Slashdot Mirror

← Back to Stories (view on slashdot.org)

U.S. Government Issues Report on VoIP Security Holes

Posted by CowboyNeal on from the good-bad-and-ugly dept.

ranson writes "PC World is reporting on VoIP technology's threat of being manipulated by hackers, through call interception and DoS attacks on users' internet connections. While these threats are nothing new, the article cites an interesting government report on the topic, as well as its author, who believes a VoIP user's best protection is security by obscurity."

9 of 112 comments (clear)

  1. VOIP calls aren't encrypted? by Motherfucking+Shit · · Score: 5, Insightful
    From the article:
    Intercepting Internet traffic is not new. Neither is DoS. But unlike more secure Internet transactions such as your Web connection for online banking, VoIP calls are not encrypted. That makes them susceptible to tapping.
    This amazes me, I can't believe that the calls are floating around in raw audio. Would a little encryption add so much overhead that it would bog down the system? Or is this due to CALEA or other laws?
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    1. Re:VOIP calls aren't encrypted? by IWannaBeAnAC · · Score: 4, Insightful
      If there is no documentation, then it is almost certainly snake oil.

      Anyway, it is hard to imagine the FBI allowing ordinary consumers to have encryption they cannot break on their telephone calls. Moderately easy to break, but obscure, encryption is exactly what they would be looking for. 99% of criminals will be too dumb to break it, and the other 1% are needed to justify the homeland security budget.

    2. Re:VOIP calls aren't encrypted? by CodeBuster · · Score: 4, Insightful

      The Rijndael algorithm, with is now the federal advanced encryption standard (AES), is a fast symmetric block cipher which is both public domain and spreading quickly in use. It would not be difficult for the phones to use a public key scheme such as RSA to exchange a session key for Rijndael. The FBI doesn't waste their time intercepting your network traffic and cracking the encryption by brute force computation. They simply bug the keyboard or the room and recover your key. Why waste time picking a complicated lock when you can easily steal the key?

  2. Damned if you do, damned if you don't by wcitech · · Score: 3, Insightful

    I can find a little bit of humor in the situation... If the government finds that a communications system is insecure, they make reports complaining about it (motivating engineers to secure it). If the government finds that a communications system is too secure, they go to court so they can tap into it. (remember the voip wire-tapping ordeal?)

  3. VOIP nope not for me by Grand+Facade · · Score: 3, Insightful

    I'm not giving up my copper! No way! It is protected by law. And it is more insecure than most any other form of communication. But has a high degree of reliablity. So I'm sticking to it.

    Big buisness is who wants VOIP cause they want to get rid of the expensive telcom infrastructure and gain a higher degree of control.

    --
    Rick B.
  4. woulda been nice to know it was PDF ... by 2TecTom · · Score: 3, Insightful

    ... sigh, here we go again.

    Imagine this, you're far, far away in some distant, lost, Internet cafe. You are deeply in the backwoods of the third world. Your cellular 911, for some reason, isn't working. You see a /. story, with a link to an applicable article. You've just desperately clicked the link to the aforementioned article. Five minutes later, you begin to wonder three different and distinct things.

    1) Is the system locked up?
    2) How much is this going to cost now?
    3) Is that MODEM actually starting to smoke?

    IMHO, PDFs or links, especially unlabelled ones, are less than professional. Please, just say no.

    --
    Words to men, as air to birds.
  5. Gun in a field by deathcloset · · Score: 5, Insightful

    Security through obscurity is one of those strange concepts.

    Imagine every person in the world standing in a gigantic field. In the direct center of everyone is a rifle pointed at the sky.

    When the rifle fires, the bullet will go up and then come down and hit some poor sap. But if one were standing in that crowd one could virtually count one's self out as being crowned that sap.

    Virtually, but not completely.

    That's the problem with security by obscurity. Sure it lowers the chances of being hit. But it's not really security at all.

    Is it?

  6. So what was I supposed to learn? by modemboy · · Score: 3, Insightful

    Ok I didn't read the 99 page report (probably some good info in there) but this PC World article is pointless.
    Ok so they can DOS your network connection and kill your VOIP. Uhhh, if you're being succesfully DOS'ed you've got bigger problems than your VOIP not working.
    Oh and the other horror? They can listen to your calls? As the article points out this is currently trivial with the POTS, and again if someone can succesfully listen in on your full network connection you've got bigger problems than your VOIP not working.
    So why should I be scared again? Sounds like anti-VOIP F.U.D. to me.

  7. We need dedicated boxes by delirium+of+disorder · · Score: 4, Insightful
    As a former phreaker kiddie, http://angelfire.com/linux/the1 I know how trivial it is to "tap" or disable someone's phone with physical access to the outside of their home or the TNI in their neighborhood. This is not a major threat, because someone whould have to directly be targeting your phone to 0wn it...and if you knew people (non-government) were after your phone conversations, you can put a lock on the grey customer access box on your house, and ask your CO to secure your TNI. Perhaps someone could theoretically compromise the CO's switching equiptment, but that required either good social engneering or real leet skills. But your phone is just your phone, nothing else, so attacks are limited.

    VOIP is actually more physically secure then PSTN. You can't just hook a speaker up to a DSL line and hear the conversation on it. The problem is, your computer, and every router between you and your VOIP provider, is a general purpose device. Other people and services have access to it for all kinds of legitimate reasons; each of these provides places where people/programs can input data that can potentially directly effect your voice communications or get privilage escilation on the device and indirectly effect it. ANY security person knows to be wary of input! And think of all the ways of getting input to (and theoretically compromising) a PC. What we need is a dedicated physical console for VOIP (a small linksys network device running OpenBSD or Linux and asterix sounds good). The actual VOIP data should be sent through an SSH tunnel or some kind of VPN.

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.