Verizon VoIP House Phone Hub

By lisa89 at 4:37 pm on January 27, 2009 | 2 Comments

Nowadays, traditional phone service is not widely used. As stated in an article from http://www.technewsworld.com, “VoIP phones are growing in popularity — and 20 to 25 percent of customers are canceling home phone service.” To retain its customers and compete with other companies such as the cable television companies, Verizon launches a VoIP house phone hub that provides many special features.

This VoIP phone must be plugged into a router. The VoIP house phone handset connects to its hub, which offers applications such as navigation. The hub has a constant Web connection and can browse local traffic, weather reports, and online calendaring.

Assets and security goals

  • The first asset is the hub's ability to make it easier for a busy family to manage its schedule. As stated in the summary, the VoIP hub is capable of navigation, schedule management, and showing the weather and current traffic, and it also works as a regular phone.
  • The device's wireless link has to be secure. The wireless link of this VoIP phone is used to send navigation directions to the Verizon Wireless phone. Thus, if the wireless link is not secure, a third party can hack into it and give the user wrong directions, possibly directing them to dangerous places.

Potential adversaries and threats

  • Since the VoIP hub has a constant web connection, an attacker has plenty of time to try different techniques for getting the user's private data. The attacker could obtain their voice mail, contact list, or calendar.
  • The VoIP hub provides a companion website where the user can change the calendar or add new contacts, which are then synchronized to the VoIP phone hub. If a malicious person has access to the account, he/she would be able to change the content or even delete the important contact list.
  • Ticket-buying is a good feature of the VoIP house phone hub; however, hackers could buy many tickets, which increases the expense for the user.
  • The Verizon Wireless phone can get navigation directions from the VoIP hub. However, if the attacker compromises the system, he/she can direct the user to the wrong place or a dangerous location.

Potential weakness

  • There could be an insider threat. An employee might write code that gives them easy access to the user databases or administrator privileges on the system.
  • If the companion website requires a password, this can be a weakness: for a home phone system, people will use a weak password combination because the whole family needs to memorize the password.
  • V Cast content will be available on the hub to display pictures when the phone is not in use. An attacker could potentially steal the personal pictures or abuse the display to show bad pictures.
  • Since the phone hub and handsets communicate wirelessly, a malicious person could acquire the data if it is not encrypted.

Potential defenses

  • The Verizon VoIP home phone hub allows users to keep their contact list and change their calendar schedule online. Thus, in order to change the contact list or the calendar, they have to type in a password. This makes it harder for a third party to tamper with them.
  • Wireless is unsecured. Thus, the data has to be encrypted in order to have safe wireless file transfer. With encryption, a third party will have to decrypt the file first in order to alter the data.
  • The Verizon VoIP home phone can also preview local movies, and it allows the user to buy tickets through it. This can be a big disadvantage for users if people hack into the system and buy tickets using their phone, which will increase their financial cost. To prevent this, there should be a limit on ticket purchases.
  • The calendar and contact list are important to users. They would not want a third party to look at their schedule or contact list or to change them. Thus, one way to avoid that is for the user to register their email address and cell phone number in order to activate the phone. The system could then send a notification to the user's email and cell phone whenever they or other people change the calendar or contact list.
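The purchase limit and change-notification defenses from the list above, sketched as an added example (not Verizon's code and not part of the original review). The class, its method names, the limit values, and the in-memory outbox standing in for an e-mail/SMS gateway are all assumptions.

```python
import time
from collections import deque


class HubAccountGuard:
    """Hypothetical server-side guard for one hub account (all names assumed)."""

    def __init__(self, email, cell, max_tickets=4, window_s=24 * 3600):
        self.channels = (email, cell)   # registered when the phone is activated
        self.max_tickets = max_tickets  # assumed cap per rolling window
        self.window_s = window_s
        self.purchases = deque()        # (timestamp, ticket_count)
        self.outbox = []                # stands in for an e-mail/SMS gateway

    def _notify(self, message):
        # Alert both registered channels so one hijacked channel cannot hide it.
        for dest in self.channels:
            self.outbox.append((dest, message))

    def buy_tickets(self, count, now=None):
        """Allow the purchase only if the rolling-window cap is not exceeded."""
        if count <= 0:
            raise ValueError("ticket count must be positive")
        now = time.time() if now is None else now
        while self.purchases and now - self.purchases[0][0] >= self.window_s:
            self.purchases.popleft()    # drop purchases older than the window
        used = sum(n for _, n in self.purchases)
        if used + count > self.max_tickets:
            self._notify(f"Blocked purchase of {count} tickets: limit reached")
            return False
        self.purchases.append((now, count))
        return True

    def change_record(self, store, kind, key, new_value, source):
        """Apply a calendar/contact change (None deletes) and alert the owner."""
        old = store.pop(key, None)
        if new_value is not None:
            store[key] = new_value
        if new_value is None:
            action = "deleted"
        else:
            action = "changed" if old is not None else "added"
        # Report what changed and from where, without echoing the entry's value.
        self._notify(f"{kind} entry {action} via {source}: {key}")
        return old
```

Blocked purchases raise an alert as well, so the owner learns about attempted abuse and not only about changes that succeeded.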

Risk

  • As mentioned above, the VoIP hub can be used as a navigator. This can lead to the risk that the user is directed to a dangerous place.
  • Since the calendar can be changed online and the changes are pushed to the phone hub, an attacker can attack the web system to modify the entries. If an important appointment is changed, the user could potentially lose a business contract or their reputation.

Conclusions

Using the Verizon VoIP home phone hub may be convenient for many people. The calendar, contact list, weather, movie ticket purchases, and other features are all in this phone. However, there is a trade-off. As modern as the security system in Verizon's VoIP is, users also have to be aware of the worst case of using it. Awareness is the most important key to preventing bad things from happening.

Filed under: Security Reviews

2 Comments

  • 1

    Comment by nhunt

    January 29, 2009 @ 11:52 pm

    As more and more of our home appliances become “Internet friendly,” we become increasingly vulnerable to external attacks; while it may be easy to install a firewall on your home PC, how easy is it to do the same on your toaster/phone/refrigerator?

    As an example of the types of vulnerabilities these appliances can introduce, consider a product similar to the one described in the security review, the BT Hub Phone manufactured by a British telco. Their phones had a vulnerability that allowed malicious websites to initiate telephone calls to any number they desired, on the phone owner’s dime. In addition to the potential financial burden this can place on the callers, this attack also introduces the possibility of a social-engineering attack; from the phone owner’s perspective, it appears as though they are receiving a call. A malicious web site could easily claim to be the owner’s bank, and initiate a call to the attacker. The attacker could then convince the caller to reveal their financial information over the phone, leading to even more trouble for the user in the future.

    I think the root of the problem is the non-standardized software each manufacturer produces for their own products, rather than relying on existing software that has been more thoroughly tested. This results in a large number of insecure systems, rather than one system that becomes more secure each time a vulnerability is found. Companies that manufacture these types of products (especially those like the phone that encourage users to centralize all of their personal information) should make security one of their primary concerns, rather than an afterthought.

  • 2

    Comment by nhunt

    January 29, 2009 @ 11:54 pm

    Corrected link to the BT Phone Hub vulnerability: link
