Slashdot Mirror

← Back to Stories (view on slashdot.org)

Snooping on VOIP

Posted by michael on from the nothing-better-to-do dept.

EvilAlien writes "SecurityFocus is running an article on a joint Justice Department and FBI filing to the FCC which asks for broader communications interception powers: FBI seeks Internet telephony surveillance. The move is very similar to the Lawful Access Consultation launched by the Canadian Government in August 2002. Both initatives discuss technological challenges and fears of communication "safe havens" for criminals on broadband services such as Internet, VoIP, and wireless services. Holes in existing legislation, such as Communications Assistance for Law Enforcement Act (CALEA), can provide unintended exclusions for services such as Free World Dialup."

28 of 141 comments (clear)

  1. Encryption? by byolinux · · Score: 3, Interesting

    What's the encryption like on VOIP? Would something like PGP be possible?

    --
    Join the Free Software Foundation
    1. Re:Encryption? by bmongar · · Score: 4, Informative

      Well there is PGPFone

      --
      As x approaches total apathy I couldn't care less.
    2. Re:Encryption? by Max+Romantschuk · · Score: 5, Interesting

      What's the encryption like on VOIP? Would something like PGP be possible?

      In theory, the following applies... in practice I have no idea :)

      Since VOIP is transferred in IP packets and packets can be encrypted encryption should be possible.

      Since PGP is public key encryption and this is fairly standard there shouldn't be any problems there either.

      The real issue is that whatever the solution it has to be part of the standard... otherwise it's pretty meaningless, unless your dodgy friend also has a custom encryption solution, and then I guess one could tunnel VOIP through an SSH tunnel just as well.

      I suspect that VOIP technologies have incorporated encryption, but I'm not educated on the subject. Would someone care to fill in?

      --
      .: Max Romantschuk :: http://max.romantschuk.fi/
    3. Re:Encryption? by jackb_guppy · · Score: 3, Interesting

      Since it is packets.

      You can direct it though VPN or SSH tunnels to add another layer of encryption.

    4. Re:Encryption? by Albanach · · Score: 2, Informative

      There is in fact PGP fone which does just that: Link here There's aslo SpeakFreely available here. Both support secure encryption, so unless they really do ahve those factoring machines and we don't yet know it...

    5. Re:Encryption? by pdjohe · · Score: 2, Informative

      Sure VoIP can be encrypted.

      However, encryption and decryption take time, and when using VoIP, LATENCY can be a big factor. A delay time of 250ms can be somewhat annoying and the term 'real time' communication is somewhat lessened.

      So the slower the en/decryption, the more delay time you would have no matter how big the pipeline between the two people is.

      I haven't tried PGPfone for a number of years, and computer speeds are quite a bit faster now. Maybe en/decryption time isn't much of a problem now. Whatever the case, I imagine this will become less and less of an issue in the future as computers get faster.

  2. Free World Dialup? by pmsr · · Score: 2, Funny

    Let me guess. Previously known as French World Dialup. /Pedro

    1. Re:Free World Dialup? by PerlGuru · · Score: 5, Informative

      There is a company I use called Vonage. They provide you with a free Cisco ATA when you signup. You aren't renting it, you own it. You pay $10 for shipping (I got mine two days later) and your first month and your good to go. Has caller-id, three way calling, voicemail and some really powerful forwarding features that can make your phone bounce all over the place and then back to your voicemail with them. One draw back is they have a cancellation fee (about $39 I think). All in all, they have been great for us... it is our only phone now. Upstream requirement is 90kbs. And no, I don't work for them... just a satisfied customer.

    2. Re:Free World Dialup? by rixster · · Score: 2, Interesting

      I use vonage as well. I live in the UK and my SO in NY. I get unlimited international (i.e. UK US) calling for 30 usd a month. Plus she can call me for the "cost" of a local phone call and the line is nothing short of excellent quality. OK - a few times they've had problems, but in the space of around 8 months I can only think of 2-3 times this has happened. It is definitely a fantastic server. (recommend me and get 40 USD free!!)

