phone Phreak problem was for the PSTN carriers to create a completely separate signalling network inaccessible from the media network: thus was SS7 born. In the world of VoIP signalling is inherently in-band but we can use cryptographic VPN technology to build a virtual private signalling network with the same technology that enterprises have been using for years now to build virtual private data networks.

There are three proposals floating around the VoIP world for signalling VPNs; SSL or TLS secured signalling tunnels, IPsec secured signalling tunnels and most recently Datagram TLS secured signalling tunnels. I would like to offer some pros and cons for each method.

Follow the link below to read Hank’s full article and if you have a different view (and I expect some will) on the different proposals, please do feel free to leave a comment to this article.

We thank Hank for providing this article and please do know that we are always open to publishing guest articles such as this. Just contact me or one of the other weblog authors if you would like to have an article appear.

(more…)

What forms of social enterpreneurship would most benefit the art of VoIP and in turn benefit your company and the public ? VOIPSA wants to know. In a recent survey over 25% of the VOIPSA advisory board expressed interest in time contributing to some charitable purpose for VoIP beyond their job, family and professional responsibilities. This is high number for voluntary action and encouraging. What if serving the public helped you, your employer and the community ? What kinds of projects might benefit the public appeal to grant funding and give your company an account you could reference and leverage for selling?

• Community VM via ip-PBX and hosted VoIP for people displaced in emergencies
• Mobile VoIP based telephony for rural 3rd world communities

When WalMart was established it sold outside of the major cities. Turns out there’s lots of money there. What else would you put on the list above.

Blue Box Podcast #28 is now available with about a 14-minute interview with David Endler, Chair of VOIPSA, where he discusses such things as:

• The background on the creation of VOIPSA
• VOIPSA’s major accomplishments in its first year
• What’s next for VOIPSA
• New projects
• How people can help

Jonathan and I of course cover recent VoIP security news and have some great comments from listeners. Show notes and links to topics discussed are all available on the episode’s page.