Security In Voice Over IP Converged Networks

dotslash writes: "This article at Internet Telephony Magazine has a very interesting analysis of security issues created by converging data and telephony networks with VoIP: "When the phenomenon of "convergence" between telephony and Internet started, it also brought closer the world of the phreaker and the hacker. VoIP brings all this to the next level. Unfortunately, the security inherent in VoIP solutions is equivalent to that of the early Internet: Non-existent.""

As if analog was better?

[jdclucidly]

Anyone equiped with a standard issue electrician's but-set can walk up to a house, pop open the telco terminal and listen/make phone calls on any line in the house. Same goes for corporate lines.

"Virtually no security" is an improvement over "_no_ security."

Security inherited from IP network?

[gatekeep]

Granted, security should be implemented at each layer if possible, but wouldn't VoIP inherit the security of the IP network itself? So far, most VoIP installations I've seen/heard about are either within an office, connecting handsets to a PBX with traditional trunks, or between offices of the same company using their internal WAN. Granted you can still have attacks internally, but in neither of these scenarios is it very easy for the general public to snoop or intercept your phone calls.

That said, I really don't see VoIP on a large scale taking off for a while. Two things need to occur before that happens;

- Suitably fast data service has to be ubiquitous. Spotty DSL/Cable coverage won't do it.
- Said data service has to be less expensive than conventional phone service. This one's a no brainer.
- Wireless data on a large scale would help as well.

So far, I don't see these criteria being met in all but niche markets, and that's exactly where VoIP has found itself... for now.

Re:Security inherited from IP network?

[Martin+Blank]

I've been using Vonage's service for a couple of months now, and except for some minor issues when I'm doing file transfers, the signal is clear, and definitely worth it. I've lowered my phone bill by about $25 a month (I pay about $40 for the service), and will soon be removing a couple of additional things so that they balance out. In addition, a few family members are considering moving to Vonage.

Now security is a bit of a concern, but since most people who would want to intercept my calls would likely try either the analog line first or else try to intercept the cordless phone signal, I'm not worried too much. If they can get in, they can listen to me get pestered by friends for solutions, or hear about how my nephew across the country is doing well in school. If I had something really pressing, I'd look for another solution, but for now I'm content to wait for the service to provide support through a firmware update, and if they don't and I need it then I'll look for something else.

Re:Security inherited from IP network?

[afidel]

That said, I really don't see VoIP on a large scale taking off for a while.

Then you are crazy. The amount of money that can be saved by rerouting interoffice calls over the corporate wan is staggering. Because business class SLA's on PRI's for voice are so expensive many businesses are still paying rates close to what consumers were 10 years ago, not the great low rates we are used to today. In the case of our large (180 person) satelite office nearly 80% of our long distance traffic (measured in minutes) was back to one of the companies two major north american campuses or to our manufacturer in taiwan, when we decided to move to VoIP it was determined that the equipment would pay for itself in about 9 months, not a bad ROI at all!

Little known fact

[krich]

... your old Capt Crunch whistle will send 2600Hz over the IP connection, and will give you root on the other end.

Who really gives a shit!

[noahbagels]

Sorry for swearing - but everyone reading /. is adult enough to get a dose of reality.

If you're actually reading this thread - you're wasting your time.

do you really care if someone can easily tap your phone conversations?.

More importantly:

is the value of your conversation worth the energy required for someone to crack your phone call?

In a security course (both in college, and later in a Cisco class) we heard that the risk is equal to the value divided by the effort required to get at that value.
Now: I don't believe this quote exactly, but it's point is clear.

Nobody I know would spend the effort required to tap my personal line just to hear something I might not tell them directly.
Further: Companies with secrets can use:

I. Standard Non-Secure Phone Lines

II. Secure VoIP solutions

III.Standard VoIP solutions over a VPN
... need I go on?

bring bring

[joe_bruin]

HELO?
what? is this ~l33t_hax0r? i'm sorry, there's no such user.
no, no, this is 129.168.0.1, you must have meant to connect to 192.168.0.1.
j00're welcome.

*click*

goddamnit, i gotta install a firewall.

SIP and security.

[muonzoo]

Many of the current VoIP deployments today are not using the security features that you might expect to see. In large, this is because the standard itself is maturing and the manner in which security will be implemented is still under investigation. In the case of SIP, the article points out that although the payload (voice) might be encrypted, the signalling isn't. This is not entirely true. One thing that SIP permits is to tunnel SIP as a payload within SIP. The external session serves only as a routing mechanism for the fully encrypted 'real' signaling session contained within. These mechanisms are just completing peer review and implementors are just wrapping their heads around it all. One thing is for sure; unlike protocols that have preceeded them, SIP and it's designers are taking security very seriously. How else could they consider using SIP as an integral part of 3GPP and/or it's use for inter-carrier peering.

