Voice of VOIPSA

Cable Hastens Telco Phone Line Losses

Cable Digitial News, who recently sold themselves to the parent of Light Reading, recently put up an interesting article saying that cable now has 62% of the 6 million customer residential VoIP market; up from 52% a year ago.  The telcos have been seeing an erosion north of 8 million lines per year and claim to be reducing the churn to closer to 6 million this year.  I scratch my head at that one.  I see the trend going in the other direction now that Comcast and Charter have launched cable VoIP products in most of their footprint.  That’s almost 50% of the US market that didn’t have a cable VoIP option a year ago.  I see the churn to cellular-only picking up speed, too.

The article couldn’t resist taking a pot shot at Vonage… the poster child of failed IPOs.  Like everybody else, I’ve been watching it crater.  The FCC news this week that Vonage is going to be required to pay into Universal Service Fund just further erodes their price advantage against the telco wireline product and the cable VoIP product.  This after rulings about CALEA and 911 requirements.  I think the company will end up being worth their cash plus about $100 per subscriber. 

It’s unfortunate that the lay person now thinks VoIP == Vonage and the brand is associated with low quality and a gigantic stockmarket failure.  The cable VoIP product has quality parity with the telco wireline product.  It just goes to show that if you set out to build a quality product rather than take advantage of regulatory arbitrage, you end up winning in the end.

An interesting factoid I’ve picked up recently is that when cable companies sell or trade properties to other cable operators, they value each customer who takes their VoIP product $1000 more than one who doesn’t.  I think this is going to be a big incentive for cable operators to roll out VoIP in their smaller markets since those are the properties that tend to be traded around frequently.  I’ll refrain from talking about my own company but Nortel just announced a scaled down version of their product called the CS 1500 that is clearly targeted at smaller markets. 

Obligatory mention of VoIP Security:

I’ve found myself deluged both from executives within my company and from the cable-oriented trade press about the Net2Phone theft of service hacker case.  There were all kinds rumors flying around that our product was somehow involved.  I had to run through the littany of layers of security that protect cable VoIP. 

• DOCSIS is encrypted with 56-bit DES
• Cable modem chips can only listen on the downstream.  You need a $10K piece of test equipment to sniff the upstream
• The media terminal adapter (MTA) has a digitial certificate burned into it
• The MTA authenticates with a Kerberos Key Distribution Center as part of the boot & provisioning sequence
• The MTA is bound to a single Cable Modem Termination System so a cloned MTA will only work in a small geographical area
• PacketCable Softswitches sit behind firewalls
• Nobody turns on signaling or media security today but all the products support it and are conformance tested at CableLabs
• With a simple port blocking strategy, you could make the Softswitch and MTA invisible on their signaling port

 I did get extensively quoted in one article but they mis-spelled my name.  So far, I’ve only consumed a few nanoseconds of my 15 minutes of fame.

This morning Business Week weighed into the ongoing Pena/Moore story with their article “Is Your VoIP Phone Vulnerable?” Given that the article covers mostly familiar ground (and, like most articles in the mainstream press, brings up the fear of SPIT), the significance to me is not so much the content as it is the fact that it is in Business Week, which is well read and highly regarded within at least North American corporate leadership. I do agree with the conclusion:

Businesses would do well to consider the threats on the front end, given how fast VoIP adoption is growing. Although only 5% deploy VoIP companywide, 87% of companies are using VoIP in some capacity. Numbers like that may be too alluring for hackers to pass up.

Security should definitely be considered as part of a VoIP rollout plan - and you definitely need to be asking your vendor / reseller about the security of the VoIP system you are looking to implement.

The challenging part about this article - and most others I have seen on the subject in recent days - is that it lumps everything into a broad “VoIP” category while the reality is that there are definite differences between enterprise VoIP systems and the consumer / wholesale VoIP market. Now I don’t personally work in the consumer/carrier/service provider space, so I can’t really speak to that space, but I do see more and more “VoIP providers” popping up offering wholesale termination services. From an outsider’s point-of-view, it looks a bit Wild West-ish and in that cauldron of competition, I could easily see some newer entities overlooking security in the rush for the gold. However, through communication among VOIPSA members, I know that there are certainly service providers who do have a clue and are offering secure services. Unfortunately all get tarred with the same brush.

That same brush in articles like this unfortunately tars all of us on the corporate enterprise side as well. And I suppose the same “Wild West” image could be applied to a certain limited degree given the number of small startups launching various IP-PBXs. But that’s not the overall reality. While many of those new entrants are thriving, still most corporate enterprises are buying their phone systems from a limited range of vendors: 3Com, Alcatel, Avaya, Cisco, Mitel, NEC, Nortel, Polycom, Siemens… and probably a few others who I am forgetting right now. The point is, though, that within the enterprise market most all of us are offering VoIP systems that do provide security against many if not most or all of the threats outlined in the VOIP Security Threat Taxonomy (some of those vulnerabilities lie in the corporate network and so there is only so much we as vendors can do). Now each one of us will of course have our own reasons why our security is better than our competitors - and some are offering more security than others - but the point is that we do provide secure VoIP.

The challenge is that to those of us on the inside, the “VoIP industry” is this large space with lots of different segments and players. We can see the differences I outline (and many more). But to the larger business world, Voice over IP in general is so new that everything gets labelled as “VoIP”. That will change over time… and really it falls to organizations like VOIPSA and others to help in that education.

In the meantime, articles like this one in Business Week will hopefully at least cause business to ask questions about the security of their VoIP products - and VoIP services. To me, that’s a good thing.

[Full disclosure: I work at Mitel.]

The New York Times is reporting a story about Edwin Andres Pena, a 23 year old Miami resident who was arrested today by the Federal government. The Feds allege that Pena was involved in a scheme to sell discounted Internet phone service by breaking into other Internet phone providers and piggybacking connections through their networks unbeknowst to them. According to the story:

To evade detection, Pena is said to have hacked into computers run by an unsuspecting investment company in Rye Brook, N.Y., commandeered its unprotected servers and re-routed his phone traffic through them. These steps made it appear as if that company was sending calls to more than 15 Internet phone companies.

In one three-week period, for instance, prosecutors say that one of the victimized Internet phone providers, based in Newark, received about 500,000 calls that were made to look as if they came from the company in Rye Brook. The Newark company was left having to pay $300,000 in connection fees for routing the phone traffic to other carriers, without receiving any revenue for the calls, prosecutors said.

You can read the entire story here.