Don't Touch the VoIP, Experts Warn
CAMBRIDGE, England, Jan. 27, 2006 -- A group of communications experts has discovered a worrisome security loophole in voice-over-Internet-protocol (VoIP) applications such as Skype and Vonage that could give criminals operating on the Internet a better way to cover their tracks.
The Communications Research Network (CRN) is a community of industry experts, academic pioneers and policymakers working on mapping and shaping the future of the communications industry. Funded by The Cambridge-MIT Institute -- a joint venture between Cambridge University and the Massachusetts Institute of Technology -- the CRN runs numerous working groups on key issues facing the communications industry. The CRN's working group on Internet security, led by Jon Crowcroft, a professor of communications systems at Cambridge, has discovered that VoIP applications could provide excellent cover for launching denial-of-service (DoS) attacks, in which networks are brought down by flooding them with emails.
The scale of the denial-of-service problem is notoriously difficult to assess. Many attacks are simply not reported, because organizations fear they may undermine client confidence in their security. The number of "zombie" computers being used to carry out these distributed DoS attacks is another unknown, but estimates range in the millions. Security failures on these computers have allowed criminals operating on the Internet to take control and install malicious software without the owners' knowledge. The software is generally used for sending large amounts of unsolicited email (spam) or for transmitting large amounts of low-level uncontrolled traffic in a distributed denial-of-service attack.
Armies of zombie computers can be hired for relatively small amounts of money on the black market, and the attack command is usually given via instant messaging. Internet service providers (ISPs) are currently able to survey the instant-message servers and to ascertain from the traffic where the control is coming from and where it is going, even to anticipate an attack. However, if the control traffic were to be obfuscated, catching those responsible for DoS attacks would become much more difficult -- perhaps even impossible.
The Communications Research Network's working group on Internet security has observed that VoIP tools could offer very good cover traffic for DoS attacks because VoIP runs continuous media over IP packets. The ability to dial in and out of VoIP overlays allows for control of an application via a voice network, making it almost impossible to trace the source of an attack. In addition, proprietary protocols -- intended to protect a company's technology edge and prevent those ISPs who are also telephone companies from blocking the VoIP application -- inhibit the ability of ISPs to track DoS activity. Encryption for user privacy, peer-to-peer operation and a superpeer system to assist with call routing and NAT/firewall traversal further obscure the command traffic.
"While these security measures are in many ways positive," says the CRN's Jon Crowcroft, "They would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks. Although one could slowly shut down and patch or upgrade the exploited machines, it would be much harder to find affected computers and almost impossible to trace the criminals behind the operation."
Although there has yet to be a recognised instance of a VoIP-coordinated DoS attack, the CRN believes it is only a matter of time before the technique becomes mainstream, and has shared its findings with the VoIP community before going public.
If left unresolved, this loophole in VoIP security won't just decrease the likelihood of DoS detection and prosecution -- it could also undermine consumer confidence in VoIP. Crowcroft suggests that the loophole could be resolved if VoIP providers were to publish their routing specifications or switch over to open standards. These measures would not only allow legitimate agencies to track criminal misuse of VoIP; according to Crowcroft, there's also a clear business case for their implementation. If VoIP providers such as Skype were to interwork with instant-messenger tools that now offer voice, they could stand to increase their market share. And if the routing specifications were to be more transparent, those ISPs who are not telephone companies could traffic engineer for VoIP traffic, delivering a better quality of service to VoIP users.
'Good' Guys Prevail
The scale of the DoS problem is already difficult to assess and combat, and that's without the widespread exploitation of VoIP cover. Despite the enormous cost to business, many attacks are simply not reported because organisations fear they may undermine client confidence in their security. One of the CRN's key recommendations is for the establishment of a central database where companies and individuals can log attacks anonymously, thereby allowing the communications industry to assess the scale of the problem and identify patterns of attack.
"Criminal activity on the Internet should be a notifiable event, with registration on a central database," said CRN Chairman, David Cleevely. "It's important to remember that there are more of us good guys than there are bad guys. The more we share information between us, the more we stay ahead of the game."
For more information, visit: www.communicationsresearch.net