Slashdot Mirror

← Back to Stories (view on slashdot.org)

U.S. Government Issues Report on VoIP Security Holes

Posted by CowboyNeal on from the good-bad-and-ugly dept.

ranson writes "PC World is reporting on VoIP technology's threat of being manipulated by hackers, through call interception and DoS attacks on users' internet connections. While these threats are nothing new, the article cites an interesting government report on the topic, as well as its author, who believes a VoIP user's best protection is security by obscurity."

36 of 112 comments (clear)

  1. VOIP calls aren't encrypted? by Motherfucking+Shit · · Score: 5, Insightful
    From the article:
    Intercepting Internet traffic is not new. Neither is DoS. But unlike more secure Internet transactions such as your Web connection for online banking, VoIP calls are not encrypted. That makes them susceptible to tapping.
    This amazes me, I can't believe that the calls are floating around in raw audio. Would a little encryption add so much overhead that it would bog down the system? Or is this due to CALEA or other laws?
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    1. Re:VOIP calls aren't encrypted? by Spetiam · · Score: 4, Informative

      Skype says its calls are encrypted.

      The calls... are highly secure with end-to-end encryption.

      Whether their scheme is snake oil or for real, I don't know, as I can't find any documentation on it, much less source code.

    2. Re:VOIP calls aren't encrypted? by Bananatree3 · · Score: 4, Informative
      According to Skype's FAQ, all of their VoIP calls are encrypted:

      Calls between Skype software users (PC-to-PC calls) are secure and encrypted. Calls to standard telephone or mobile numbers are encrypted until they reach public switched telephone network. Note that in a conference call where one participant is a PSTN (regular telephone or mobile phone) number/phone number, the padlock icon will not appear indicating that the call is not encrypted.

    3. Re:VOIP calls aren't encrypted? by MikeSingee · · Score: 2, Interesting

      That is a very good point, also we may want to consider the implications for the patriot act. Would this fall under the internet guidelines, or the phone guidelines, or neither?

    4. Re:VOIP calls aren't encrypted? by Anonymous Coward · · Score: 3, Interesting

      The fact that you know what calea is, says that you already know more than you are letting on. Yes, the average /.er knows about the patriot act, but few know about calea.

      But for the record, calea has nothing to do with VOIP/SIP being encrypted or not. It was more about keeping it simple. Then you are free to add encryption at a lower layer. Much easier to add encryption just prior to the net.

    5. Re:VOIP calls aren't encrypted? by IWannaBeAnAC · · Score: 4, Insightful
      If there is no documentation, then it is almost certainly snake oil.

      Anyway, it is hard to imagine the FBI allowing ordinary consumers to have encryption they cannot break on their telephone calls. Moderately easy to break, but obscure, encryption is exactly what they would be looking for. 99% of criminals will be too dumb to break it, and the other 1% are needed to justify the homeland security budget.

    6. Re:VOIP calls aren't encrypted? by cduffy · · Score: 2, Informative

      There are standards for running encryption on top of SIP (see SRTP), but almost nobody implements them. Much more common is to avoid running SIP on the open Internet -- my company uses SIP for VoIP, but we only run it within a closed LAN or tunneled through OpenVPN.

    7. Re:VOIP calls aren't encrypted? by CodeBuster · · Score: 4, Insightful

      The Rijndael algorithm, with is now the federal advanced encryption standard (AES), is a fast symmetric block cipher which is both public domain and spreading quickly in use. It would not be difficult for the phones to use a public key scheme such as RSA to exchange a session key for Rijndael. The FBI doesn't waste their time intercepting your network traffic and cracking the encryption by brute force computation. They simply bug the keyboard or the room and recover your key. Why waste time picking a complicated lock when you can easily steal the key?

    8. Re:VOIP calls aren't encrypted? by Talennor · · Score: 5, Informative

      CALEA says:

      "ENCRYPTION- A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."

