Slashdot Mirror

← Back to Stories (view on slashdot.org)

U.S. Government Issues Report on VoIP Security Holes

Posted by CowboyNeal on from the good-bad-and-ugly dept.

ranson writes "PC World is reporting on VoIP technology's threat of being manipulated by hackers, through call interception and DoS attacks on users' internet connections. While these threats are nothing new, the article cites an interesting government report on the topic, as well as its author, who believes a VoIP user's best protection is security by obscurity."

5 of 112 comments (clear)

  1. Discussed on the Vonage VoIP Forum by kamikaze-Tech · · Score: 5, Informative

    This has been discussed at great lengths on the Vonage VoIP Forum here: http://www.vonage-forum.com/ftopic5604.html and also here: http://www.vonage-forum.com/ftopic3422.html

  2. Re:VOIP calls aren't encrypted? by Spetiam · · Score: 4, Informative

    Skype says its calls are encrypted.

    The calls... are highly secure with end-to-end encryption.

    Whether their scheme is snake oil or for real, I don't know, as I can't find any documentation on it, much less source code.

  3. Re:VOIP calls aren't encrypted? by Bananatree3 · · Score: 4, Informative
    According to Skype's FAQ, all of their VoIP calls are encrypted:

    Calls between Skype software users (PC-to-PC calls) are secure and encrypted. Calls to standard telephone or mobile numbers are encrypted until they reach public switched telephone network. Note that in a conference call where one participant is a PSTN (regular telephone or mobile phone) number/phone number, the padlock icon will not appear indicating that the call is not encrypted.

  4. Re:VOIP calls aren't encrypted? by Talennor · · Score: 5, Informative

    CALEA says:

    "ENCRYPTION- A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."

    Which in my first glance at this means that VoIP can be encrypted, though if the carrier handles too much of the private key generation, which would be necessary for any non-technical user, the carrier must keep the key for law enforcement use. (I'm thinking that a standalone VoIP phone would need a factory generated key on EEPROM, though software VoIP could use your average PC to generate a key itself.) But then again I'm not even sure if this applies to VoIP since this isn't exactly a service I'm currently familiar with. I'll note though that this is the only place "encryption" came up in a search of the law itself, so there's not much more to look at than the above quote. However, what the FBI and FCC have done in regulations may be a totally different matter. Can anyone clear this up more or is it just a regulatory mess?

    --

    //TODO: signature
  5. Re:VOIP calls aren't encrypted? by Anonymous Coward · · Score: 5, Informative

    Any system which hides key management completely is snake oil, to a certain extent. Encryption without authentication is useless, and the best authentication you can get with completely hidden key management is that an attacker has to be in the middle from the start and all the time to be undetectable. Better than nothing, but not really secure either. The achievable level is about the same as an SSH account where you never check if the server fingerprint is OK.