Slashdot Mirror
Is Security Holding VoIP Back?
phoneboy writes "Voxilla is running a piece I wrote on security issues present in Voice over IP. While an increasing number of people are ditching their ILEC in favor of using Voice over IP from companies like Vonage, VoicePulse, Packet8, and Broadvox Direct, there are a number of potential security issues to be aware of. Is VoIP secure enough to replace the PSTN as we know it?"
First and this one goes for cell phones too.
With most voip app's they just shutoff the microphone when the person isn't talking. This produces an weird silence. Cell phones have to do the same thing to conserver power but what they do is, Place confort noise. This keeps the person thinking that the call is still going. (This is what really turns me off about VOIP)
Another beef I have with voip.. NOthing seems to be standerdised. One voip app does not work with another.
I just think its not the correct way of going about creating a network that is designed to be directly connected. The network that pstn is based on has a niche. Where else are you doing to get a virtual connection without having to bury your own lines to every office. (forgot the terms at moment)
It's extremly hard to talk to someone when A. You have a delay. B. You have missing packets that interupt the signal, Thus you get dropouts.
Now I do like voip in games.. That confort noise I was talking about, Is now takin over by the sound the game makes, and so the silence inbetween isn't so weird.
I have heard about sprint doing voip networks with their own network to get around the ping/packetloss/QOS that is not a garantee on public networks. But I view it as if They want to have a packet based voice network they need to design it from the groundup to just work instead of just layering it ontop of IP. They then need to submit this to the standerd association, So that phone companys don't have to convert/recompress and signal with eath in and out on the network. Otherwords a more lossless operation.
Well thats my beef.
So which way are we headed?
It's quite ironic that the internet spread as rapidly as it did because people were able to use internet over dialup, and today, the discussion is about how to replace the existing PSTN architecture with VoIP.
However, I think sooner, or later, people will make ALL there phone calls using internet enabled mobile phones. So what protocol are they going to use? Or is it going to be a mix of protocols, say, if a Canadian were to talk to a friend in Australia?
Nothing to see here
I agree. I also think the cost of POTS is still pretty cheap, especially so with today's low LD rates. Example: I live in Oklahoma and it's costs me $0.08/minute to talk to my in-laws in Beijing and $0.07/minute to talk to my sister in Minneapolis. Go figure.
There has to be a real economic incentive to a household or company to roll out new systems to implement VoIP. It ain't here yet, but it'll come.
-----------------
And now, for something completely off-topic:
As of 10:57:22 PST, the last contender(The Golem Group) went to status Disabled.
A total of 28 miles were collectively traversed, with no participants getting past the 7 mile mark.
Thank you all for participating; we hope to see you all back here in 2006 for another try.
The 2006 event should be a real treat as we'll have clowns, jugglers and dancing girls. We'll also be introducing a new competing class called "Autonomous Disabled Autonomous Vehicle Tranport." The race for this class will begin 1 hour after the start of the main competion.
Well, you can't send an html email to a phone that tricks the user to click a link that installs a trojan that records all your phone calls and uploads them to an IRC chat room at midnight, all without leaving your parents basement. So even though there is no security on current phones, it takes a bit more effort to listen in on their calls. The minimal physical ability required to climb the phone poll rules out most chee-toe eating script kiddies from tapping your phone line.
You try getting a trunk that has SS7. Oh wait you can't.
You say that you the pstn is insecure.. Have you tried lately to 'hack' into one, well besides being able to listen to whats on a analog line. Tell me how a cellphone is insecure (They have encryption and cdma is pretty secure by itself.), or how a isdn line is insecure.. Those are circuit based networks. (well cellphones are a hybrid)
Tell me how would you go about overhearing a circuit in this circuit based network? You can't. The fbi can, But that hardly makes it insecure. Circuit based networks by their very nature are actually highly secure networks. The only person you really have to worry about is the one in control of the line, if you dont' trust them you go with someone else and use encryption..
Now packet based networks are the ones you really should be worried about. Anyone that is on your network segment can sniff your packets. Now if they are encrypted or not is really kinda beside the point.
The modern ptsn network has out of band signaling (ss7) So you can't do alot of the attacks that the old phone networks were vurnable to. LIke playing your own tones (inband signaling.) So tell me again why a circuit based network out of band signaling is insecure?. (oh you can't get into the out of band signalling other then to dial and thats with isdn which uses isup for its out of band. Which is really limited and firewalled {for lack of a better term at the moment} the switch)
Spend some time using VOIP and you'll want to poke yourself in the eye. And that's on an internal network with QoS. You can put up with a delay on your mail, web, ftp, etc, or even jitter on video, but when audio starts to fart and burp, you'll go mad (MAD I SAY).
And with the cost of long distance nowadays, why would you want to drive the cost of your Internet access up by overloading the network with traffic that is doing perfectly well on it's current medium? I guess it comes back to the question of 'What are you trying to fix anyway?'
-- I care not for your foolish signatures.
It bugs me that the vast majority of cordless phones for sale and purchased are unencrypted mini-radios.
Digital Spread Spectrum phones provide a reasonable amount of security, certainly orders of magnitude better than 'regular' cordless phones. DSS phones have been around for years, but for the sake of a few bucks and a lack of product knowledge, way too many people buy the $49.99 special at Walmart.
One of these day's I should buy or modify something to pickup analog signals so that I can scare/shock my friends/relatives/customers into buying better phones...
Well, the problem is a bit more difficult than that. IPSec can be used with VoIP, but it isn't particularly efficient. There are special IPSec for VoIP specifications, so the problem isn't encryption, but the lack of certificates. Public key encryption is always vulnerable to man-in-the-middle attacks, be it SSH or SSL web traffic.
I'm guessing this might hold VoIP back for a little while, but when VoIP will be deployed large-scale, we will for sure see people having personal certificates. Right now, a real non-test certificate from verisign for a company web server costs 895 $ but I could see the prices going down for personal certificates, when markets for those would start to appear.
Or then there's the Finnish model, where you can get an electronic ID just like you can get a regular ID from the government. The electronic ID is the regular plastic ID card with a smart card chip. You get two certificates from the government-operated CA. All this for the measley price of 40 euros. This would be a viable choice for private persons too.
There is also a SIM card version (a WIM card) designed that will come out in the future.