Slashdot Mirror


U.S. Government Issues Report on VoIP Security Holes

ranson writes "PC World is reporting on VoIP technology's threat of being manipulated by hackers, through call interception and DoS attacks on users' internet connections. While these threats are nothing new, the article cites an interesting government report on the topic, as well as its author, who believes a VoIP user's best protection is security by obscurity."

14 of 112 comments

  1. VOIP calls aren't encrypted? by Motherfucking+Shit · · Score: 5, Insightful
    From the article:
    Intercepting Internet traffic is not new. Neither is DoS. But unlike more secure Internet transactions such as your Web connection for online banking, VoIP calls are not encrypted. That makes them susceptible to tapping.
    This amazes me, I can't believe that the calls are floating around in raw audio. Would a little encryption add so much overhead that it would bog down the system? Or is this due to CALEA or other laws?
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    1. Re:VOIP calls aren't encrypted? by IWannaBeAnAC · · Score: 4, Insightful
      If there is no documentation, then it is almost certainly snake oil.

      Anyway, it is hard to imagine the FBI allowing ordinary consumers to have encryption they cannot break on their telephone calls. Moderately easy to break, but obscure, encryption is exactly what they would be looking for. 99% of criminals will be too dumb to break it, and the other 1% are needed to justify the homeland security budget.

    2. Re:VOIP calls aren't encrypted? by CodeBuster · · Score: 4, Insightful

      The Rijndael algorithm, which is now the federal advanced encryption standard (AES), is a fast symmetric block cipher which is both public domain and spreading quickly in use. It would not be difficult for the phones to use a public key scheme such as RSA to exchange a session key for Rijndael. The FBI doesn't waste their time intercepting your network traffic and cracking the encryption by brute force computation. They simply bug the keyboard or the room and recover your key. Why waste time picking a complicated lock when you can easily steal the key?

  2. Damned if you do, damned if you don't by wcitech · · Score: 3, Insightful

    I can find a little bit of humor in the situation... If the government finds that a communications system is insecure, they make reports complaining about it (motivating engineers to secure it). If the government finds that a communications system is too secure, they go to court so they can tap into it. (remember the voip wire-tapping ordeal?)

  3. VOIP nope not for me by Grand+Facade · · Score: 3, Insightful

    I'm not giving up my copper! No way! It is protected by law. And it is more insecure than most any other form of communication. But has a high degree of reliability. So I'm sticking to it.

    Big business is who wants VOIP cause they want to get rid of the expensive telcom infrastructure and gain a higher degree of control.

    --
    Rick B.
    1. Re:VOIP nope not for me by IANAAC · · Score: 2, Insightful
      I'm not giving up my copper! No way! It is protected by law.

      Give it time. VoIP will become every bit as protected. There's already too much money flowing in the biz to let it go by the wayside now.

      What I think WILL happen is a mass consolidation of most of the current small VoIP companies. Then, of course, prices will rise.

  4. woulda been nice to know it was PDF ... by 2TecTom · · Score: 3, Insightful

    ... sigh, here we go again.

    Imagine this, you're far, far away in some distant, lost, Internet cafe. You are deeply in the backwoods of the third world. Your cellular 911, for some reason, isn't working. You see a /. story, with a link to an applicable article. You've just desperately clicked the link to the aforementioned article. Five minutes later, you begin to wonder three different and distinct things.

    1) Is the system locked up?
    2) How much is this going to cost now?
    3) Is that MODEM actually starting to smoke?

    IMHO, PDFs or links, especially unlabelled ones, are less than professional. Please, just say no.

    --
    Words to men, as air to birds.
  5. Gun in a field by deathcloset · · Score: 5, Insightful

    Security through obscurity is one of those strange concepts.

    Imagine every person in the world standing in a gigantic field. In the direct center of everyone is a rifle pointed at the sky.

    When the rifle fires, the bullet will go up and then come down and hit some poor sap. But if one were standing in that crowd one could virtually count one's self out as being crowned that sap.

    Virtually, but not completely.

    That's the problem with security by obscurity. Sure it lowers the chances of being hit. But it's not really security at all.