      Which in my first glance at this means that VoIP can be encrypted, though if the carrier handles too much of the private key generation, which would be necessary for any non-technical user, the carrier must keep the key for law enforcement use. (I'm thinking that a standalone VoIP phone would need a factory generated key on EEPROM, though software VoIP could use your average PC to generate a key itself.) But then again I'm not even sure if this applies to VoIP since this isn't exactly a service I'm currently familiar with. I'll note though that this is the only place "encryption" came up in a search of the law itself, so there's not much more to look at than the above quote. However, what the FBI and FCC have done in regulations may be a totally different matter. Can anyone clear this up more or is it just a regulatory mess?

      --

      //TODO: signature
    9. Re:VOIP calls aren't encrypted? by Anonymous Coward · · Score: 5, Informative

      Any system which hides key management completely is snake oil, to a certain extent. Encryption without authentication is useless, and the best authentication you can get with completely hidden key management is that an attacker has to be in the middle from the start and all the time to be undetectable. Better than nothing, but not really secure either. The achievable level is about the same as an SSH account where you never check if the server fingerprint is OK.

    10. Re:VOIP calls aren't encrypted? by CodeBuster · · Score: 2, Interesting

      They bug the room for audio conversations that you have when you use your IP phone. You do speak when you have a phone conversation don't you? Perhaps you are deaf and use the keyboard or teletype terminal instead. In either case a bug of the appropriate type can be used to either eavesdrop on the audio conversation or intercept the keystrokes. The point was that physical access to your hardware, which the FBI can almost certainly arrange, trumps transmission security arrangements such as encryption.

    11. Re:VOIP calls aren't encrypted? by sd_spot · · Score: 3, Interesting

      Ain't this grand?

      6-8 weeks ago I exchanged email with Vonage on this very subject. What security protocols do they follow for protecting signaling/bearer traffic? big black hole getting meaningful information - but was _assured_ they used 256 bit encryption with a xx bit nonce. Now I read a Vonage representative is asserting they do not perform encryption? Somebody was not telling the truth.

      Regarding CALEA: when you make a phone call (UMTS,GSM,VoIP- doesn't matter), your connection is routed via a switch. Between your phone and the switch is where encryption, if used, is applied. Once your traffic reaches the switch edge, it is decrypted. Afer it is decrypted and in the switch is where CALEA gets it's hands on it. The traffic is then (depending on the destination leg), encrypted using that leg's session key.

      As for why Vonage (and except for Skype - maybe others) are not following basic principles for information assurance? I'd say cost. Nobody is screaming for it and they aren't losing sales. Maybe that will change. I really don't think the processing burden could be so great - look at GSM and UMTS. Both are spec'd to do originating/terminating leg encryption.

      What I find the most irritating about all this is the canard about a guy with alligator clips tapping my line. Other than breaking into a phone company box - the only place to tap that line (except lawfully in the switch) is at the edge of my house (something I would not react favorably to). But, tapping a VoIP session on a cable-modem local loop (say, by my neighbor) is far less obvious. Maybe more difficult - but more covert. Would it be so difficult to build a protocol analyzer that looks for 1-800 #'s corresponding to phone-order sales and only record those calls?

      I'm glad to seee this getting attention. I will admit, if it wasn't for security concerns, I'd have left my POTS by now.

      sd_spot

      --
      Tell me what you know, tell me what you don't know - but never tell me you know what you don't know
  2. Discussed on the Vonage VoIP Forum by kamikaze-Tech · · Score: 5, Informative

    This has been discussed at great lengths on the Vonage VoIP Forum here: http://www.vonage-forum.com/ftopic5604.html and also here: http://www.vonage-forum.com/ftopic3422.html

  3. 99 Pages, and a bitch aint one by MikeSingee · · Score: 4, Funny

    Chances of slashdoters reading that 99 page government report are about the same as VoIP being secure.

  4. stop the presses! by to_kallon · · Score: 3, Funny

    "As VoIP is rolled out en masse, we're going to see an increased number of subscribers and also an increased number of attackers," says David Endler, chairman of the VoIP Security Alliance

    it's easy to see he's an expert. i mean, who else could come up with such an idea? the very premise of it is far-fetched to the point of hillarity. to think that as a product becomes more widely used it is targeted by a larger population...craziness.

