The fusion of omnipresent telephony and the Internet has brought about Voice-over-IP (VoIP) as a very cost-efficient and location-independent new medium for voice communication. The transfer of telephony functions to the open Internet world also brings about new challenges and threats. The central ones such as call confidentiality and integrity on the level of single data packets have been addressed at an early stage in the design of the VoIP Internet protocols. However, it is possible that major security issues of the Internet ‘spill over’ to the business-critical telephony functionality.
Spam over Internet Telephony (SPIT) is viewed by many as a daunting threat in that field. SPIT is much more severe than email spam, because the annoyance and disturbance factor is much higher. Various academic groups and the industry have made some efforts to find ways to mitigate SPIT. Most ideas in that field lean on classical IT security concepts such as intrusion detection systems, black-/white-/greylists, Turing tests/computational puzzles, reputation systems, gatekeeper solutions, etc.
SPIT is in everyone’s mouth though not yet in everyone’s ears. That is, the phenomenon has not yet (as far as we know) emerged in real-world VoIP installations or networks. We identified the lack of a benchmark testbed for SPIT as a serious gap in the current research on the matter, and this motivated us at the Fraunhofer Institute for Secure Information Technology SIT to start working on a first tool for that. We (AUS together with Nicolai Kuntze and our student Rachid El Khayari) developed a SPIT-producing benchmark tool that can attack anti-voice-spam solutions. With this tool it is possible for an administrator of a VoIP network to test how vulnerable his system is. The main task of the SIP XML Scenario Maker (SXSM) is to simulate operations on the signaling plane of VoIP, i.e. the SIP protocol, through which voice terminals make contact and negotiate communication parameters and which is considered the main gateway for attackers. In our recent paper at the Information Security South Africa Conference (ISSA, www.infosecsa.co.za), available on arXiv at arxiv.org/abs/0806.1610v1, we show how SXSM can be used conveniently to attack VoIP systems, for instance by simulating the behaviour of known and trusted devices.
The tool will soon be made available on the Institute’s website at www.sit.fraunhofer.de under GPL v3. Currently we are starting to evaluate first SPIT protection tools and products with it.