Purdue Investigates Vulnerability of VoIP
Professors Sonia Fahmy and Elisa Bertino are working with a group of researchers on a multi-university collaboration to develop a secure test bed to analyze vulnerabilities in Voice over Internet Protocol (VoIP). Their collaborators on the project are Professor Ram Dantu from the University of North Texas, Professor Henning Schulzrinne from Columbia University, and Professor Dipak Ghosal from University of California at Davis. The NSF has awarded the project $600,000, and Purdue will receive $95,000 to fund Fahmy and Bertino's efforts.
New services over the Internet, such as Voice over IP (VoIP) and IP-based media distribution (IPTV) are being aggressively deployed. These services operate on private and public IP networks, and share the network with other types of Internet traffic such as web traffic. Not only will these services reduce communication costs, but they will also pave the way for innovative, value-added, highly personalized services.
This type of communication is still vulnerable to security threats such as unpaid service usage and service disruption. Convergence of public switched telephone network and the Internet also introduces new vulnerabilities. VoIP is different from many Internet applications making it more vulnerable because it uses separate signaling and bearer sessions. Another characteristic of VoIP is that it generates real-time traffic so Quality of Service (QoS) must be maintained.
Despite the importance of VoIP and other new multimedia services, there is little data on the scalability and vulnerability of these services. Although a number of emulation testbeds and wide-area experimentation platforms are available at several universities, these testbeds do not include the equipment and software tools specific to multimedia security experiments. The testbed developed in this project will include IP phones, media proxies and media gateways.
Specific research projects planned for the proposed testbed at Purdue include Denial of Service (DoS) attack experiments, and security/Quality of Service tradeoff evaluation. A DoS attack designed to render a VoIP system useless is relatively easy to launch. Unlike traditional DoS attacks, attackers can cripple an IP phone by creating very few signaling messages per minute. Fahmy and Bertino will also investigate whether proposed security solutions impact the QoS of a session when a system is not under attack, while ensuring the QoS is maintained at an acceptable level when the system is under attack.