U.S. Government Issues Report on VoIP Security Holes

ranson writes "PC World is reporting on VoIP technology's threat of being manipulated by hackers, through call interception and DoS attacks on users' internet connections. While these threats are nothing new, the article cites an interesting government report on the topic, as well as its author, who believes a VoIP user's best protection is security by obscurity."

VOIP calls aren't encrypted?

[Motherfucking+Shit]

From the article:

Intercepting Internet traffic is not new. Neither is DoS. But unlike more secure Internet transactions such as your Web connection for online banking, VoIP calls are not encrypted. That makes them susceptible to tapping.

This amazes me, I can't believe that the calls are floating around in raw audio. Would a little encryption add so much overhead that it would bog down the system? Or is this due to CALEA or other laws?

Re:VOIP calls aren't encrypted?

[Talennor]

CALEA says:

"ENCRYPTION- A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."

Which in my first glance at this means that VoIP can be encrypted, though if the carrier handles too much of the private key generation, which would be necessary for any non-technical user, the carrier must keep the key for law enforcement use. (I'm thinking that a standalone VoIP phone would need a factory generated key on EEPROM, though software VoIP could use your average PC to generate a key itself.) But then again I'm not even sure if this applies to VoIP since this isn't exactly a service I'm currently familiar with. I'll note though that this is the only place "encryption" came up in a search of the law itself, so there's not much more to look at than the above quote. However, what the FBI and FCC have done in regulations may be a totally different matter. Can anyone clear this up more or is it just a regulatory mess?

Re:VOIP calls aren't encrypted?

Any system which hides key management completely is snake oil, to a certain extent. Encryption without authentication is useless, and the best authentication you can get with completely hidden key management is that an attacker has to be in the middle from the start and all the time to be undetectable. Better than nothing, but not really secure either. The achievable level is about the same as an SSH account where you never check if the server fingerprint is OK.

Discussed on the Vonage VoIP Forum

[kamikaze-Tech]

This has been discussed at great lengths on the Vonage VoIP Forum here: http://www.vonage-forum.com/ftopic5604.html and also here: http://www.vonage-forum.com/ftopic3422.html

Gun in a field

[deathcloset]

Security through obscurity is one of those strange concepts.

Imagine every person in the world standing in a gigantic field. In the direct center of everyone is a rifle pointed at the sky.

When the rifle fires, the bullet will go up and then come down and hit some poor sap. But if one were standing in that crowd one could virtually count one's self out as being crowned that sap.

Virtually, but not completely.

That's the problem with security by obscurity. Sure it lowers the chances of being hit. But it's not really security at all.

Is it?