VoIP Security

Posted by CmdrTaco on Wed Jul 27, 2005 08:04 AM
from the this-is-the-future-people dept.
An anonymous reader writes "Whitedust are running an interesting article on the security aspects of VoIP. From the article: "The fact that VoIP operates across standard networks makes it vulnerable to all manner of IP hacking - including man in the middle attacks, sniffing, session hijacking, etc." Considering its recent growth, how secure is VoIP?" PCM2 sent us a Wired bit about Phil Zimmermann of PGP working on a privacy system for Voice over IP calling.
This discussion has been archived. No new comments can be posted.
  • by TripMaster Monkey (862126) * on Wednesday July 27 2005, @08:05AM (#13175320)

    From TFA:
    is an umbrella term used forthesoftware
    some more introductionary information
    Considerating the stability and reliability of the tradional telephony networks
    so it's roll out is most likely inevidable.
    particular relevence to most
    VoIP and it's implementation.
    And all these errors are in just the introduction.

    Now, I don't expect perfection, but the sheer amount of errors present here is beyond the pale, and renders the reader incapable of trusting the subject matter presented, or taking the author seriously.

    Mr. Anderson, about 98% of the errors in your article could have been avoided by the use of a simple spell-checker. Nowadays, people don't actually need to know how to spell, as we have software to do that for us...but you have to actually use the software.
  • Man in the middle. (Score:5, Interesting)

    by matt21811 (830841) * on Wednesday July 27 2005, @08:06AM (#13175325) Homepage
    I have never worried about man in the middle attacks on the internet. To be successful, it requires very good access to my ISP or the backbone carrier's network which is hard to do. Even if they can get that access all they can do is listen to my calls, have a chat with me and the other person or maybe hang up the call. Any attacker listening to my calls is going to get very bored very quickly. If they do the latter two, it could cause them to get caught because I'll complain about the problem.

    The only security problem I see is if the attacker can learn information that lets him make calls billed to my account. This becomes the VOIP vendor's problem anyway. When I notice something wrong with the bill I'll do a chargeback on my credit card for the bill and simply change VOIP providers. If this happens a lot, the VOIP vendor will do something about their security problem.

    Or am I missing something?
    • and what about at the other end ?
      If an attacker has access to a router beyond your isp/backbone but before the signal's receiver then the contents can be subverted.
      Admittedly, if all you do is argue about the sports scores then there is not much risk.
      But if you were using VOIP as a transparent replacement to POTS (Plain Old Telephone Service) and were ordering a new car or discussing your new pin number with the bank then things are quite different.
      • by Tony Hoyle (11698) <tmh@nodomain.org> on Wednesday July 27 2005, @08:23AM (#13175412) Homepage
        If you're using VOIP as a transparent replacement to POTS there's no change.

        POTS is wide open to MIM attacks.. in fact anyone with a cheap earpiece can do it - no need for a PC even.
        • POTS is wide open to MIM attacks.. in fact anyone with a cheap earpiece can do it - no need for a PC even.

          Yeah because it's so much easier to pick the correct pair of wires out of several dozen or hundred on the local loop than it is to set up a router rule to capture VoIP packets.

          Unless they are hanging off the pole outside your house (which would be rather brazen) I don't worry myself too much with MIM attacks on POTS. In fact unauthorized bugs on POTS can usually be detected fairly easily (they cause a

            • by Shakrai (717556) * on Wednesday July 27 2005, @08:56AM (#13175610) Journal

              Unless you were targeting one specific person, the above will work fine

              My whole point was that it's much harder to target one specific person with POTS than it is with VoIP. What's easier? Finding my pair or capturing packets from/bound for my IP address?

              The article was dealing with security, and the security for both is the same. You would have to do the same for VoIP as you do for POTS if you want security. Harden the conduit, and encrypt and decrypt the message at the TX side and RX side.

              And you still have the problem of the person at the other end who is on his speaker phone while the cubemate next door listens. Ultimately the only end of the line you know is secure is your end (POTS or VoIP) and this is all for highly paranoid people anyway.

              As much as I am arguing against VoIP (and cell phones) security is not the reason why. I worry about more reliability and quality of service -- both of which seem to be lacking at this time.

        • The thing is, that person has to be physically out in the world, splicing himself into your line. Sure, it can be done, but the motivation needed to put someone to that kind of trouble is pretty intense.

          Used to be that way with a lot of information crimes, but the internet makes them possible on a whole new scale. Imagine a mim attack that compromises a couple of major VoiP hops, and sorts out the calls to banks and creditcard companies based on phone number, or whatever. That can be automated now, so a guy
    • I think you're mostly correct. The only thing I worry about is the casual call to a company you do business with that requires you tell them your SSN over the phone to set up or make changes to your account.
  • Paranoia (Score:5, Funny)

    by tod_miller (792541) on Wednesday July 27 2005, @08:11AM (#13175355) Journal
    Hi Hun, I am gonna be a bit late tonight

    I thought you were going to give me a lift to Tinas?

    That's tomorrow, have you been taking my pain killers again?

    No... erm... ok I'll see you later

    *click*

    Wait, we are being line-tapped

    Oh my god! Execute the Omega 13 Device!

    *end of world*

    Really - if you want security, talk in tongues, or use a third party audio scrambler, plus encrypt the session. (then unencrypted it will just sound like noise). Plus stand on one foot while you talk, and occasionally look through the venetian blinds for snipers across the rooftops.
    • Re:Paranoia (Score:4, Funny)

      by mwilliamson (672411) on Wednesday July 27 2005, @11:00AM (#13176756) Homepage Journal
      -SNIP-
      and occasionally look through the venetian blinds for snipers across the rooftops.
      -SNIP-

      Dude, why not stick your head out the door for a few seconds too while you're at it? If you take paranoia seriously, you seriously need to set up outdoor pinhole cameras, like I have. I love the expressions of frustration on the sniper's faces. Also, keep in mind your location can be determined by a tempest brainwave triangulation attack, so wear the proper protection. (you have been warned)

  • by Anonymous Coward on Wednesday July 27 2005, @08:17AM (#13175384)
    There is a program called Cain that can sniff VoIP traffic (as well as other things) and turn it into a wav file if it understands the codec. There is a video on how it works at: http://www.irongeek.com/i.php?page=videos/cainvoip 1 [irongeek.com]
  • by N7DR (536428) on Wednesday July 27 2005, @08:27AM (#13175436)
    This is why the PacketCable 1.0 VoIP security spec runs to nearly 400 pages. (www.packetcable.com)

    Of course, now ask how many cable companies are actually deploying fully PacketCable-compliant systems with all the security turned on the way it was designed to be.

  • by papaia (652949) on Wednesday July 27 2005, @08:28AM (#13175448)
    Please visit the VoIPsec archives [voipsa.org], before assuming that any one article could cover it all. There you could find links and comments from some of the most pertinent contributors to this subject.
  • PGPfone (Score:2, Informative)

    Was a neat little app a few years back for simple IP-IP VoIP that was (supposedly, never checked) well encrypted, it converted the key into English words that you could say in your own voice to confirm that you weren't a victim of a MITM attack.

    http://web.mit.edu/network/pgpfone [mit.edu]
  • The majority of people are going to be getting their VOIP service from someone sitting in their basement, or from Skype or somesuch. They're going to get it from their ISP, which will provide a security layer of some sort - separate VPN, encrypted trunks, etc.

    Anyone who believes that this is some 'golden age' of free communications is on crack. And cheap crack at that.

  • If you have a set of alligator clips and a phone. Or a set of diagonal cutters (DoS attack).

    I mean, really ... it's MUCH easier to access any of the copper lines strung all over than hacking anyone's VoIP connection.

    - Brian Roach
  • by Anonymous Coward
    Wouldn't it be simpler, more effective and thus cheaper to secure IP communication instead of securing Voice over IP, HTTP over IP, SMTP over IP, FTP over IP and whathaveyou over IP? There even is a standard for secure IP communications, inconspicuously called IPSec. Stop the nonsense and start using encryption where it benefits all protocols.
  • by Ikester (571286) on Wednesday July 27 2005, @08:48AM (#13175564)
    Can't something like OTR (Off The Record messaging - http://www.cypherpunks.ca/otr/ [cypherpunks.ca]) be applied to SIP or IAX conversations? I know it was designed for slow, IM-type packet traffic, but the crypto is there. It can't be that hard :)
  • by pp (4753) on Wednesday July 27 2005, @09:01AM (#13175656)
    I mean, negotiating a private key between two hosts is trivial, just use the good old DH key exchange thing. Could even use IPSEC for the actual encryption, no need to reinvent the wheel and add crypto to the VOIP protocols, just do those security associations when you set up a call.

    The downside is, that a MITM is possible to get the key, but that's pretty damn unlikely compared to people just sniffing and listening to your call or blindly injecting data to an existing one. From what information is available about Skype, it does something like this, I believe.

    But, designing horribly complicated systems that cover the corner cases seems to be the norm, and those get ignored due to complexity and thus everyone does the unencrypted thing in the end :(
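Added example, not part of the thread or any poster's code: the DH exchange mentioned in the comment above, combined with the spoken-word key check described in the PGPfone comment, showing that the words match on a direct exchange and differ when a relay has substituted its own public values. The toy group, the syllable word list and every function name are assumptions of this example, not PGPfone's or Skype's design.

```python
import hashlib
import secrets

# Toy group so the example needs only the standard library (assumption of this
# example): P is the Mersenne prime 2**521 - 1. Real systems use a vetted group.
P = 2**521 - 1
G = 3

# Constructed 256-entry word list (16 x 16 syllables), one word per byte.
# It is NOT PGPfone's list, only a stand-in with the same purpose.
ONSETS = ["ba", "de", "fi", "go", "ku", "la", "me", "ni",
          "po", "ru", "sa", "te", "vi", "wo", "zu", "ha"]
CODAS = ["bar", "den", "fil", "gom", "kus", "lat", "mex", "nib",
         "pod", "rum", "san", "tek", "vim", "wol", "zur", "hal"]


def keypair(private=None):
    """Return (private, public); a random private value if none is given."""
    if private is None:
        private = secrets.randbelow(P - 3) + 2
    return private, pow(G, private, P)


def shared_secret(my_private, their_public):
    """Plain DH: both ends compute G**(a*b) mod P from the other's public value."""
    if not 1 < their_public < P - 1:
        raise ValueError("degenerate public value")
    return pow(their_public, my_private, P)


def spoken_words(secret, count=4):
    """Map the first `count` bytes of SHA-256(secret) to words to read aloud."""
    digest = hashlib.sha256(secret.to_bytes(66, "big")).digest()
    return " ".join(ONSETS[b >> 4] + CODAS[b & 15] for b in digest[:count])


def call(alice_priv=None, bob_priv=None, relay_privs=None):
    """Return the words Alice and Bob would each read out.

    relay_privs=None models a direct exchange. Otherwise a relay on the path
    has swapped in its own two public values, one shown to each caller.
    """
    a, pub_a = keypair(alice_priv)
    b, pub_b = keypair(bob_priv)
    if relay_privs is not None:
        # Alice receives the relay's value instead of Bob's, and vice versa.
        _, seen_by_alice = keypair(relay_privs[0])
        _, seen_by_bob = keypair(relay_privs[1])
    else:
        seen_by_alice, seen_by_bob = pub_b, pub_a
    return (spoken_words(shared_secret(a, seen_by_alice)),
            spoken_words(shared_secret(b, seen_by_bob)))


def keys_confirmed(words_pair):
    """The human check: both callers heard the same words in a known voice."""
    return words_pair[0] == words_pair[1]


if __name__ == "__main__":
    direct = call()
    print("direct :", direct, "->", keys_confirmed(direct))
    # Constructed fixed values for the interposed case, for a repeatable demo.
    relayed = call(0xA11CE, 0xB0B, relay_privs=(0x1111, 0x2222))
    print("relayed:", relayed, "->", keys_confirmed(relayed))
```

A deployed protocol also binds the words to both public values and adds a commitment step before they are revealed, which this example leaves out.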
  • So what? (Score:4, Interesting)

    by j-tull (201124) on Wednesday July 27 2005, @09:13AM (#13175759)
    Since when have good old fashioned telephone systems been secure? I can't count the number of times I've picked up a neighbor's conversation from their cordless phone. Although I'll agree that the scope of the attack may be broader with VOIP (after all, my neighbor's phone only puts out enough power to be picked up within a certain proximity), I think an expectation of privacy on any current phone system is a flawed assumption at best.
  • by Sketch (2817) on Wednesday July 27 2005, @09:31AM (#13175920) Homepage
    Considering I can walk up to 90% of the houses on the street, open up the phone box, and plug a lineman's handset (or anything else) into the phone line...how secure is the PSTN?

    If you think the PSTN is really secure, you might want to look through some old issues of 2600...
  • Folks, you have to remember that this article talks about the so-called nomadic voIP-services.

    I've been using VoIP for the better part of two years now, and it's maintained by my ISP. I run it over the Ethernet hookup I have, and as far as functionality is concerned I hardly notice the difference from POTS.

    Outages? I've had two. Once when my apartment lost power (thus the VoIP-box lost power) and once when some major link in my ISP's chain went down. As a matter of fact, I've had FEWER problems with VoIP th
  • *sigh* (Score:3, Interesting)

    by matth (22742) on Wednesday July 27 2005, @10:53AM (#13176683) Homepage
    VoIP is *more* secure than your PSTN... with the PSTN any doofus with a butt-set can climb the pole outside your house... or worse yet go OUTSIDE your house and tap into your line.

    With VoIP you have to actually be on the network.. and not just on the network.. but IN the packet stream.

    Hacker A who is on a server off the switch can't listen to your conversation... they would have to interrupt the packet stream flowing through the router.
  • VPN (Score:3, Interesting)

    by prisoner (133137) on Wednesday July 27 2005, @11:01AM (#13176776)
    We work with a bunch of local phone vendors who always dictate that for site to site voip to be used, we need to set up a site to site VPN (or point to point circuit). It is my suspicion that they do this so that

    1. they don't have to be bothered with trying to figure out what ports to forward on the firewall and

    2. they have so much difficulty in troubleshooting their own systems that they love to blame everything on us.

    In any event, I picked up the new O'Reilly book on voip and they talk a lot about avoiding vpn as it creates lag. They also indicate that sending all of your QOS flagged traffic down a VPN tunnel eliminates the ability of the upstreams to "see" the QOS flags as they are encrypted. Anyone else have experience with this?
    • Because there is no way in the world I could just go to your telephone access box with a phillips head screwdriver and pull your connection.

      • Whereas on the Internet you could just take your time - as long as you need - with relatively little fear of discovery and all kinds of freely available sniffing software.

        Hrm. Tough call.

      • Because there is no way in the world I could just go to your telephone access box with a phillips head screwdriver and pull your connection.

        You're welcome to try it at my house. The lines are underground and all of the NIDs are in the utilities room downstairs which only the telco and my landlord have a key to.

        Despite that your point would be valid if it wasn't for the fact that a VoIP phone can be brought down the same way. And a cell phone can be jammed. If somebody is out to get you then you have b

        • Bulletproof?!

          I don't think that word means what you think it means.

          DoS attack? Want to take out a neighborhood? Piece of rope tied to a car bumper and the little 2ft post on the side of the road. Or just knock the lock off with a cheap hammer, then reach in and pull out a handful of wires.

          Hit a big box with your car to cause real havoc.

          How about listening to cell calls with a scanner? Ask Newt Gingrich about that one.

          Monitoring a POTS line is still as simple as climbing a pole and attaching a couple of
        • Actually, I could. How hard is it to set up an auto-dialer to lock up your phone line? Ever try hanging up on someone who has dialed your number? I get the freaking "this is a thinly veiled political announcement wrapped in a cheesy poll" phone calls. I hang up. I pick up thirty seconds later... still blabbing away.

          Try clicking the receiver a bunch of times... no good. If there is a way to free the line, I don't know what it is. Since you are such a brilliant fellow, I am sure you know.

          Point is... if you ar
          • Um if you hang up and 30 seconds later are still connected it means someone else on the line [on your side] is still off hook.

            Check your house for nosy people and failing that call your telco to have it looked at.

            Of course I've never heard of that problem before. Doesn't mean you're making it up but more than likely the reason is more than a "remote DoS" attack.

            Mostly call-centers can only fake their CID information [but not ANI] which makes call display all fucked up [but not their billing]. That's about
            • Tell you what. Try it yourself. Grab a cell phone and call your land line (assuming you have one). Pick up the land line. Hang up. Pick it back up a few seconds later... unless things are handled differently in your part of the world, your cell will still be there.

              If your experiment doesn't work as I predicted, let me know. I've had it happen on more than one line, and yes, I am sure no one on my end picked up a receiver.

              Maybe call-waiting would get around it, but if you didn't have it, I know I could tie
              • "few seconds". It usually takes 3-4 seconds to hang up. Anything longer and your phones and/or telco is broken.

                Tom
                • It depends on the phone system in use.

                  It's normal behaviour for the caller to control the state of the call - it's actually useful - for example if someone phones you and you pick it up on an extension you can hang up and go to another phone and pick up.. and the caller will still be there.

                  In this country all phones work like this, even the new digital exchanges. I'd expect in the US it's more varied as there isn't one telco running everything.
          • Dude, I wish I was skinn[y|ier].

            In reality if you stood on a soap box spouting crap like that I'd tell you to shut up as well.

            And it doesn't make me feel better, it makes me sad that there are people like you living amongst us. It makes me weep for the future, do you have or plan on having kids? Seriously consider giving them up for adoption.

            Tom
    • Re:Hmm... (Score:5, Interesting)

      by Shakrai (717556) * on Wednesday July 27 2005, @08:20AM (#13175393) Journal

      Can't we just stick to regular telephones? I don't want my 911 call to be interrupted by a denial of service attack...

      Indeed. I have spoken about this [slashdot.org] before. In fact from TFA:

      Considerating the stability and reliability of the tradional telephony networks - a product of decades of work - it seems foolhardy to replace it.

      I couldn't agree more! All the power to people who use VoIP or cell phones as a primary line. But anyone who completely abandons POTS at this point is jumping off the diving board with no idea of how deep the water is. POTS is damn near 100% reliable (short of drunk guy hitting pole outside your house), it survives power outages and I don't think it can be brought down by a buggy TV in your neighbor's house. A friend of mine lost Roadrunner and TW's digital phone service for two days because of a TV next door that was leaking RF onto the coax network.

      More to the point, if these services are going to be sold as a replacement for your POTS line then they damn well ought to be regulated like your POTS line -- with requirements for reliability and appeals processes if you get hosed.

      • POTS is damn near 100% reliable (short of drunk guy hitting pole outside your house)

        I live in a college-heavy neighborhood, in a DUI-heavy state...you'd be surprised just how often this can happen (though I lose power more often than phone).

        I once had drunk drivers crash into some box two houses down that apparently my home power runs through twice in three weeks. Same box. Different cars. No joke. And it wasn't even the snowy season.

        Of course, this has nothing to do with VoIP security... :) (
        • I live in a college-heavy neighborhood, in a DUI-heavy state...you'd be surprised just how often this can happen (though I lose power more often than phone).

          Hahaha, nice. I should have pointed out that odds are the drunk guy hitting the pole would also knock out your VoIP service too -- unless you have a wireless internet connection and a laptop/UPS. My main point was that in my 30 some years on this earth the only time I can ever recall the phone not working was when somebody hit the pole and ripped t

      • Re:Hmm... (Score:4, Insightful)

        by rbarreira (836272) on Wednesday July 27 2005, @09:14AM (#13175765) Homepage
        Considerating the stability and reliability of the tradional telephony networks - a product of decades of work - it seems foolhardy to replace it.

        [sarcasm] Yeah, fuck progress! [/sarcasm]
      • >POTS is damn near 100% reliable

        My phone company charges $12 for my no-frills service. Somehow the bill I pay is $45 after all the fees and taxes. Those extra charges are the main reason I'm considering bailing from POTS to VoIP. They'll catch up sooner or later, but for a time, I can keep some of my money.

        Heck I might have some cash to enter the sucker mill^H^H cell phone subscriber pool.
      • Failure of a VOIP line is generally not a life-threatening event. For a backup, use your cellphone. For a backup to that, use your neighbor's phone. If your VOIP or digital phone fails, along with your cellphone, along with your neighbor's phone, and you have a life-threatening emergency, then you're just screwed, but how often does that happen?

        Keep risk management in perspective. In the case of a business, I think it would be a good idea to keep at least one POTS line, to prevent a total outage of phone se
        • " In the case of a business, I think it would be a good idea to keep at least one POTS line, to prevent a total outage of phone service. VOIP would be very useful in the business world to keep down the cost of long distance calls, and the quality is good enough."

          It is good enough, and that's exactly what we do. I have a VoIP "line" from AT&T at our business for outgoing long distance, plugged right into our phone system. It saves us probably $200 - $300 a month in long distance (You should see what busi
        • Re:Hmm... (Score:3, Insightful)

          The advantages of VoIP are amazing... the cost on Long Distance is ridiculous... POTS might not be broken.. but what happens when those wires do need to be replaced... I'm positive nobody is going to be jumping in and re-laying the wire..

          And exactly what kind of wires do you think your internet connection is coming in on? Do you worry about the wires when you talk about VoIP? And, yes, they will replace the wires. Pretty much the only copper part of the PSTN left is the local loop from the CO to your h

            • Re:Hmm... (Score:3, Insightful)

              Well the VOIP provider has one important motivator that the phone company lacks.

              Yeah, because between VoIP, the cable company and cell phones (none of which are regulated or held to the same standard) the baby bells have no competition at all. Do you really believe that?

              The bells seem to think that whatever they want to do is okay. You're stuck with them, they don't have to be honest in their billing, It costs the telcos nothing to enable caller-ID, indeed it is an integral part of the POTS system, so w

        • People don't seem to care about the availability of their phone system, 99.something percent availability seems to be good enough for most.

          Cell phones might be at 99% but VoIP isn't even close. And those people will care when they have a heart attack during that 1% of the time.

          Think that's a remote chance? Take a 1% downtime and apply it across a couple hundred thousand users. It's only a matter of time.

    • Great thing about this - in a Call Manager environment you can do encrypted, or recorded / monitored (system side, not talking MITM here) - never both. So in a contact centre environment... no encryption if you're going to do any call logging / monitoring.

      It makes sense on one level - you're preventing /everyone/ from monitoring the call, right? But you'd think that Cisco could figure out some way of sharing the encryption keys between the Callmanager and whatever does the recording, as well as the phone.