    --


    The only way to get rid of a temptation is to yield to it.
    -Oscar Wilde
  5. Damned if you do, damned if you don't by wcitech · · Score: 3, Insightful

    I can find a little bit of humor in the situation... If the government finds that a communications system is insecure, they make reports complaining about it (motivating engineers to secure it). If the government finds that a communications system is too secure, they go to court so they can tap into it. (remember the voip wire-tapping ordeal?)

  6. VOIP nope not for me by Grand+Facade · · Score: 3, Insightful

    I'm not giving up my copper! No way! It is protected by law. And it is more insecure than most any other form of communication. But has a high degree of reliablity. So I'm sticking to it.

    Big buisness is who wants VOIP cause they want to get rid of the expensive telcom infrastructure and gain a higher degree of control.

    --
    Rick B.
    1. Re:VOIP nope not for me by IANAAC · · Score: 2, Insightful
      I'm not giving up my copper! No way! It is protected by law.

      Give it time. VoIP will become every bit as protected. There's already too much money flowing in the biz to let it go by the wayside now.

      What I think WILL happen is a mass consolidation of most of the current small VoIP companies. Then, of course, prices will rise.

    2. Re:VOIP nope not for me by Lumpy · · Score: 2, Interesting

      feel free to keep your copper.

      I have switched to VoIP and have 1 copper line incoming for only failover during power outages.

      VoIP, at least from a decent provider can be awesome as soon as you plop an Asterisk box in front of it. ( the crappy providers will not let you use Asterisk so be sure to ask before you buy)

      This gives me services that no phone company on the planet can offer. my phones do not ring after 10pm unless the callerID matches a number in the important list. telemarketers never get through even the ones that are being legal and not blocking. they all get routed to a special message that start's with the three tone disconnected sound, then a special 'hello........ hello ..... I'm sorry we do not accept telemarketing calls....bla bla bla..."

      This works unbelieveably great. I get a predictable phone bill that is less than 20 bucks a month with all the long distance I want to call I am not being extorted for caller-id touchtone dialing or other "features" that certianly should be included. and reliability has been excellent. My provider (Broadvoice) allows 4 channels running from the same gear so if I'm taking to Grandma in California my daughter can be talking to her friends here in a conference call and we can still get an incoming call.

      all for less than the absolute lowest service plan that charges me $0.06 every time I pick up the phone line on the copper.

      I am so enamored with VoIP that I will be buying a second line from my provider soon.

      the problem is that the story talks about things that will remove the ability for me to use Asterisk as my Voip gear.

      and that will be a major step backwards.

      --
      Do not look at laser with remaining good eye.
  7. woulda been nice to know it was PDF ... by 2TecTom · · Score: 3, Insightful

    ... sigh, here we go again.

    Imagine this, you're far, far away in some distant, lost, Internet cafe. You are deeply in the backwoods of the third world. Your cellular 911, for some reason, isn't working. You see a /. story, with a link to an applicable article. You've just desperately clicked the link to the aforementioned article. Five minutes later, you begin to wonder three different and distinct things.

    1) Is the system locked up?
    2) How much is this going to cost now?
    3) Is that MODEM actually starting to smoke?

    IMHO, PDFs or links, especially unlabelled ones, are less than professional. Please, just say no.

    --
    Words to men, as air to birds.
    1. Re:woulda been nice to know it was PDF ... by timboc007 · · Score: 2, Informative

      I would highly recommend Firefox plugin/extension TargetAlert. This extension places a small icon next to links to indicate the type of link it is, including a small PDF icon for PDF files, a Word icon for Word files etc.

      I knew it was a PDF link :-)

    2. Re:woulda been nice to know it was PDF ... by corpsiclex · · Score: 2, Funny

      ...Because when I'm lost in the backwoods of the third world and 911 doesn't seem to work, my next move is always to check slashdot for a relevant article.

      --

      eBayDig 1s a typo saerch engien
  8. Gun in a field by deathcloset · · Score: 5, Insightful

    Security through obscurity is one of those strange concepts.

    Imagine every person in the world standing in a gigantic field. In the direct center of everyone is a rifle pointed at the sky.

    When the rifle fires, the bullet will go up and then come down and hit some poor sap. But if one were standing in that crowd one could virtually count one's self out as being crowned that sap.

