The Macrosite for News, Analysis and Opinion about the Future of the Internet
Ira Winkler

Ooma CEO Wants Hackers to 'Bring it On!'

Written by Ira Winkler
12/10/2007 3 comments

On a recent flight, I was reading USA Today, and I saw an article about a VoIP service called Ooma Inc. For a while, I was intrigued. It even has Ashton Kutcher, the executive producer for the MTV celebrity prank show Punk'd, as its "Creative Director." Why his involvement is important to the company, aside from a marketing stunt, is beyond me. But I guess everyone needs a gimmick.

Then I came to the point in the article where it said Ooma's technology runs over peer-to-peer (P2P) networks, and that calls go out through the local phone lines of other random Ooma subscribers. Now I know why Kutcher is involved. Dude, if you take the service, you'll be punk'd.

Fundamentally, you buy an Ooma hub box for $399, plug it into your Internet connection, and you get free domestic phone calls for life. The technology basically routes the call from your home box to other VoIP users and to national and local landlines via a P2P network. The assumption is that each Ooma box is part of Ooma's national network. The box in your home, for instance, is used to terminate someone else's call onto your landline, even though you can't hear that call.

It makes great use of P2P technology, and of course we have seen how secure that is. Even if you assume that the calls are encrypted within the P2P network, the two fundamental issues are the security of the underlying software/hardware and, most importantly, the ability of a subscriber to monitor what goes in and out of his/her own telephone line, which is where the encrypted leg ends.

So, I decided to conduct some research on the service's security. I called Ooma's online customer service, and they couldn't find anyone from technical support who could answer my questions. I called Ooma's headquarters, left a message, and never received a return call. However, I did find a link to a podcast interview where Ooma's CEO, Andrew Frame, talks about Ooma's security.

I went to Ooma's Website to see how it addressed my concern. I found the following definitive quote about calls being private and secure (under Top 10 Tech FAQs): "Ooma has been engineered to detect and thwart third-parties from being able to listen in on your phone calls. As a result, Ooma is no less secure than a traditional landline." Having previously worked at the National Security Agency (NSA), this was all I needed to know.

See, Ooma is actually less secure than a traditional landline. By using Ooma, your call would be going out over the landline of a complete stranger, making it theoretically subject to eavesdropping. I can see those with criminal intent agreeing to be an Ooma subscriber, so they can eavesdrop on calls being routed through their Ooma box. They could listen in on people giving out their personal account information, credit card numbers, and other sensitive details. Technically, though, I wonder if it is illegal to eavesdrop on your own telephone line. For the record, Ooma does not perform a background check on potential subscribers.
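To make that point concrete, here is a small model of the call path as the article describes it. This is an added illustration, not Ooma's code and not anything Ooma has published; it assumes that the overlay encrypts between hubs and that the terminating hub decrypts before driving its owner's analog line (it has to, since the phone network only carries audio). The cipher is a toy HMAC-in-counter-mode stream, the phone numbers and "audio" bytes are constructed, and every function name is mine.

```python
"""Toy model of a P2P VoIP call that terminates on another subscriber's
landline. Added example; the hub behaviour is an assumption drawn from the
article's description, not from any Ooma documentation."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in for the call audio (what a caller might read out).
SAMPLE_AUDIO = b"card number 4111 1111 1111 1111 exp 12/09"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Which cipher the overlay
    really uses does not matter here; only where its protection ends does."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) with the toy stream cipher."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


@dataclass
class Observation:
    point: str      # where an eavesdropper would be sitting
    payload: bytes  # what passes that point

    def sees_plaintext(self, audio: bytes) -> bool:
        return self.payload == audio


def route_call(audio: bytes, session_key: bytes, nonce: bytes,
               caller_number: str, relay_owner_number: str,
               callee_number: str) -> dict:
    """Walk the call from the originating hub, across the overlay, to a
    terminating hub that places it on its owner's analog line, and record
    what is visible at each hop (assumed architecture, see lead-in)."""
    # Overlay leg: relay peers only ever see ciphertext.
    ciphertext = xor_crypt(session_key, nonce, audio)
    overlay = Observation("relay peer (overlay only)", ciphertext)

    # Terminating hub: must emit plain audio onto the PSTN, so it decrypts.
    # A tap on that subscriber's own line sits after this step.
    plain = xor_crypt(session_key, nonce, ciphertext)
    analog = Observation("terminating hub owner's analog line", plain)

    # The phone network sees the landline that carried the call, not the
    # hub that originated it (assumption consistent with the article).
    pstn_record = {"from": relay_owner_number, "to": callee_number}

    return {"overlay": overlay, "analog_line": analog,
            "pstn_record": pstn_record, "true_caller": caller_number}


if __name__ == "__main__":
    result = route_call(SAMPLE_AUDIO, b"k" * 32, b"n" * 12,
                        caller_number="555-0100",
                        relay_owner_number="555-0199",
                        callee_number="555-0150")
    for obs in (result["overlay"], result["analog_line"]):
        print(f"{obs.point}: plaintext visible = {obs.sees_plaintext(SAMPLE_AUDIO)}")
    print("PSTN record attributes the call to", result["pstn_record"]["from"],
          "(actual caller:", result["true_caller"] + ")")
```

Run it and the relay peer reports no plaintext while the terminating line reports plaintext: the encryption claim and the eavesdropping risk are both true at once, because they cover different legs of the same call. The PSTN record is the second consequence of the same design, namely that the call is attributed to whichever stranger's line it happened to leave on.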

Normally, I wouldn't give out hints on how to commit criminal acts. However, Ooma's CEO proudly states that he thinks the system cannot be broken, and he challenges hackers to "Bring it on!" You can listen to Frame's podcast interview to hear the quote for yourself. Just so you don't have to listen to the whole commercial pitch, the security discussion is about 15 minutes into the video, and lasts about a full minute. That's how much they care about security, or, better stated, how much they trivialize valid security concerns.

It has been my personal opinion that the only people who promise perfect security are fools or liars. Frame can decide which one he is.

Besides the risk of eavesdropping on calls routed through Ooma hub boxes, there is also the potential to compromise their underlying software or hardware. If Ooma turns out to be a success, they will definitely attract the attention of the "hackers" that Frame challenges. A few smart hackers out there will eventually find vulnerabilities in the product. The effects can be drastic, depending on the vulnerabilities found.

— Ira Winkler, Former National Security Agency analyst and author of Spies Among Us

Felipe Torres
Researcher
Wednesday December 12, 2007 10:41:01 AM

It is also important to consider what the best IT strategy is when dealing with security. There has been much research in this area involving game theory and other models. If hackers are incentivized to find vulnerabilities, such as by offering them rewards or buying the exploits found before they are released to the public, this will keep the company from suffering bad publicity and loss of credibility; however, this behaviour will eventually incentivize hackers to focus on this company to find vulnerabilities, and it will become a regular business between hackers and the company, creating a loss of revenue for all the security patches that will have to be fixed. On the opposite side, if the company does not encourage hackers to find vulnerabilities, it risks that any one found and exploited can cause big economic damage to the company's credibility and bad publicity, especially if what the company does is sell private information such as private communications.

Some companies don't offer any kind of incentive to hackers, others do; what is important here is that there has to be some kind of strategy to handle this, because rule number one of software development is that creating bug-free, perfectly secure software is impossible (it would need unlimited resources, hence impossible), so vulnerabilities are part of the software maintenance and upgrades which need to be addressed as a company strategy.

baloneypony
Rank: Cave Painter
Monday December 10, 2007 9:34:03 PM

If all a hacker has to go on is a verbal challenge, it's not much incentive (and not very brave of ooma). Where is the RSA-style $1 million reward from the ooma CEO, if he is so confident? And if they are so confident, why is the company making legal threats to those that publish information on how to eavesdrop on ooma P2P calls: http://www.goebel.net/technews/2007/09/ooma-closing-critical-website.html

Without a substantive reward, there isn't much of a challenge here, not all that much interest in this box (so not much fame to be had for a successful hacker), and so we aren't likely to see anybody put much effort into this.

Personally, I think the eavesdropping thing is a bit of a red herring and I'd rather they just admit it's possible, and we could all just move on. I think a potentially bigger issue is that criminals will use this system knowing ooma is providing a terrific CALEA smokescreen for law enforcement taps because the cops will be busy tracking down the innocent owner of the landline at the far end instead of the actual crook. In fact, one could use this just to get their enemies in trouble - calling in bomb threats from that line etc.

A tap circuit is shown here: http://oomahacks.blogspot.com/2007/10/eavesdropping-on-ooma-calls.html I built a passive tap as shown at http://www.unterzuber.com/tap.html and it worked, but I don't have time to fiddle with ooma just to show I can capture a call.

Paul Whyte
Researcher
Monday December 10, 2007 2:13:34 PM

Many thanks Ira for your great concern over security. In this day and age where consumers are searching for cheaper rates for services, especially via the internet, the issue of personal security can often times be overlooked. Even though I agree with what you said that only fools or liars will promise perfect security, I'm also of the opinion that vulnerabilities to our personal security through internet service providers should be reduced to the barest minimum.

Having gone through Ooma's website and reading some of the answers they gave on the most FAQs, I'm also very doubtful of how secure their system is. I believe eavesdropping will be a potential downside of the system. But rather than be too critical, I believe it's time for some very smart hackers out there to accept the challenge which Ooma's CEO had issued. Whatever vulnerabilities they will discover will help Ooma improve their product.

For now at least the product seems to get high ratings from the media and consumers. Reading an article in USA TODAY titled "Want a free phone? Make rooma for ooma," writer Edward C. Baig thinks that ooma has a great future and would ultimately make monthly phone bills a thing of the past. With so many people hoping that in future the internet would make it possible to get services at much cheaper rates, then ooma could be just one of the several internet service providers that can make it happen for us.
