Snooping on VOIP

EvilAlien writes "SecurityFocus is running an article on a joint Justice Department and FBI filing to the FCC which asks for broader communications interception powers: FBI seeks Internet telephony surveillance. The move is very similar to the Lawful Access Consultation launched by the Canadian Government in August 2002. Both initatives discuss technological challenges and fears of communication "safe havens" for criminals on broadband services such as Internet, VoIP, and wireless services. Holes in existing legislation, such as Communications Assistance for Law Enforcement Act (CALEA), can provide unintended exclusions for services such as Free World Dialup."

Encryption?

[byolinux]

What's the encryption like on VOIP? Would something like PGP be possible?

Re:Encryption?

[bmongar]

Well there is PGPFone

Re:Encryption?

[Max+Romantschuk]

What's the encryption like on VOIP? Would something like PGP be possible?

In theory, the following applies... in practice I have no idea :)

Since VOIP is transferred in IP packets and packets can be encrypted encryption should be possible.

Since PGP is public key encryption and this is fairly standard there shouldn't be any problems there either.

The real issue is that whatever the solution it has to be part of the standard... otherwise it's pretty meaningless, unless your dodgy friend also has a custom encryption solution, and then I guess one could tunnel VOIP through an SSH tunnel just as well.

I suspect that VOIP technologies have incorporated encryption, but I'm not educated on the subject. Would someone care to fill in?

Re:Encryption?

[jackb_guppy]

Since it is packets.

You can direct it though VPN or SSH tunnels to add another layer of encryption.

Monitoring ?

[koh]

In other news, criminals are now able to use "cars", new transportation means that allow them to quickly escape after perpetrating crimes. FBI is looking for a way to monitor all cars in order to ensure security.

This is getting boring. Really.

Re:Monitoring ?

[diablobynight]

I actually think people are this stupid. Do we really believe that more big brother will be a help in stopping terrorist? I am sure that lovely gentleman that the FBI says is the head of what happened on 9/11, was talking on an IP phone to cordinate all of this. Fuck the FBI and the horse they road in on, this is just another way for the voyeuristic freaks to get their grubby little hands into more of our privacy. The 9/11 terrorist, came into our country legally, took flight lessons, worked out, and didn't have jobs for months. Last time I checked, flight lessons are about 100$ per hour of flight time. And according to my calculations, people with very little income can't afford that. Maybe this could have been the FBIs clue as apposed to needing to tap the IP phone systems. I am sure that they'll be at my door in minutes and tomorrow my face will be on the news as "suspected of a plot of terrorism."

Time to revive pgpfone?

[mstockman]

Won't people who value their privacy (which, sadly, may also include criminals) just revive a project like PGPfone? I don't think it's been updated in a while, but the source code is still there...

What would they do if..

[3.5+stripes]

people used ssh to tunnel their calls (assuming it's possible), or made calls over VPNs?

Re:What would they do if..

[pesc]

...people used ssh to tunnel their calls (assuming it's possible), or made calls over VPNs?

They would use traffic analysis. This allows you chart how the criminal networks are organized. There have been several convictions in Sweden where criminals used mobile phones during their crimes and traffic analysis provided the needed evidence. Traffic analysis has several benefits; it is very easy to automate it in computers (compared to having computers that actually analyze the spoken content), it is cheap (very little data is produced), and it doesn't matter if the content is encrypted or if you can't break the encryption.

Sometimes (when I'm feeling paranoid) I think there is a grand conspiracy from FBI, NSA, etc. They talk about encryption, make half-hearted attempts to ban it, etc. So that people in general think they are secure once they encrypt their communication. And then they can use traffic analysis to watch over the general public. ;-)

farming in 84

[Syncroswitch]

In other news, orwell rolled over in his grave today, as a confused nation scrambled to hand over their individual freedoms for the sake of percieved security.

Do not surrender your freedoms, granting increased voip snooping is just one more step to a totalitarian nation, where we justify acts like pre-emptive wars, racial profiling, internetwide snoop network with evil McCarthy databases,...

Oh shit it already happened...

Re:Free World Dialup?