Sure, the protocol itself may have exposure issues, and problems with NAT/PAT devices, but there are companies on the market that are addressing these issues as they arise.

SSL wont cut for many reasons

[apankrat]

Few of them being:

* it's transport layer protocol, not an IP one. By default it runs on top of TCP, while majority of VOIP protocols do not require TCP's reliability. Needless to say that this is voids no good by any means.

* it requires reliable carrier for key establishment/renegotiation. Hence dropped and out-of-order packets will effectively break session. This means that you cant just stick SSL between V and IP layers.

You still can run SSL over unreliable layer (such as UDP or IP itself), but this will require certain protocol 'fixup' effort, which might end up be no less effort than building VoIP security from the scratch.

The simpliest solution along the lines of your suggestion would be to use IPsec and classical VPNs. Throw in IKE and you get yourself PKI-based system. It'd be somewhat pain in the arse to configure, but as a quick and dirty solution is will suffice.

Been there, but most other haven't...

[xt]

Only a couple of months ago, we finished a roll-out for IP phones. The client was a bank and security was the top consideration. In essence, whatever worked to secure data, worked to secure VoIP. The problem in general is not with the technology; it is with the "old school" PBX designers and engineers.

I have met quite a few people, extremely skilled with PBXs, who view data networks as a black box and have almost no knowledge or methodology to work with products that use them, much less secure them.

When these people grasp the realities of the new, converged, technology, we can expect to see quite a few changes both on VoIP systems' built-in security and fail-safe operation.

Re:Simple Answer

[homer_ca]

That's pretty much it. Educate the users so they are aware of the level of privacy. Police, fire, taxis and pilots have for years used (and still use) unencrypted analog 2 way radios. Anybody with a scanner could eavesdrop on them, and they lived with that risk.

I'm not saying it's a good idea to just forget about security, but people should remember there's nothing sacred about privacy electronic communications. If it's really important to keep something secret, don't say it on an insecure line.

Re:Some Numbers about Voice over IP

[Bill+Currie]

A 1ms delay for a packet does not equate to 1000 packets per second. It just means that your (eg) 20ms packet (50 packets per second seems reasnable) comes out 21ms after the first sample went in rather than 20ms.

As an example, look at ppp: your ping time over a 56k modem to your ppp server is going to be around 100ms but it takes about 250ms for a 1500 byte packet to get transfered which is why modem users often see around 200-300ms ping times when playing online games (depending on the size of the packets). Even with that 100ms delay, you will still get about 4 packets per second even though 350*4=1400 (or 325*4=1300 if you're going to split the ping).

My School's IP Phone Fiasco

My university just recently overhauled the on-campus phone system. They replaced the old (working) system with IP phones. They did the whole job in a matter of months, despite very vocal opposition by the CS department faculty. These Cisco IP phones cost $700 a pop.

They hooked the central hub of the phone system up to generators in the event of a power failure. Unfortunately, all our phones depend on switches and routers scattered throughout campus, and the phones themselves have DC power adapters. In the event of a power outage, the central hub will stays on-line, but all the phones throughout campus go out!

When asked what students and faculty should do in the event of an emergency during a power outage, our IT services department responded, "Try to find someone with a cell phone!"

Worse yet, switches have a mean time to failure of 100,000 hours. With 2,000 switches throughout campus, sections of the phone system go out once every 50 hours. The current average time for IT services to replace a down switch is 2 weeks.

These phone have web servers, and a few other goodies. I'm just waiting until an IP phone worm takes out our entire campus's network and telecommunications infrastructure.

Re:My School's IP Phone Fiasco

[slashnik]

Interesting,

How does the cable powered device request power before it's got any?

Some good points, some dumb ones...

[cfulmer]

Finally, something I know about! This is what I do for a living.

The fact of the matter is that most of the large emerging packet telephony networks are not being deployed in enterprises, but in the carrier networks -- telephone companies around the world are replacing their old circuit-switched back-haul networks for packet-switched networks, either ATM or IP. These are private networks which are not open to the general public, and so do not have the same risks as, say running VoIP on the internet would. Sure, the telcos still need to watch out for attackers... it's just that you've raised the bar far enough that 'script kiddies' would have a tough time.

The article also has an over-simplified view of the effort needed to tap an IP phone call. Even if the user were able to mirror any port on the network onto his computer, he still has the extremely hard task of figuring out which port(s) he needs to monitor -- they typically change on a per-call basis, and the user would actually have to mirror two ports (one for each direction of speech) in order to get the entire call. Now, it can be done, but it's difficult. And, it's made even harder because the signalling path (the communication link that handles setting up calls) is usually encrypted, so it becomes impossible to distinguish among calls.