Slashdot Mirror

← Back to Stories (view on slashdot.org)

U.S. Government Issues Report on VoIP Security Holes

Posted by CowboyNeal on from the good-bad-and-ugly dept.

ranson writes "PC World is reporting on VoIP technology's threat of being manipulated by hackers, through call interception and DoS attacks on users' internet connections. While these threats are nothing new, the article cites an interesting government report on the topic, as well as its author, who believes a VoIP user's best protection is security by obscurity."

22 of 112 comments (clear)

  1. VOIP calls aren't encrypted? by Motherfucking+Shit · · Score: 5, Insightful
    From the article:
    Intercepting Internet traffic is not new. Neither is DoS. But unlike more secure Internet transactions such as your Web connection for online banking, VoIP calls are not encrypted. That makes them susceptible to tapping.
    This amazes me, I can't believe that the calls are floating around in raw audio. Would a little encryption add so much overhead that it would bog down the system? Or is this due to CALEA or other laws?
    --
    "BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
    1. Re:VOIP calls aren't encrypted? by Spetiam · · Score: 4, Informative

      Skype says its calls are encrypted.

      The calls... are highly secure with end-to-end encryption.

      Whether their scheme is snake oil or for real, I don't know, as I can't find any documentation on it, much less source code.

    2. Re:VOIP calls aren't encrypted? by Bananatree3 · · Score: 4, Informative
      According to Skype's FAQ, all of their VoIP calls are encrypted:

      Calls between Skype software users (PC-to-PC calls) are secure and encrypted. Calls to standard telephone or mobile numbers are encrypted until they reach public switched telephone network. Note that in a conference call where one participant is a PSTN (regular telephone or mobile phone) number/phone number, the padlock icon will not appear indicating that the call is not encrypted.

    3. Re:VOIP calls aren't encrypted? by Anonymous Coward · · Score: 3, Interesting

      The fact that you know what calea is, says that you already know more than you are letting on. Yes, the average /.er knows about the patriot act, but few know about calea.

      But for the record, calea has nothing to do with VOIP/SIP being encrypted or not. It was more about keeping it simple. Then you are free to add encryption at a lower layer. Much easier to add encryption just prior to the net.

    4. Re:VOIP calls aren't encrypted? by IWannaBeAnAC · · Score: 4, Insightful
      If there is no documentation, then it is almost certainly snake oil.

      Anyway, it is hard to imagine the FBI allowing ordinary consumers to have encryption they cannot break on their telephone calls. Moderately easy to break, but obscure, encryption is exactly what they would be looking for. 99% of criminals will be too dumb to break it, and the other 1% are needed to justify the homeland security budget.

    5. Re:VOIP calls aren't encrypted? by CodeBuster · · Score: 4, Insightful

      The Rijndael algorithm, with is now the federal advanced encryption standard (AES), is a fast symmetric block cipher which is both public domain and spreading quickly in use. It would not be difficult for the phones to use a public key scheme such as RSA to exchange a session key for Rijndael. The FBI doesn't waste their time intercepting your network traffic and cracking the encryption by brute force computation. They simply bug the keyboard or the room and recover your key. Why waste time picking a complicated lock when you can easily steal the key?

    6. Re:VOIP calls aren't encrypted? by Talennor · · Score: 5, Informative

      CALEA says:

      "ENCRYPTION- A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."

      Which in my first glance at this means that VoIP can be encrypted, though if the carrier handles too much of the private key generation, which would be necessary for any non-technical user, the carrier must keep the key for law enforcement use. (I'm thinking that a standalone VoIP phone would need a factory generated key on EEPROM, though software VoIP could use your average PC to generate a key itself.) But then again I'm not even sure if this applies to VoIP since this isn't exactly a service I'm currently familiar with. I'll note though that this is the only place "encryption" came up in a search of the law itself, so there's not much more to look at than the above quote. However, what the FBI and FCC have done in regulations may be a totally different matter. Can anyone clear this up more or is it just a regulatory mess?

      --

      //TODO: signature
    7. Re:VOIP calls aren't encrypted? by Anonymous Coward · · Score: 5, Informative

      Any system which hides key management completely is snake oil, to a certain extent. Encryption without authentication is useless, and the best authentication you can get with completely hidden key management is that an attacker has to be in the middle from the start and all the time to be undetectable. Better than nothing, but not really secure either. The achievable level is about the same as an SSH account where you never check if the server fingerprint is OK.

    8. Re:VOIP calls aren't encrypted? by sd_spot · · Score: 3, Interesting

      Ain't this grand?