      --
      Two wrongs may not make a right, but three ....
  3. Monitoring ? by koh · · Score: 5, Funny

    In other news, criminals are now able to use "cars", new transportation means that allow them to quickly escape after perpetrating crimes. FBI is looking for a way to monitor all cars in order to ensure security.

    This is getting boring. Really.

    --
    Karma cannot be described by words alone.
    1. Re:Monitoring ? by diablobynight · · Score: 4, Insightful

      I actually think people are this stupid. Do we really believe that more big brother will be a help in stopping terrorist? I am sure that lovely gentleman that the FBI says is the head of what happened on 9/11, was talking on an IP phone to cordinate all of this. Fuck the FBI and the horse they road in on, this is just another way for the voyeuristic freaks to get their grubby little hands into more of our privacy. The 9/11 terrorist, came into our country legally, took flight lessons, worked out, and didn't have jobs for months. Last time I checked, flight lessons are about 100$ per hour of flight time. And according to my calculations, people with very little income can't afford that. Maybe this could have been the FBIs clue as apposed to needing to tap the IP phone systems. I am sure that they'll be at my door in minutes and tomorrow my face will be on the news as "suspected of a plot of terrorism."

      --
      Anonymous Cowards - Oh God, How I hate you
  4. Time to revive pgpfone? by mstockman · · Score: 3, Informative

    Won't people who value their privacy (which, sadly, may also include criminals) just revive a project like PGPfone? I don't think it's been updated in a while, but the source code is still there...

  5. What would they do if.. by 3.5+stripes · · Score: 4, Interesting

    people used ssh to tunnel their calls (assuming it's possible), or made calls over VPNs?

    --


    He tried to kill me with a forklift!
    1. Re:What would they do if.. by pesc · · Score: 3, Informative

      ...people used ssh to tunnel their calls (assuming it's possible), or made calls over VPNs?

      They would use traffic analysis. This allows you chart how the criminal networks are organized. There have been several convictions in Sweden where criminals used mobile phones during their crimes and traffic analysis provided the needed evidence. Traffic analysis has several benefits; it is very easy to automate it in computers (compared to having computers that actually analyze the spoken content), it is cheap (very little data is produced), and it doesn't matter if the content is encrypted or if you can't break the encryption.

      Sometimes (when I'm feeling paranoid) I think there is a grand conspiracy from FBI, NSA, etc. They talk about encryption, make half-hearted attempts to ban it, etc. So that people in general think they are secure once they encrypt their communication. And then they can use traffic analysis to watch over the general public. ;-)

      --

      )9TSS
  6. farming in 84 by Syncroswitch · · Score: 5, Insightful

    In other news, orwell rolled over in his grave today, as a confused nation scrambled to hand over their individual freedoms for the sake of percieved security.

    Do not surrender your freedoms, granting increased voip snooping is just one more step to a totalitarian nation, where we justify acts like pre-emptive wars, racial profiling, internetwide snoop network with evil McCarthy databases,...

    Oh shit it already happened...

  7. Wouldn't you want your VoIP encrypted anyway? by Kjella · · Score: 5, Insightful

    Seriously. I know most people send postcards (e-mail) and not letters (encrypted e-mail) but wouldn't you at least do a simple public key exchange for VoIP? I feel I have much more privacy in a phone call than I do on an unencrypted Internet chat that is being relayed through a bunch of unknown servers.

    Even the simplest of key exchanges would stop any eavesdroppers, and making a man-in-the-middle attack requires so much more work, not to mention being detectable if verified through a secure channel.

    That being said, I can understand the law enforcement agencies. It's not like it's the difference between a postcard and an envelope - it's the difference between a postcard and an indestructable envelope. Giving the police special permissions (e.g. to open your letters with a court order) doesn't work well in a world where encryption is in black and white - secure and insecure. Escrow keys and stuff like that to make it work like in the "real world" doesn't work well either.

    Personally, I think I'd just write a AES wrapper if I'm busy planning to Take Over The World(tm Pinky & the Brain). Either that or I'll just send some PGP'd blueprints over freenet through a proxy from a webcafe wearing gloves or something ;)

    Kjella

    --
    Live today, because you never know what tomorrow brings
    1. Re:Wouldn't you want your VoIP encrypted anyway? by 680x0 · · Score: 3, Informative
      I might be wrong, but I thought VOIP traffic was primarily UDP, not TCP. TCP is used for the call setup and teardown, but the actual stream of voice packets is UDP for speed's sake.
      You're partially right. The sound data is indeed carried over UDP, almost always encapsulated by a UDP-based protocol called RTP (Real Time Protocol). RTP can also carry other time-based media like video.

