Reality, Hype, Paranoia and Marketing: Just Another Day in VoIP Security
9 August 2006
Welcome to the second issue of the Market Clarity newsletter. This short publication is designed to alert our colleagues and customers to new research and Market Clarity news. In addition, we will provide regular feature articles giving an in-depth discussion of relevant Market Clarity research findings.
- New Service: Market Clarity’s Aussie VoIP List
- New Research: Voice Market Analysis
- Feature Article: Deflating the “VoIP Spam” hype
- Sponsorship Opportunities
Market Clarity is thrilled to announce a new free service for Australian VoIP users: a comprehensive directory covering more than 200 VoIP service providers in Australia.
- Residential services;
- Business VoIP services;
- Hosted voice (IP Centrex) services; and
- Wholesale VoIP services.
With 112 services aimed at residential customers, more than 100 services targeting SMEs, 25 IP Centrex services and 38 wholesale services, Market Clarity believes the Aussie VoIP List is the most comprehensive list of Australian VoIP providers available today.
Market Clarity is committed to the active maintenance of the Aussie VoIP List. We regularly visit each service provider listed in the directory, removing organisations which no longer exist or no longer offer the services listed here, and we are happy to receive notifications from service providers to add new services or correct errors.
Market Clarity has released new research which analyses the supply side of Australia’s voice services industry.
As well as documenting the extremely rapid growth in the VoIP market, the study ISPs: The New Vanguard of Retail Voice Services identifies the rapid rate at which ISPs have adopted voice services as the value-add of choice alongside their traditional offerings.
To undertake this study, Market Clarity examined the services of nearly 250 companies offering retail and wholesale voice services in Australia.
As the Figure below shows, ISPs now comprise more than 28% of the companies offering VoIP services in Australia. There’s a very strong convergence between the Internet and the voice market: of nearly 550 ISPs in Australia, at least 161 also offer voice services, including fixed voice, VoIP and mobile services.
Market Clarity has been surprised by the rapid expansion in the number of companies offering either retail or wholesale VoIP services: from a handful of providers in 2004, the VoIP market has now reached 201 providers delivering 189 retail and 38 wholesale services.
This growth has been largely overlooked in mainstream coverage, which concentrates on a small handful of high-profile names in the VoIP market. An expanding number of wholesale VoIP services, which make it easy for ISPs to add VoIP to their service offerings with a minimum of effort, has encouraged ISPs to launch VoIP services.
However, ISPs are not restricting themselves solely to VoIP: Market Clarity found that nearly 100 ISPs also offer preselect and PSTN resale products.
ISPs: The New Vanguard of Retail Voice Services is available now from Market Clarity for $995 plus GST.
A couple of years ago, it was almost impossible to sustain a debate about VoIP security, even in the face of some high-profile incidents. Today, the trick is to sift reality out of the noise.
In Australia, for example, a marketing agency had its IP-based phone system taken off the air during 2003 due to a denial-of-service attack that clogged its broadband pipe. The attack wasn’t directly on the phone system, but since the phone system shared the company’s Internet connection, hosing a single pipe was enough to down the telephones as well.
At that time, however, the debate could not get “wings”, simply because in the IT media, the golden rule is that there’s no story if there’s no product to sell. Without vendors to offer a solution, there’s no advertising money in the story.
So in 2003, there was almost no VoIP security debate.
In 2006, the story is different. Plenty of people have something to sell, plenty of companies have already bought VoIP systems, and with a ready market for products and prognostications, there’s a steady stream of VoIP security stories.
Most of the VoIP security debate, however, is dangerous because real issues are sidelined to make room for products backed by a vendor with a sales pitch.
To help you avoid wasting time and money on non-issues, Market Clarity is going to deal with some of the myths of VoIP security. To cover everything will take some time, so I’m going to focus this brief article on a topic that’s making headlines – VoIP Spam.
There is a fundamental difference between VoIP and e-mail, which makes spamming easy on one, and difficult on the other.
If I use e-mail to spam, there is never any need for a real-time connection between the recipients and me. The sender dispatches a message into the network, with a thousand or a million addresses in the “To:” field, and the Internet’s e-mail infrastructure takes care of the rest.
If the message is in text, there is not even that much traffic involved. A kilobyte of message is trivial; and even a million addresses could fit into tens of megabytes.
The recipients get my advertisement some time later; the sender (whose address is obfuscated anyway) does not need to be online for the message to be delivered. And with Trojan software installing spam zombies, there may be no way to associate the message with its source.
The process is also fast. If I start with a mailing list, I might need only an hour to dispatch the message. There is no linear relationship between the number of recipients and the time it takes to send the message (and if the work is being done by a zombie, the real sender may only need a few minutes to soak the Internet with more new ads, phishing schemes, or whatever).
At the other end, the recipient only has a direct connection to an e-mail server. There is no “signal path” between spammer and victim – and nothing happens in real time.
VoIP is different to e-mail: it puts the originator of the call and the recipient in much closer contact. A Skype user, for example, is in a peer relationship in a conversation: communication is end-to-end and real-time.
Even if the recipient of the VoIP spam is a voicemail box, there is an end-to-end, real-time session involved.
Let’s look at what’s needed for a caller to arrive at someone’s voicemail:
1) Dial number – since this is automated, the time budget at the source is effectively zero;
2) Network establishes session – the signalling lag in VoIP networks is highly variable. I have known it to take ten seconds. Let’s allow a time budget of five seconds for a ring at the far end.
3) Client answers call – Since we’re sending a voicemail spam, we need to wait for the voicemail pickup delay: fifteen seconds at least.
4) Recipient system plays voicemail welcome message – Allow another ten seconds.
5) Record message – Say ten seconds of unwanted advertisement.
6) End call.
That’s a time budget of 30 seconds to deliver one VoIP spam. For 100,000 messages, that’s a time budget of over a month, compared to an hour to send one e-mail spam to 100,000 targets.
Clearly, to deliver 100,000 messages, I need lots of sessions to happen simultaneously — but even using zombie clients to broadcast SIP sessions, there is a huge efficiency gap.
For delivering messages on a large scale, e-mail spam is far more efficient, in terms of system time, than VoIP spam.
Risk to the Spammer
VoIP spam also involves a much greater risk to the spammer: the source of the messages is exposed in a way that an email spam source is not.
Let’s imagine a feasible zombie that would work on a home PC, capable of running 100 sessions simultaneously. Instead of opening one session to the SMTP host, it’s opening hundreds of SIP sessions to hundreds of destinations, and holding those SIP sessions for as long as it takes to deliver the message.
But here’s the stinger.
Imagine the message itself — the item of spam we’re working so hard to get through to VoIP users — is just ten seconds’ worth of “Call now for an Unwanted Product!” using an 8 Kbps codec. That’s 10 KB per message; and delivering 100,000 messages means 1 GB of data from the source machine in a day.
A lot of users in a lot of countries simply won’t get that far: their service will be throttled back to 64 Kbps, and as far as a useful VoIP spam zombie goes, forget it.
Moreover, even the dullest of ISPs is going to notice if its customers suddenly reverse their normal behaviour and start uploading their entire month’s traffic in a day.
A machine that’s behaving so unusually for hours is not that hard to track down and shut down.
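The ISP-side signals described above (a home PC holding about 100 SIP sessions open to many different destinations, and a day's upload out of line with the subscriber's usual month) can be checked over one day of session records. This is an added example, not part of the original newsletter; the record layout, thresholds, baselines and subscriber names are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

def peak_concurrency(intervals):
    """Largest number of sessions open at once, from (start, end) pairs."""
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    peak = cur = 0
    for _, delta in events:  # at equal times an end (-1) sorts before a start (+1)
        cur += delta
        peak = max(peak, cur)
    return peak

def flag_sources(sessions, monthly_upload_baseline, max_concurrent=20, max_dests=50):
    """Return {subscriber: [reasons]} for one day's SIP session records.

    sessions: (subscriber, start_s, end_s, destination, bytes_uploaded) tuples.
    Thresholds are illustrative assumptions, not values from the article.
    """
    by_sub = defaultdict(list)
    for sub, start, end, dest, up_bytes in sessions:
        by_sub[sub].append((start, end, dest, up_bytes))
    flagged = {}
    for sub, recs in by_sub.items():
        reasons = []
        if peak_concurrency([(s, e) for s, e, _, _ in recs]) > max_concurrent:
            reasons.append("concurrent_sessions")
        if len({d for _, _, d, _ in recs}) > max_dests:
            reasons.append("destination_fanout")
        # No baseline on record means the upload check is skipped for that subscriber.
        if sum(b for *_, b in recs) >= monthly_upload_baseline.get(sub, float("inf")):
            reasons.append("month_of_upload_in_a_day")
        if reasons:
            flagged[sub] = reasons
    return flagged

def sample_day():
    """Constructed records: one ordinary subscriber, one behaving like the zombie."""
    sessions = [("sub-A", 100, 400, "sip:x", 300_000),
                ("sub-A", 5000, 5200, "sip:y", 200_000),
                ("sub-A", 9000, 9100, "sip:x", 100_000)]
    # sub-B: 10 waves of 100 parallel 30-second sessions, 10 KB each, all new destinations
    for wave in range(10):
        for i in range(100):
            sessions.append(("sub-B", wave * 30, wave * 30 + 30,
                             f"sip:u{wave * 100 + i}", 10_000))
    return sessions

BASELINE = {"sub-A": 50_000_000, "sub-B": 5_000_000}  # assumed typical monthly upload, bytes

if __name__ == "__main__":
    print(flag_sources(sample_day(), BASELINE))
```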
Sure, I could build an infrastructure that could launch a VoIP Spam campaign. I would only need two things: a huge SIP broadcast server, and somewhere to host it. But spammers don’t like spending that kind of money (that’s why they love Trojans and zombies), and a single host would be even more vulnerable to discovery and retaliation than the ineffective zombies.
And blocking SIP sessions from a spam host would be trivial compared to blocking e-mails from spammers.
The final point is this: once the recipient’s phone is tied up, the effectiveness of the next call is reduced. The spammers can’t soak the VoIP inbox the way they can soak the e-mail inbox.
Will people use VoIP for telemarketing? Sure: it happens already. But the next step, of creating an analogue to e-mail spam that uses VoIP, is a fabrication created solely to get airtime for vendors and analysts who know better.
Market Clarity can help: with our unique combination of technical and editorial expertise, we can provide technical how-to and background documents, which clearly explain new technologies and service offerings.
We can offer:
- Completely independent White Papers and Technology Guides, which clearly explain the technology choices facing your customers, to help them choose between service offerings
- Professional writing, editing and presentation
- Technical expertise
For an example of similar projects, take a look at Market Clarity’s free Technology Guide, Demystifying Layer 2 and Layer 3 VPNs.
Shara Evans, CEO of Market Clarity, has a busy conference schedule – which will give you, our customers and readers, plenty of opportunities to hear about our research studies. Here is her current speaking calendar:
How Will MVNOs Reshape the Australian Telco Market?
IQPC MVNO Summit
30-31 August 2006
The Australian Broadband Market – Positioning Satellite Services
ATUG 2006 Satellite Forum
22 August 2006
The Australian Technology Park
Eveleigh NSW (Sydney)
What is the role of Wireless in the World of Next Generation Networks?
ACIF Forum – Future Wireless
22 August 2006
Baker & McKenzie
Level 27, 50 Bridge Street
SPAN-CommsDay Awards Dinner
Market Clarity has been named as a finalist in the “Services to the Industry – Professional Services” category.
SPAN-CommsDay Awards Dinner
31 August 2006
Grand Ballroom, Four Seasons Hotel
199 George Street
For more information and links to conference registrations, visit Market Clarity’s Events page.
Recent speaking events include:
- IIR – Broadband over Power Lines in Australia
- ACE – VoIP and IP Communications
- Terrapinn – VoIP World
Research papers from these events are available for purchase.