There may be no hotter topic in telecom right now than IP Multimedia Subsystem (IMS), an evolving standard that promises to offer a common way for multiple wireless and wireline networks to deliver multimedia applications.
Fixed and mobile network operators are expected to invest $US10.1 billion in IMS capital infrastructure between 2006 and 2011, and generate $US49.6 billion in service revenue from IMS-enabled applications within that time, according to ABI Research.
But there may be no more discouraging topic than securing an IMS network. Recent events and published reports indicate that IMS security specifications are lacking, and that the architecture may introduce more vulnerabilities than benefits.
"There definitely were security gaps in the standard right out of the gate," says Tom Valovic, a telecom analyst at IDC. "Many vendors are somewhat vague concerning the types of security issues associated with wireless."
Gaps in fixed-line applications are being addressed with standards efforts such as TISPAN and products such as session border controllers, Valovic says. Yet wireless remains a challenge, he says.
"I've seen less definition on the wireless side," Valovic says.
That's one of the reasons Verizon Wireless decided to develop Advances to IMS (A-IMS), a framework for mobile networks that attempts to fill in perceived gaps in IMS. And Sipera Systems, a maker of products for VoIP, mobile and multimedia security, recently authored an article in a monthly industry periodical describing a litany of vulnerabilities unique to and inherited by IMS.
In that article, Sipera claims to have identified in its labs more than 90 "major classes" of unique vulnerabilities and over 20,000 attacks that can be launched against IMS networks. Most of these vulnerabilities and attacks, however, are common to IP data and VoIP networks as well, says Sipera CTO Krishna Kurapati.
But securing IMS is a much tougher task.
"You have multiple channels of communication and states [in IMS] that complicate matters," Kurapati says, referring to the various packet data gateways, call servers, media gateways and home subscriber servers that IMS specifies. "There are multiple states that are getting involved simultaneously. You could launch multiple attacks against each of those servers and clients."
And building an attack mechanism for IMS is easy and inexpensive, Kurapati says. IMS specifications are published on the Third Generation Partnership Project (3GPP) Web site, and other components are available freely as open source software.
Hackers can also write scripts to read IMS Subscriber Identity Module (SIM) cards with which to gain access to the IMS network, he says.
Once inside, a hacker can launch denial of service (DoS) and distributed DoS attacks by flooding IMS elements with calls, as well as stealth attacks, in which certain IMS elements are targeted for floods by one or more DoS sources, Kurapati says.