Mark Spencer is the developer of Asterisk, the most popular open source software implementation of a private branch exchange (PBX). Like any PBX, it allows multiple phones connected to it to call each other. Calling out to the PSTN is also possible. The name comes from the asterisk symbol, "*", which is commonly used as a wildcard in the computer world. Spencer started developing Asterisk six years ago. In 1999 he ran the company Linux Support Services, which, as the name suggests, provided companies with support for using Linux.
Spencer's company had no money for a PBX of its own, which is why he started developing Asterisk. As the number of users of the software grew, he founded the company Digium, which handles the professional development of Asterisk. By now more than 300 people have contributed to the software's code.
Recently we interviewed network engineer and VoIP expert Luca Deri about the threats to VoIP; now we have asked Spencer what VoIP users should take into account in the future.
What are the biggest security threats for VoIP?
Security issues with VoIP generally fall into a few categories:
1) Improperly configured systems that allow unauthenticated callers to utilize resources like long distance trunks.
2) Traditional buffer overflow attacks against poorly written string parsing code.
3) Denial of service through transmission of arbitrary packets.
4) Ability to intercept call information or media through sniffing.
SIP as a protocol is especially weak on points #2 and #3. First, SIP relies heavily on text parsing which places an exceptional burden on the programmer to be especially vigilant when creating code to be sure not to allow any opportunity for a cracker to utilize a flaw to deny service to a system. Secondly, SIP's architecture is highly asymmetric in terms of where signalling and media packets travel. While this can allow for some more unusual call flows and media scenarios, it also means that an implementor has less control to be able to prevent unauthorized access.
Running SIP across encrypted systems like TLS / SRTP can strengthen some of these issues, however. IAX is designed to address points #2 and #3 more easily and can also easily provide encryption to address #4. The first line of defense -- proper configuration -- lies with the person doing the configuration.
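As an added illustration of point #1 and of "proper configuration" as the first line of defense (this is example configuration, not from the interview or from the Asterisk project), here is a chan_sip setup that lets unauthenticated callers reach the long-distance trunk, followed by the hardened form. The provider hostname, the secret, the extension number and the LAN range are placeholders.

```ini
; ===== WEAK: sip.conf =====
[general]
allowguest=yes                  ; chan_sip default: INVITEs from unknown peers are accepted
context=internal                ; ...and they land in the same dialplan as the phones

[trunk-provider]
type=peer
host=sip.provider.invalid       ; placeholder hostname
context=from-trunk

[1001]
type=friend
secret=CHANGE_ME                ; placeholder secret
host=dynamic
context=internal

; ===== WEAK: extensions.conf =====
[internal]
; anyone who can send an INVITE to this box can reach the long-distance trunk
exten => _1NXXNXXXXXX,1,Dial(SIP/trunk-provider/${EXTEN})

; ===== HARDENED: sip.conf =====
[general]
allowguest=no                   ; reject INVITEs that do not match a configured peer
context=public                  ; guest calls, if ever re-enabled, land here instead of internal
alwaysauthreject=yes            ; same rejection for unknown and known users, so account names cannot be probed

[trunk-provider]
type=peer
host=sip.provider.invalid
context=from-trunk              ; the provider can only reach the inbound context

[1001]
type=friend
secret=CHANGE_ME
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0   ; constructed LAN range: the phone may only register from here

; ===== HARDENED: extensions.conf =====
[public]
exten => _X.,1,Hangup()         ; unauthenticated callers get nothing

[from-trunk]
exten => _X.,1,Dial(SIP/1001)   ; inbound calls from the provider only ring the phone

[internal]
exten => _1NXXNXXXXXX,1,Dial(SIP/trunk-provider/${EXTEN})   ; only authenticated phones dial out
```

The difference that matters is where an unauthenticated INVITE ends up: in the weak version it is accepted and routed through the same context that can dial the trunk, in the hardened version it is rejected outright, and even a guest context would only be able to hang up.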
Some people worry that VoIP will be more susceptible to eavesdropping. Do you think this fear is justified?
Without proper encryption it's a potential concern, definitely, but with proper encryption it's even less possible than with traditional PSTN. The technology for encryption is there but it's not widely deployed and (especially as implemented in SIP) it's not that easy to administer and set up since it's not a simple "yes/no" option as it is with IAX, but instead requires the use of certificates and authorities.
More and more people are using Asterisk. Do you expect that because of this more security flaws will be found?
Open Source tends to make it easier to find and repair problems and it decouples the fixing process from a single vendor. We have seen surprisingly few security issues in Asterisk since its inception -- none major yet.
Phreaking was a big thing in the late seventies/early eighties; can we expect VoIP / Asterisk phreakers anytime soon?
I don't think it will be a substantial number of users. It appears that like many people, phreakers have on the whole found things more interesting than telephones to explore the limits of.
Did you design Asterisk specifically with security in mind?
I have certainly kept security in mind in its architecture.
What can we expect in the future from Asterisk / Digium regarding VoIP security?
We have already created encryption and security for IAX and recently discovered that Asterisk can be used to block some security holes that exist in certain parts of the PSTN proper (although I cannot comment on too many details here at this time). We plan to support the SIP encryption model of TLS and SRTP sometime this year.