    Is it?

    1. Re:Gun in a field by MoralHazard · · Score: 2, Insightful

      This is a great explanation, and ought to be modded up. I guess you would call it a kind of collective action problem.

      Each individual looks at the situation and determines that their own costs are very, very low--while getting hacked/shot is annoying, the odds of it happening are pretty outside. Taking the "cost" as being the actual cost of an incident times the likelihood of an incident, and you get a pretty low number.

      But considering the same question from a group point-of-view, it's not a question of weighted risks, so much--we know that SOMEone in the group will get hit/hacked, probably several if we're talking about hacking. So you determine the total societal "cost" as the cost per incident times the number of incidents that will likely occur.

      It's not really possible to rationally do risk-assessment in the first situation, because the minute individual cost to me is so low that it's basically noise. But at a group level, it IS possible to weigh the total cost of our collective behavior against alternatives.

      I'm not saying that increasing security measures will always be a good idea, here, though--the cost of additional security might be greater than the losses of the status quo, in which case it would make more sense to leave things alone. But at least you can make an informed decision.

      I'm also not taking a socialist, collectivist tack, here. There's a lot of room for market-based solutions that use this kind of thinking: Symantec sees millions of individual malware sufferers and provides a product that helps decrease the damage--they market and advertise and push the product to customers like us, adjusting our behavior to something better.

  6. So what was I supposed to learn? by modemboy · · Score: 3, Insightful

    Ok I didn't read the 99 page report (probably some good info in there) but this PC World article is pointless.
    Ok so they can DOS your network connection and kill your VOIP. Uhhh, if you're being successfully DOS'ed you've got bigger problems than your VOIP not working.
    Oh and the other horror? They can listen to your calls? As the article points out this is currently trivial with the POTS, and again if someone can successfully listen in on your full network connection you've got bigger problems than your VOIP not working.
    So why should I be scared again? Sounds like anti-VOIP F.U.D. to me.

  7. We need dedicated boxes by delirium+of+disorder · · Score: 4, Insightful
    As a former phreaker kiddie, http://angelfire.com/linux/the1 I know how trivial it is to "tap" or disable someone's phone with physical access to the outside of their home or the TNI in their neighborhood. This is not a major threat, because someone would have to directly be targeting your phone to 0wn it...and if you knew people (non-government) were after your phone conversations, you can put a lock on the grey customer access box on your house, and ask your CO to secure your TNI. Perhaps someone could theoretically compromise the CO's switching equipment, but that required either good social engineering or real leet skills. But your phone is just your phone, nothing else, so attacks are limited.

    VOIP is actually more physically secure than PSTN. You can't just hook a speaker up to a DSL line and hear the conversation on it. The problem is, your computer, and every router between you and your VOIP provider, is a general purpose device. Other people and services have access to it for all kinds of legitimate reasons; each of these provides places where people/programs can input data that can potentially directly affect your voice communications or get privilege escalation on the device and indirectly affect it. ANY security person knows to be wary of input! And think of all the ways of getting input to (and theoretically compromising) a PC. What we need is a dedicated physical console for VOIP (a small linksys network device running OpenBSD or Linux and Asterisk sounds good). The actual VOIP data should be sent through an SSH tunnel or some kind of VPN.

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
  8. Ain't No Magic, here. by iritant · · Score: 2, Insightful

    This report says absolutely nothing new. If you're going to take VoIP seriously, you need to recognize the application's needs. In this case, some amount of QoS is important, particularly at congestion points such as the last hop to the consumer. You also need to recognize that like any other application on the Internet DDOS is a possibility. Ain't no different.

    On the other hand, IPv6 will solve all our problems, right? ;-)

  9. Re:Obscurity by unixfan · · Score: 2, Insightful

    In the security field, obscurity is not at all considered secure.

  10. The government has a good reason to say this... by i_want_you_to_throw_ · · Score: 2, Insightful

    Sending your calls over VoIP is more difficult to tap. Wiretaps grew by 19% last year and not a one was turned down.

    VoIP is much tougher to tap by comparison. Remember kids, "Terrorism" is the new "Communism"(tm)