      6-8 weeks ago I exchanged email with Vonage on this very subject. What security protocols do they follow for protecting signaling/bearer traffic? big black hole getting meaningful information - but was _assured_ they used 256 bit encryption with a xx bit nonce. Now I read a Vonage representative is asserting they do not perform encryption? Somebody was not telling the truth.

      Regarding CALEA: when you make a phone call (UMTS,GSM,VoIP- doesn't matter), your connection is routed via a switch. Between your phone and the switch is where encryption, if used, is applied. Once your traffic reaches the switch edge, it is decrypted. Afer it is decrypted and in the switch is where CALEA gets it's hands on it. The traffic is then (depending on the destination leg), encrypted using that leg's session key.

      As for why Vonage (and except for Skype - maybe others) are not following basic principles for information assurance? I'd say cost. Nobody is screaming for it and they aren't losing sales. Maybe that will change. I really don't think the processing burden could be so great - look at GSM and UMTS. Both are spec'd to do originating/terminating leg encryption.

      What I find the most irritating about all this is the canard about a guy with alligator clips tapping my line. Other than breaking into a phone company box - the only place to tap that line (except lawfully in the switch) is at the edge of my house (something I would not react favorably to). But, tapping a VoIP session on a cable-modem local loop (say, by my neighbor) is far less obvious. Maybe more difficult - but more covert. Would it be so difficult to build a protocol analyzer that looks for 1-800 #'s corresponding to phone-order sales and only record those calls?

      I'm glad to seee this getting attention. I will admit, if it wasn't for security concerns, I'd have left my POTS by now.

      sd_spot

      --
      Tell me what you know, tell me what you don't know - but never tell me you know what you don't know
  2. Discussed on the Vonage VoIP Forum by kamikaze-Tech · · Score: 5, Informative

    This has been discussed at great lengths on the Vonage VoIP Forum here: http://www.vonage-forum.com/ftopic5604.html and also here: http://www.vonage-forum.com/ftopic3422.html

  3. 99 Pages, and a bitch aint one by MikeSingee · · Score: 4, Funny

    Chances of slashdoters reading that 99 page government report are about the same as VoIP being secure.

  4. stop the presses! by to_kallon · · Score: 3, Funny

    "As VoIP is rolled out en masse, we're going to see an increased number of subscribers and also an increased number of attackers," says David Endler, chairman of the VoIP Security Alliance

    it's easy to see he's an expert. i mean, who else could come up with such an idea? the very premise of it is far-fetched to the point of hillarity. to think that as a product becomes more widely used it is targeted by a larger population...craziness.

    --


    The only way to get rid of a temptation is to yield to it.
    -Oscar Wilde
  5. Damned if you do, damned if you don't by wcitech · · Score: 3, Insightful

    I can find a little bit of humor in the situation... If the government finds that a communications system is insecure, they make reports complaining about it (motivating engineers to secure it). If the government finds that a communications system is too secure, they go to court so they can tap into it. (remember the voip wire-tapping ordeal?)

  6. VOIP nope not for me by Grand+Facade · · Score: 3, Insightful

    I'm not giving up my copper! No way! It is protected by law. And it is more insecure than most any other form of communication. But has a high degree of reliablity. So I'm sticking to it.

    Big buisness is who wants VOIP cause they want to get rid of the expensive telcom infrastructure and gain a higher degree of control.

    --
    Rick B.
  7. woulda been nice to know it was PDF ... by 2TecTom · · Score: 3, Insightful

    ... sigh, here we go again.

    Imagine this, you're far, far away in some distant, lost, Internet cafe. You are deeply in the backwoods of the third world. Your cellular 911, for some reason, isn't working. You see a /. story, with a link to an applicable article. You've just desperately clicked the link to the aforementioned article. Five minutes later, you begin to wonder three different and distinct things.

    1) Is the system locked up?
    2) How much is this going to cost now?
    3) Is that MODEM actually starting to smoke?

    IMHO, PDFs or links, especially unlabelled ones, are less than professional. Please, just say no.

    --
    Words to men, as air to birds.
  8. Gun in a field by deathcloset · · Score: 5, Insightful

    Security through obscurity is one of those strange concepts.

    Imagine every person in the world standing in a gigantic field. In the direct center of everyone is a rifle pointed at the sky.

    When the rifle fires, the bullet will go up and then come down and hit some poor sap. But if one were standing in that crowd one could virtually count one's self out as being crowned that sap.

    Virtually, but not completely.

    That's the problem with security by obscurity. Sure it lowers the chances of being hit. But it's not really security at all.

    Is it?

    1. Re:Gun in a field by Creepy+Crawler · · Score: 3, Interesting

      Ok, we have "security by obscurity".

      Erm, isnt our current knowledge of encryption technology based much on secret numbers? Well, it is 1 in 2^128 or 2^256 or some huge number, but is this teh similar analogy you use?

