Is VoIP the cyber criminal's new best friend?

Internet phone services such as Skype and Vonage could provide a means for cyber criminals to send spam and launch attacks that cripple websites, experts have warned.

Moreover, because many voice over IP applications use proprietary technology and encrypted data traffic that can't easily be monitored, the attackers will be able to go undetected.

The Communications Research Network said on Wednesday: "VoIP applications could provide excellent cover for launching denial of service (DoS) attacks." The Communications Research Network (CRN) is a group of industry experts, academics and policy makers funded by the Cambridge-MIT Institute, a joint venture between Cambridge University, UK, and the Massachusetts Institute of Technology in the US.

The group urges VoIP providers to publish their routing specifications or switch to open standards. Jon Crowcroft, a professor at Cambridge University, said in a statement: "These measures would... allow legitimate agencies to track criminal misuse of VoIP."

Essentially, some of the features to protect VoIP applications can now be used maliciously, Crowcroft said. "While these security measures are in many ways positive, they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks," he said.

In a DoS attack, a flood of information requests is sent to a web server, bringing the system to its knees and making it difficult or impossible to reach. Today, such attacks often involve many hacked computers, so-called "zombies", that have been networked in a so-called "botnet".

Botnets are typically controlled by an attacker via Internet Relay Chat (IRC). Zombies listen for instructions from their masters on IRC channels. Investigators monitor those channels to help catch cyber criminals and experts have said ISPs can block traffic to the IRC servers used by zombies in order to thwart attacks.

VoIP applications such as eBay's Skype and Vonage could give cyber criminals a better way of controlling their zombies and covering their tracks, the Communications Research Network said. The group said in a statement: "If the control traffic were to be obfuscated, then catching those responsible for DoS attacks would become much more difficult, perhaps even impossible."

There has yet to be an instance of an online attack launched through a VoIP application but the CRN believes it is only a matter of time. The group said: "If left unresolved, this loophole in VoIP security won't just decrease the likelihood of [attack] detection and prosecution, it could also undermine consumer confidence in VoIP."

The CRN contacted VoIP providers with its concerns, it said. Skype and Vonage did not immediately respond to a request for comment.

Joris Evers writes for CNET News.com