On a recent flight, I was reading USA Today, and I saw an article about a VOIP service called Ooma Inc. For a while, I was intrigued. It even has Ashton Kutcher, the executive producer for the MTV celebrity prank show Punk'd, as its "Creative Director." Why his involvement is important to the company, aside from a marketing stunt, is beyond me. But I guess everyone needs a gimmick.
Then I came to the point in the article where it said Ooma's technology runs over peer-to-peer (P2P) networks, and that calls go out through the local phone lines of other random Ooma subscribers. Now I know why Kutcher is involved. Dude, if you take the service, you'll be punk'd.
Fundamentally, you buy an Ooma hub box for $399, plug it into your Internet connection, and you get free domestic phone calls for life. The technology basically routes the call from your home box to other VOIP users and to national and local landlines via a P2P network. The assumption is that each Ooma box is part of Ooma's national network. The box in your home, for instance, is used to facilitate someone else's phone call, even though you can't hear that call.
It makes great use of P2P technology, and of course we have seen how secure that is. Even if you assume that the calls are encrypted within the P2P network, the two fundamental issues are the security of the underlying software/hardware and, most importantly, the ability for a person to monitor what is going in and out of his/her own telephone line.
So, I decided to conduct some research on the service's security. I called Ooma's online customer service, and they couldn't find anyone from technical support who could answer my questions. I called Ooma's headquarters, left a message, and never received a return call. However, I did find a link to a podcast interview where Ooma's CEO, Andrew Frame, talks about Ooma's security.
I went to Ooma's Website to see how it addressed my concern. I found the following definitive quote about calls being private and secure (under Top 10 Tech FAQs): "Ooma has been engineered to detect and thwart third-parties from being able to listen in on your phone calls. As a result, Ooma is no less secure than a traditional landline." Having previously worked at the National Security Agency (NSA), I found this was all I needed to know.
See, Ooma is actually less secure than a traditional landline. By using Ooma, your call would be going out over the landline of a complete stranger, making it theoretically subject to eavesdropping. I can see those with criminal intent agreeing to be an Ooma subscriber, so they can eavesdrop on calls being routed through their Ooma box. They could listen in on people giving out their personal account information, credit card numbers, and other sensitive details. Technically, though, I wonder if it is illegal to eavesdrop on your own telephone line. For the record, Ooma does not perform a background check on potential subscribers.
Normally, I wouldn't give out hints on how to commit criminal acts. However, Ooma's CEO proudly states that he thinks that the system cannot be broken, and he challenges hackers to "Bring it on!" You can listen to Frame's podcast interview to hear the quote for yourself. Just so you don't have to listen to the whole commercial pitch, the security discussion is about 15 minutes into the video, and lasts about a full minute. That's how much they care about security, or, better stated, trivialize valid security concerns.
It has been my personal opinion that the only people who promise perfect security are fools or liars. Frame can decide which one he is.
Besides the risk of eavesdropping on calls routed through Ooma hub boxes, there is also the potential to compromise their underlying software or hardware. If Ooma turns out to be a success, they will definitely attract the attention of the "hackers" that Frame challenges. A few smart hackers out there will eventually find vulnerabilities in the product. The effects can be drastic, depending on the vulnerabilities found.
— Ira Winkler, Former National Security Agency analyst and author of Spies Among Us