      Well, first off security CAN be improved, but it uses the same techniques I use for software protections.

      There should be no meta-data telling what encrypted the data, what encryption schemes, or whatever to even start off. You should consider these to be the first 'shared secrets'. This has a side benefit as when a 3'rd party attempts to decrypt it, it just gives garbage in which SOMETHING has to interpet. It should not be as simple as "GPG v3.2 Diffie-Helman 4096 bit key" does not match .

      Next off, all decrption attempts should go through. What would you rather do: scan the encrypted files for headers in which to try dictionaries OR be forced to try all types of encryption to try to guess which one does what (if you can).

      The next, for network security, is 'knock knock' scripts. Whats safer: login/passwd prompt on ssh OR 10 timed packets aimed at different ports (that change on time of day) that then proceeds to open ssh until disconnect?

      I know what I'd choose if it was my security depended on hiding, firewalling THEN login/passwords.

      The whole point is OBFUSCATION is a valid security mechanism, not that is the end-all be-all or anything, but it does have its places.

      --
  9. How to Decrease PDF Load Time by AceViper · · Score: 3, Informative

    You can drastically speed up PDF load times if you disable all the unneeded plugins:

    1. Install Adobe Reader 6.0 and notice where it is installed.
    2. Navigate to that folder in Explorer, locate the plug_ins subfolder and rename this folder to plug_ins_disabled.
    3. Create a new plug_ins folder.
    4. Move the files EWH32.api, printme.api and search.api from plug_ins_disabled to plug_ins.

    From http://www.mozilla.org/support/firefox/faq#acrobat

  10. So what was I supposed to learn? by modemboy · · Score: 3, Insightful

    Ok I didn't read the 99 page report (probably some good info in there) but this PC World article is pointless.
    Ok so they can DOS your network connection and kill your VOIP. Uhhh, if you're being succesfully DOS'ed you've got bigger problems than your VOIP not working.
    Oh and the other horror? They can listen to your calls? As the article points out this is currently trivial with the POTS, and again if someone can succesfully listen in on your full network connection you've got bigger problems than your VOIP not working.
    So why should I be scared again? Sounds like anti-VOIP F.U.D. to me.

  11. My VoIP calls are secure. by raehl · · Score: 3, Funny

    Iay cryptenay ithway igpay atinlay.

    --
    paintball
  12. We need dedicated boxes by delirium+of+disorder · · Score: 4, Insightful
    As a former phreaker kiddie, http://angelfire.com/linux/the1 I know how trivial it is to "tap" or disable someone's phone with physical access to the outside of their home or the TNI in their neighborhood. This is not a major threat, because someone whould have to directly be targeting your phone to 0wn it...and if you knew people (non-government) were after your phone conversations, you can put a lock on the grey customer access box on your house, and ask your CO to secure your TNI. Perhaps someone could theoretically compromise the CO's switching equiptment, but that required either good social engneering or real leet skills. But your phone is just your phone, nothing else, so attacks are limited.

    VOIP is actually more physically secure then PSTN. You can't just hook a speaker up to a DSL line and hear the conversation on it. The problem is, your computer, and every router between you and your VOIP provider, is a general purpose device. Other people and services have access to it for all kinds of legitimate reasons; each of these provides places where people/programs can input data that can potentially directly effect your voice communications or get privilage escilation on the device and indirectly effect it. ANY security person knows to be wary of input! And think of all the ways of getting input to (and theoretically compromising) a PC. What we need is a dedicated physical console for VOIP (a small linksys network device running OpenBSD or Linux and asterix sounds good). The actual VOIP data should be sent through an SSH tunnel or some kind of VPN.

    --
    ------ Take away the right to say fuck and you take away the right to say fuck the government.
  13. The big problem with VOIP by prisoner · · Score: 3, Funny

    isn't the security. Phone calls haven't been secure since shortly after the first one was made. No, the problem with VOIP is working with the fucking idiot phone vendors who do not understand what they are trying to do. I've gotten several calls from local phone guys who don't understand networking in the least and insist that they've assigned proper IP's to the phones at two seperate locations but they won't talk so it is my network problem. They then inform the customer that the problem is with the network and walk off. The phone at location #1 had an IP of 192.168.39.3 and the phone at location #2 192.168.40.5. No VPN between them. They were trying to route the traffic out over the internet connection.

    These dipshits sell the customer on thsese solutions and then when it doesn't work (routing probs or dropouts from no QOS) they call us in to sell the customer a couple thousand dollars worth of services and hardware to sell the problem. I don't mind the business but working with a customer who is on the brink of becoming an axe murderer isn't pleasant.