    Virtually, but not completely.

    That's the problem with security by obscurity. Sure it lowers the chances of being hit. But it's not really security at all.

    Is it?

    1. Re:Gun in a field by MoralHazard · · Score: 2, Insightful

      This is a great explanation, and ought to be modded up. I guess you would call it a kind of collective action problem.

      Each individual looks at the situation and determines that their own costs are very, very low--while getting hacked/shot is annoying, the odds of it happening a pretty outside. Taking the "cost" as being the actual cost of an incident times the likelihood of an incident, and you get a pretty low number.

      But considering the same question from a group point-of-view, it's not a question of weighted risks, so much--we know that SOMEone in the group will get hit/hacked, probably several if we're talking about hacking. So you determine the total societal "cost" as the cost per incident times the number of incidents that will likely occur.

      It's not really possible to rationally do risk-assessment in the first situation, because the minute individual cost to me is so low that it's basically noise. But at a group level, it IS possible to weigh the total cost of our collective behavior against alternatives.

      I'm not saying that increasing security measures will always be a good idea, here, though--the cost of additional security might be greater than the losses of the status quo, in which case it would make more sense to leave things alone. But at least you can make an informed decision.

      I'm also not taking a socialist, collectivist tack, here. There's a lot of room for market-based solutions that use this kind of thinking: Symantec sees millions of individual malware sufferers and provides a product that helps decrease the damage--they market and advertise and push the product to customers like us, adjusting our behavior to something better.

    2. Re:Gun in a field by Creepy+Crawler · · Score: 3, Interesting

      Ok, we have "security by obscurity".

      Erm, isnt our current knowledge of encryption technology based much on secret numbers? Well, it is 1 in 2^128 or 2^256 or some huge number, but is this teh similar analogy you use?

      Well, first off security CAN be improved, but it uses the same techniques I use for software protections.

      There should be no meta-data telling what encrypted the data, what encryption schemes, or whatever to even start off. You should consider these to be the first 'shared secrets'. This has a side benefit as when a 3'rd party attempts to decrypt it, it just gives garbage in which SOMETHING has to interpet. It should not be as simple as "GPG v3.2 Diffie-Helman 4096 bit key" does not match .

      Next off, all decrption attempts should go through. What would you rather do: scan the encrypted files for headers in which to try dictionaries OR be forced to try all types of encryption to try to guess which one does what (if you can).

      The next, for network security, is 'knock knock' scripts. Whats safer: login/passwd prompt on ssh OR 10 timed packets aimed at different ports (that change on time of day) that then proceeds to open ssh until disconnect?

      I know what I'd choose if it was my security depended on hiding, firewalling THEN login/passwords.

      The whole point is OBFUSCATION is a valid security mechanism, not that is the end-all be-all or anything, but it does have its places.

      --
  9. How to Decrease PDF Load Time by AceViper · · Score: 3, Informative

    You can drastically speed up PDF load times if you disable all the unneeded plugins:

    1. Install Adobe Reader 6.0 and notice where it is installed.
    2. Navigate to that folder in Explorer, locate the plug_ins subfolder and rename this folder to plug_ins_disabled.
    3. Create a new plug_ins folder.
    4. Move the files EWH32.api, printme.api and search.api from plug_ins_disabled to plug_ins.

    From http://www.mozilla.org/support/firefox/faq#acrobat

  10. So what was I supposed to learn? by modemboy · · Score: 3, Insightful

    Ok I didn't read the 99 page report (probably some good info in there) but this PC World article is pointless.
    Ok so they can DOS your network connection and kill your VOIP. Uhhh, if you're being succesfully DOS'ed you've got bigger problems than your VOIP not working.
    Oh and the other horror? They can listen to your calls? As the article points out this is currently trivial with the POTS, and again if someone can succesfully listen in on your full network connection you've got bigger problems than your VOIP not working.
    So why should I be scared again? Sounds like anti-VOIP F.U.D. to me.

  11. My VoIP calls are secure. by raehl · · Score: 3, Funny

    Iay cryptenay ithway igpay atinlay.