[PerlGuru]

There is a company I use called Vonage. They provide you with a free Cisco ATA when you signup. You aren't renting it, you own it. You pay $10 for shipping (I got mine two days later) and your first month and your good to go. Has caller-id, three way calling, voicemail and some really powerful forwarding features that can make your phone bounce all over the place and then back to your voicemail with them. One draw back is they have a cancellation fee (about $39 I think). All in all, they have been great for us... it is our only phone now. Upstream requirement is 90kbs. And no, I don't work for them... just a satisfied customer.

Wouldn't you want your VoIP encrypted anyway?

[Kjella]

Seriously. I know most people send postcards (e-mail) and not letters (encrypted e-mail) but wouldn't you at least do a simple public key exchange for VoIP? I feel I have much more privacy in a phone call than I do on an unencrypted Internet chat that is being relayed through a bunch of unknown servers.

Even the simplest of key exchanges would stop any eavesdroppers, and making a man-in-the-middle attack requires so much more work, not to mention being detectable if verified through a secure channel.

That being said, I can understand the law enforcement agencies. It's not like it's the difference between a postcard and an envelope - it's the difference between a postcard and an indestructable envelope. Giving the police special permissions (e.g. to open your letters with a court order) doesn't work well in a world where encryption is in black and white - secure and insecure. Escrow keys and stuff like that to make it work like in the "real world" doesn't work well either.

Personally, I think I'd just write a AES wrapper if I'm busy planning to Take Over The World(tm Pinky & the Brain). Either that or I'll just send some PGP'd blueprints over freenet through a proxy from a webcafe wearing gloves or something ;)

Kjella

Re:Wouldn't you want your VoIP encrypted anyway?

[680x0]

I might be wrong, but I thought VOIP traffic was primarily UDP, not TCP. TCP is used for the call setup and teardown, but the actual stream of voice packets is UDP for speed's sake.

You're partially right. The sound data is indeed carried over UDP, almost always encapsulated by a UDP-based protocol called RTP (Real Time Protocol). RTP can also carry other time-based media like video.

There are 2 mail competing standards for call setup and tear-down:

• SIP - Session Initiation Protocol - Which can be carried atop TCP or UDP (usually UDP, though). Very similar in format to HTTP, actually. A simple protocol to generate and parse, but got a later start.
• H.323 - An ITU standard, which is actually composed of several standards for various parts of the call negotiation:
  • H.225 - Handles placing of calls (modified version of Q.931 (phone company protocol)) and dealing with "gatekeeper" (entity which manages name lookups and bandwidth allocation - via a protocol called RAS).
  • H.245 - Handles negotiation of media encodings. Deals with things like whether the call involves video and/or audio, and which encoding/compression to use for each.
  If I recall correctly, the Q.931 and H.245 use TCP usually, and RAS uses UDP (since gatekeepers are sometimes "discovered" via multicast).

And the RTP standard does mention how to handle encryption, though it doesn't specify an algorithm to use.

Sigh...the only tech needed.

[siasl]

We can give up all our remaining freedoms but the only "tech" a "terrorist" really needs is the commitment to die for their cause. How do you 100% guard against that? I fear for our children's children.

Orwell was wrong.

[the_other_one]

He was completely off by about 19 years.

I'll take terrorism over totalitarianism

[leereyno]

The law enforcement community has been begging for the unrestricted right to spy on the american people for some time now. I don't know about the rest of you, but I'm much more fearful of government agents with gestapo-like powers than I am of deluded wackos from the 3rd world. The intelligence community already spies on the rest of the world, which is where the threat is coming from. That should be enough. If not, then that is what our military is for, to defend the country against our enemies...which are OUT THERE, not HERE. I'd rather have terrorists over to my house for dinner three nights a week than see law enforcement aquire unnecessary powers that are a greater danger to the public than the terrorism they are purported to prevent.

The abundance of those who would trade freedom for the temporary illusion of security are proof positive that 50% of the population is of below average intelligence.

If you're interested...

[GeorgeH]

You too can listen in to VOIP with voice over misconfigured internet telephones or vomit for short. It only works for Cisco IP phones, but I hear that this Cisco company may become a medium to large business in the networking industry.