[VOIPSEC] SPIT and vishing

Zmolek, Andrew (Andy) zmolek at avaya.com
Fri Jul 18 13:22:55 EDT 2008


> This will change.  More and more people are looking at how to link up 
> their SIP clouds in federations and other forms.  But until the time 
> comes when: a) there are tons of SIP servers exposed on the Internet; 
> and b) those servers allow connections from random SIP endpoints...  
> until that time, there's not a huge market potential for someone to   
> bother setting up a SPIT operation.

Dan's comment here is the key - and given the enterprise SIP deployment
trends we see today, it's likely that few if any SIP servers deployed at
the enterprise edge will be configured to accept such unauthenticated
connections. That doesn't mean SPIT won't be a problem at some point,
just that it's unlikely to ever become the unmitigated disaster that
SMTP mail is today. I fully expect to see 3rd party federation and trust
providers emerge down the road who will enable things like carrier
bypass without requiring wide-open SIP servers on the edge.

That said, the damage potential for a single piece of SPIT in terms of
resources and productivity losses (for the interrupt itself) is much
higher for a given piece of SPIT than for a piece of spam. My own basic rule
of thumb is that you've got perhaps a 100:1 ratio in play here (i.e. the
impact of a single piece of errant SPIT is roughly equivalent to that
of 100 email spam messages that get by your filter), and that is before
you add to the mix the fact that voice communications are EXTREMELY
latency-sensitive (I can hold a legitimate email for a few seconds to
check against a real-time spam service, but doing the same for a voice
call is a much more complex and intrusive undertaking). For that reason,
none of us in the industry can afford to ignore the SPIT problem
overall. In a sense, it's just an extension of the nuisance fax and
automated calling problem that exists in the PSTN today but is kept in
check somewhat by connection costs and regulatory surround.

As Dan points out, we as a community are woefully short of real research
in this area. Too much of the work done to date has been driven more by
personal or entrepreneurial ambition than academic or scientific
considerations. As the information security community matures beyond the
awkward teenage stage, I expect we'll see more meaningful analysis of
the trade-offs required to arrive at stable, cost-effective answers. 

/\\//\Y/\   Andy Zmolek  |  zmolek - at - avaya.com  |  303-538-6040
            Senior Manager, Security Planning & Strategy
            GCS Security Technology Development  |  Avaya, Inc.