    --
    paintball
  12. Bah! by cduffy · · Score: 2, Informative

    Yes, it has encryption -- but it's a closed, proprietary solution that's virtually impossible to integrate with anything else.

    Convincing all the SIP implementations to support SRTP is the Right Thing as a long-term solution -- heck, just implementing SRTP support for Asterisk would be a big improvement. As an immediate-term solution (particularly for companies using VoIP to connect with remote users or branch offices), running over a VPN (particularly with IAX trunking if you're connecting branch offices, such as to reduce the number of packets sent and so the damage done by per-packet VPN overhead) works well too.

  13. FUD from government by guardiangod · · Score: 2, Funny

    Since the government can't crack/control it, they release FUD to discourage the public from using the system.

    In this world only the paranoid survive.

  14. We need dedicated boxes by delirium+of+disorder · · Score: 4, Insightful
    As a former phreaker kiddie, http://angelfire.com/linux/the1 I know how trivial it is to "tap" or disable someone's phone with physical access to the outside of their home or the TNI in their neighborhood. This is not a major threat, because someone whould have to directly be targeting your phone to 0wn it...and if you knew people (non-government) were after your phone conversations, you can put a lock on the grey customer access box on your house, and ask your CO to secure your TNI. Perhaps someone could theoretically compromise the CO's switching equiptment, but that required either good social engneering or real leet skills. But your phone is just your phone, nothing else, so attacks are limited.

    VOIP is actually more physically secure then PSTN. You can't just hook a speaker up to a DSL line and hear the conversation on it. The problem is, your computer, and every router between you and your VOIP provider, is a general purpose device. Other people and services have access to it for all kinds of legitimate reasons; each of these provides places where people/programs can input data that can potentially directly effect your voice communications or get privilage escilation on the device and indirectly effect it. ANY security person knows to be wary of input! And think of all the ways of getting input to (and theoretically compromising) a PC. What we need is a dedicated physical console for VOIP (a small linksys network device running OpenBSD or Linux and asterix sounds good). The actual VOIP data should be sent through an SSH tunnel or some kind of VPN.

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
  15. Latency issues?! by grahamsz · · Score: 2, Informative

    i figured you'd be able to get a stream cipher in there without adding more than a couple of milliseconds.

    I'd imagine stream compression would be a harder problem than stream encryption.

    Of course you've still got to do some sort of shared key or PK exchange, but that's call setup latency so it's no big deal.

  16. Ain't No Magic, here. by iritant · · Score: 2, Insightful

    This report says absolutely nothing new. If you're going to take VoIP seriously, you need to recognize the application's needs. In this case, some amount of QoS is important, particularly at conjestion points such as the last hop to the consumer. You also need to recognize that like any other application on the Internet DDOS is a possibility. Ain't no different.

    On the other hand, IPv6 will solve all our problems, right? ;-)

  17. Re:Obscurity by unixfan · · Score: 2, Insightful

    In the security field, obscurity is not at all considered secure.

  18. The big problem with VOIP by prisoner · · Score: 3, Funny

    isn't the security. Phone calls haven't been secure since shortly after the first one was made. No, the problem with VOIP is working with the fucking idiot phone vendors who do not understand what they are trying to do. I've gotten several calls from local phone guys who don't understand networking in the least and insist that they've assigned proper IP's to the phones at two seperate locations but they won't talk so it is my network problem. They then inform the customer that the problem is with the network and walk off. The phone at location #1 had an IP of 192.168.39.3 and the phone at location #2 192.168.40.5. No VPN between them. They were trying to route the traffic out over the internet connection.

    These dipshits sell the customer on thsese solutions and then when it doesn't work (routing probs or dropouts from no QOS) they call us in to sell the customer a couple thousand dollars worth of services and hardware to sell the problem. I don't mind the business but working with a customer who is on the brink of becoming an axe murderer isn't pleasant.

  19. The government has a good reason to say this... by i_want_you_to_throw_ · · Score: 2, Insightful

    Sending your calls over VoIP is more difficult to tap. Wiretaps grew by 19% last year (pops new window) and not a one was turned down.

    VoIP is much tougher to tap by comparison. Remember kids, "Terrorism" is the new "Communism"(tm)