Friday, July 20, 2007

Why Ooma is a security risk

Now finally it's out what Ooma is:
With one fell swoop, it hopes to let people share their phone lines with each other in order to disrupt the business of major telecommunications companies.

Here’s how it works: You install an Ooma “hub” device, costing a $399 one-time fee, in your home that routes phone calls through your computer or your land-line. Ooma’s device also sends and receives calls for other people in your geographic area (local land lines that Ooma takes advantage of).
A P2P calling application? That's pretty dangerous and has failed before! I think it will not work, especially in the USA where people are so afraid of terrorists. Would you borrow your phone to Al Qaeda for their next announcement? No? But you might be doing it with Ooma, without even notice.

Out of the same reason Jeff Pulver's "fwdOUT™ Phone Sharing Network" (former Bellster) never made it big: People cannot control who is talking under their number. When someone uses Ooma or fwdOUT, his call will appear on someone else's phone bill or call record. This poor person would then have to prove that it was an unknown criminal who made the latest phone call. Quite difficult.

Jeff Pulvers fwdOUT idea sounds quite similar:
The fwdOUT™ Network is a system that matches callers with other users that can complete the call for them at no charge. The only catch is that to make some calls, you have to let others use your phone. fwdOUT™is free and not to be used for commercial purposes.

For Instance, Erik lives in New York City, and he gets free local phone service, his family is in Holland. Joe is an expatriate from New York living in Holland that calls New York on a regular basis. Using the Free World Dialup Phone Sharing Service, Erik shares his number. Joe also shares his number. When Joe calls New York, he uses Erik’s line and Erik uses Joe’s Line. The sharing is not done on a one-on-one basis, members share with the entire community and accumulate credits when their line is used. These credits can be used to place calls through other member’s phones. Free World Dialup maintains the tallies so that no line is used more than the owner has permitted.
Only that fwdOUT doesn't connect slick Ooma boxes over the internet but private Asterisk PBXes worldwide. It doesn't work too good because there are to few people providing their phone lines and the project has to face legal problems. Some Russians use it, but that's not enough. Boingboing wrote already two years ago about Bellster/fwdOUT:
The Bellster challenge for 2005 is to find out whether or not there are still people in the world who would let total strangers place non-commercial phone calls for free in exchange for the ability to do the same thing themselves. At the moment we have a handful of active nodes around the world, and as the word of Bellster spreads, my hope is that our network will be able to deliver calls to the PSTN all around the world.
Now Ooma wants to do the same. Good luck! As far as I know Jeff Pulver's project did not fail from technical difficulties, but from lack of acceptance. Jeff downsized his support when he realized what a difficult issue it is. Here you can read the fwdOUT risks, collected by Many of them apply to Ooma as well:

Possible Risks:
  • Potentially a criminal offence in some countries to provide this service, and you could face jail time, while there you would end up meeting a big guy named bubba who wants to be really good friends.

  • Your phone line could be used for credit card fraud or to report bomb threats or death threats, and you will have a lot of explaining to do when the police come and confiscate your equipment and take you down to the station for a little chat. Unlike carriers who are explictly exempt from being responsible for facilitating these kinds of things occuring, home users aren't and you could end up being the one facing court over it. Even if you get off, there will be no doubt a great inconvience for some from having their machines confiscated for any arbitary length of time. Although if you decided to give smart answers to the police you could end up being the next rodney king.

  • Contractually, the phone company could cut you off, or could introduce clauses in your contract to cut you off in future if they feel you are participating in this kind of service. Phone companies can and do monitor call patterns in different countries and people have reportedly been cut off when their call patterns changed legimately, they were still required to sign documents that it was their calls, the calls were valid and even had to pay a reconnection fee.

  • Security, any route your call takes could easily be monitored, recorded or altered, all without your knowledge or consent, even if this is against bellsters terms and conditions you may not know it is happening until it's too late.

  • You could end up with large phone bills, it's one thing to setup asterisk for home use for your own toll by pass but securing asterisk to prevent unwanted calls is a whole other thing and it's your phone bill on the line if someone works out a way round your filtering. Some 1800 numbers in the US offer to bill your phone line like a 1900 number, so this could also increase your phone bill. Some people apparently are listing themselves as +1 area code, what they don't realise is that there is 20+ countries other then just the US listed under +1 which could also give them a nasty surprise if the bellster route filtering is breached. These calls are not blocked by the fwdOUT network (but instructions for blocking them are available). There are other locations that aren't being listed that could cause similar damage to your phone bill/wallet.

Minor points:
  • Only likely to benefit those in cheap call areas, in which case you can use VoIP providers which in general have MUCH better call quality and are bound by privacy regulations regarding your privacy.

  • Call quality, you are relying on the fact that someone else won't suddenly flood their home line with a massive download causing your phone call to be lagged or jittered severely.

  • You could end up receiving calls from people in foreign languages if you don't setup asterisk properly to block out bound caller ID (also you can't always block Caller ID apparently)

  • Bellster has the potential to make it easier for telemarketers to push their sales pitches by leveraging the bellster network.
  • Time to establish a phone call could dramatically increase if you hit a bunch of hosts that only allow calls out of hours, so while the network hunts and trys different routes you either hear local ring back or dead air depending on your local configuration of asterisk, which could potentially miss inform people about the true state of the call.

  • non-geek house hold members, is it likely that most people will want to queue to use their own phone line? try explaining it to non-geeks and see how they react to it.

  • high barrier to entry, as you not only need a linux box running asterisk but also hardware that's capable of interfacing with the PSTN network.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.