Hackers Are Discovering a New Frontier: Internet Telephone Service
By KEN BELSON, NY Times

Most new technology comes with risks, no matter how great the advantages. Computers, for instance, can store huge amounts of information, but they can also freeze, crash and melt down.

The challenge is no different with Internet phones, which more and more consumers and businesses are using. The phones break voice conversations into data packets and route them over the Internet, a cheap and more flexible alternative to traditional phone calls that travel over copper wires.

But Internet phones and the routers and servers that steer and store the digitized calls are susceptible to the bugs, viruses and worms that have plagued computer data systems for years. Already, a few malicious attacks have shut down corporate Internet phone networks, disrupting business at a cost of millions of dollars. With Internet phones, hackers or disgruntled employees with access to a company's phone server can eavesdrop on conversations by surreptitiously installing software that can track voice packets.

Worse, tapping phones by hacking into servers and hard drives is easier than wiretapping, which requires special equipment and more effort. Now, hackers can eavesdrop on hundreds of calls without ever leaving home.

In theory, hackers can listen in on anyone's conversation, including those of ordinary consumers using a commercial Internet phone service. Hackers, though, are more likely to focus on a business's Internet phone lines to glean information that can be used for profit.

Internet security experts and phone makers say that the amount of damage thus far has been minimal and is hard to quantify because the technology is so new and few companies want to disclose problems. Hackers, too, have mostly focused their attention elsewhere.

But anecdotal evidence and the history of trouble with data networks suggest that it is only a matter time before the number and seriousness of the attacks increases as more companies start digital phone systems and merge them with their data networks.

"Once you are running an Internet phone network, all those threats you worry about in the data world will be transferred to the voice world," said Joe Seanor, a security consultant for Avaya, a leading maker of Internet phones and equipment. "Voice over Internet phones are not in the spotlight of hackers yet, but in this voyeuristic world, if someone can listen in on people's conversations and get a thrill, they will."

The convergence of data and voice networks, while a significant savings for companies, leaves them vulnerable to hackers who could bombard systems looking for a weakness in the security protection and angry workers who could sabotage an employer's computers and equipment that route Internet calls.

In the first case, hackers can disrupt phone traffic by devising programs that look for holes in firewalls. Fast-moving programs like MyDoom or Slammer can bypass a network's armor and flood its servers with huge amounts of data, causing them to crash and potentially cutting off phone service.

Hackers might also devise packets to look like voice packets to trick tougher security programs. These packets can carry MyDoom Trojan horses, viruses, worms or some combination. In one recent case, a branch of a major insurer in the Northeast with about 1,000 Internet phone lines lost voice service for eight business hours because a worm jammed its servers, costing the company hundreds of thousands of dollars. In another case, a worm infected the voice and data systems at a bank branch also in the Northeast that had 500 Internet phone lines, disabling the company's trading floor, leaving it with about a million dollars in losses, according to the company's security provider.

Both firms did not want to be identified lest they become targets again. But both learned their lesson and installed software to block intruders from Mirage Networks, in Austin, Tex., which has created software that stops "rapidly propagating threats" by tracking their behavior and rejecting any malicious packets.

"You can spoof a packet and insert myself into a communications flow," said Grant Hartline, the director of systems engineering at Mirage Networks. "This kind of threat has been around a while for data, but now it will move into voice. As you see a broader acceptance of voice over Internet, you'll see more spoofs."

Spoofs that shut down servers are not the only threat. Once inside a company's firewalls or even on a consumer's computer, hackers can use software to scan files in a server looking for Internet phone packets. One such program called Vomit, which stands for voice over misconfigured Internet telephony, reassembles voice packets to allow people to listen in on conversations.

Hackers might be looking for a cheap thrill by tapping into a company's phone servers, but they might also be listening to corporate meetings and gathering information that could be resold to a rival company.

Tapping conversations carried over commercial Internet calling services provided by companies like Vonage and AT&T, is harder because those providers have their own security controls. But a hacker could place a malicious program on an individual phone user's computer, which would essentially give a hacker remote control over the computer and allow him to read e-mail messages and listen to voice calls.

Internet phone services that are installed in a corporation's own data center are also susceptible to internal sabotage by employees who have inside knowledge of a company's systems.

The best defense against sabotage, experts say, is to install encryption software and to keep access to the codes to only a small circle of employees. When that fails, companies may have to resort to steps like "deep packet inspection" to filter out malicious packets.

"If we know a worm is out there, we know to look for it," said Sue Spradley, president of the wireline group at Nortel Networks.

When trouble strikes, she said, Nortel can find and fix problems in one corner of the network without having to shut the entire system down.

Most major Internet phone providers like Vonage have teams of security managers who spend their days preparing and repelling attacks.

Companies that manage their Internet phone systems internally but do not have sufficient security or backup facilities are the most susceptible to attack. Some companies faced with that threat are outsourcing their phone services to specialists that operate data centers with multiple layers of security, back up power and 24-hour surveillance.

Still, nothing may dissuade hackers from seeing Internet phones as the next big challenge.

"We assume that natural or people disasters will happen," Ms. Spradley said. "We don't assume whether they will happen, but when."