      There are 2 mail competing standards for call setup and tear-down:

      • SIP - Session Initiation Protocol - Which can be carried atop TCP or UDP (usually UDP, though). Very similar in format to HTTP, actually. A simple protocol to generate and parse, but got a later start.
      • H.323 - An ITU standard, which is actually composed of several standards for various parts of the call negotiation:
        • H.225 - Handles placing of calls (modified version of Q.931 (phone company protocol)) and dealing with "gatekeeper" (entity which manages name lookups and bandwidth allocation - via a protocol called RAS).
        • H.245 - Handles negotiation of media encodings. Deals with things like whether the call involves video and/or audio, and which encoding/compression to use for each.
        If I recall correctly, the Q.931 and H.245 use TCP usually, and RAS uses UDP (since gatekeepers are sometimes "discovered" via multicast).
      And the RTP standard does mention how to handle encryption, though it doesn't specify an algorithm to use.
  8. P2P VOIP? by rickthewizkid · · Score: 2, Insightful

    What if the VOIP program was directly from my computer to the other party's computer with no "central server" as such that all the traffic flows through. As I see it, CALEA is only feasable on systems such as POTS or cellular where all calls go through a switch of some sort. If one were to set it up so that my computer talks directly to your computer over an encrypted link (maybe with SSL etc) there is no central switch to be compromised...

    Of course, one can always use a pay phone. Cash still works.

    Just my please-deposit-nintey-cents-for-the-first-three-mi nutes'-worth
    RickTheWizKid

    1. Re:P2P VOIP? by jmagar.com · · Score: 2, Interesting

      VoIP is Point to Point already for on net calls. If you leave to the POTS them you are working with a media gateway in the middle.

      CALEA works on the call manager. Heres a quick and dirty run down:
      1)You pick up the phone
      2)the MTA (you IP phone) sends an off hook to the call manager
      3) the call manager send back dial tone.
      4) you dial
      5) the call manager hunts for a route either on net of to the SS7 network
      6a) if on net the call manager send ring to other MTA
      6b) if off net call manager send ring over SS7 (POTS)
      7) other end picks up
      8) call manager receives other end off hook
      9) call manager connects the call by sending directly to the other MTA (on net) of the media gateway (POTS)

      CALEA is implemented on the call manager by controling the MTA that is being "bugged" by forcing the call through a media gateway with recording capabilities, or by forking the stream and connecting an additional endpoint to the call.

      How do you beat it? First off you need to be able to tell the difference of end point so snooping the SIP (session initiation protocol) and watching for a change in MTA endpoint. If you know the other parties IP and you are going somewhere else then you are probably being bugged.

      The other way, is to build your own Call Manager. The SIP protocol is not too complex, and if you don't want to do funky telco stuff like call waiting... then a bare bones connection manager shouldn't be too tough. Your call manager would only work for on net calls, but I think you've already decided that P2P is what you wanted in the first place.

      --
      www.jmagar.com
      -
  9. And non-criminals by truthsearch · · Score: 2, Interesting

    "safe havens" for criminals

    Us non-criminals can't have a safe haven either? Thanks.

    --
    Developers: We can use your help.
  10. Re:Encryption? - ULER by mrmeval · · Score: 2, Insightful

    Speak freely has IDEA encryption built in and the client can exchange session keys with PGP. I doesn't use a PGP IDEA key to DO the encryption, it generates it's own but once the key exchange is done with PGP. *poof* fbi still AS ALWAYS needs to get off their fat ass and drop this Ubiqitous Law Enforcement Rampage and do the HUMAN INTELLEGENCE that they get paid to do.

    --
    I'd go on a Vegan diet but the delivery time from Vega is too long. --brownkitty
  11. Remember when ... by wytcld · · Score: 2, Interesting

    Remember when we used to have sigs that included keywords that were designed to attract the attention of spooks using Echelon to monitor e-mail traffic? Well, we can easily add recorded voice clips to the end of our VOIP calls to similar effect. Go to the library, check out a book of war poetry, and start recording those keyword-rich sound bites. Or select passages from Gravity's Rainbow.

    Hmm, we could put this stuff on our answering machines too. As a way of supporting America's martial spirit, of course.

    --
    "with their freedom lost all virtue lose" - Milton
  12. Sigh...the only tech needed. by siasl · · Score: 5, Insightful

    We can give up all our remaining freedoms but the only "tech" a "terrorist" really needs is the commitment to die for their cause. How do you 100% guard against that? I fear for our children's children.

  13. Orwell was wrong. by the_other_one · · Score: 4, Informative

    He was completely off by about 19 years.

    --
    134340: I am not a number. I am a free planet!
  14. I'll take terrorism over totalitarianism by leereyno · · Score: 4, Insightful

    The law enforcement community has been begging for the unrestricted right to spy on the american people for some time now. I don't know about the rest of you, but I'm much more fearful of government agents with gestapo-like powers than I am of deluded wackos from the 3rd world. The intelligence community already spies on the rest of the world, which is where the threat is coming from. That should be enough. If not, then that is what our military is for, to defend the country against our enemies...which are OUT THERE, not HERE. I'd rather have terrorists over to my house for dinner three nights a week than see law enforcement aquire unnecessary powers that are a greater danger to the public than the terrorism they are purported to prevent.

    The abundance of those who would trade freedom for the temporary illusion of security are proof positive that 50% of the population is of below average intelligence.

    --
    Muslim community leaders warn of backlash from tomorrow morning's terrorist attack.
  15. If you're interested... by GeorgeH · · Score: 3, Interesting

    You too can listen in to VOIP with voice over misconfigured internet telephones or vomit for short. It only works for Cisco IP phones, but I hear that this Cisco company may become a medium to large business in the networking industry.

    --
    Why can't I moderate something "Wrong" or at least "Grossly Misinformed"?
  16. If you don't want to be monitored ENCRYPT!! by ZPO · · Score: 2, Informative

    The only protection against eavesdropping is strong end-to-end encryption. We got the ECPA (86 - US) shoved down our throats so cellular companies could claim their systems were "protected" from unauthorized monitorin without having to actually spend money on embedding crypto hardware in subscriber units.

    CALEA was just a pitiful attempt to keep LE agencies from having to spend big bucks on upgrading their monitoring hardware.

    If an individual, organization, government agency, or other entity wants to monitor your communications badly enough they will. If you don't like that then use stong end-to-end encryption.

    --BEGIN RANT MODE--
    Instead of wringing you hands over the evil and unfair world we live in just deal with it and work around it.

    Its not exactly difficult to properly encypt just about anything you send. How many actually do it? Want to bet those same people that can't be bothered to use strong encryption are some of the first to whine about monitoring?
    --END RANT MODE--

    In God we trust -- All others we monitor

  17. IPSEC is a better choice by billstewart · · Score: 2, Insightful
    SSH is too far up the protocol stack - if you're going to wrap encryption around an unencrypted VOIP stack, IPSEC is the right layer to work at. There's still a bit of weirdness there (Cisco's cRTP Compressed RTP implementation doesn't work over IPSEC, unless they've updated it recently, so you need to use uncompressed headers, which inflates packets sizes a lot), but it's better than doing Layer 4/5 solutions.

    The right choice is to build the encryption into the VOIP protocols themselves, which the initial H.323 and (I think) SIP standards didn't do. That way, it's not something that might or might not get patched on later, it's secure by default. The amount of CPU overhead is trivial - RC4 is blazingly fast, but even if you're using Triple-DES, it's on data you've compressed down to 8-16kbps, and the voice compression takes a lot more horsepower than encryption. I think some of the later standards have some crypto, but I don't know if they're in use.

    Of course, crypto only covers the VOIP part - if you're using a VOIP-to-telco gateway in either direction, the telco side is unencrypted and subject to CALEA regulations, which are as technically onerous as they are invasive.

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks