Slashdot Mirror


VoIP Security

An anonymous reader writes "Whitedust are running an interesting article on the security aspects of VoIP. From the article: "The fact that VoIP operates across standard networks makes it vulnerable to all manner of IP hacking - including man in the middle attacks, sniffing, session hijacking, etc." Considering its recent growth, how secure is VoIP?" PCM2 sent us a Wired bit about Phil Zimmermann of PGP working on a privacy system for Voice over IP calling.

10 of 188 comments

  1. Re:So much safer. by Shakrai · Score: 2, Insightful

    Because there is no way in the world I could just go to your telephone access box with a Phillips head screwdriver and pull your connection.

    You're welcome to try it at my house. The lines are underground and all of the NIDs are in the utilities room downstairs which only the telco and my landlord have a key to.

    Despite that, your point would be valid if it wasn't for the fact that a VoIP phone can be brought down the same way. And a cell phone can be jammed. If somebody is out to get you then you have bigger problems than which type of phone to use.

    The point the grandparent was making is that a POTS line is just about bulletproof. Whereas a VoIP line can be brought down by a DDoS on your ISP, the script kiddie with Kazaa using all the bandwidth or just the stupidity of your ISP.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  2. Re:Man in the middle. by Shakrai · Score: 2, Insightful

    POTS is wide open to MIM attacks.. in fact anyone with a cheap earpiece can do it - no need for a PC even.

    Yeah, because it's so much easier to pick the correct pair of wires out of several dozen or hundred on the local loop than it is to set up a router rule to capture VoIP packets.

    Unless they are hanging off the pole outside your house (which would be rather brazen) I don't worry myself too much with MIM attacks on POTS. In fact unauthorized bugs on POTS can usually be detected fairly easily (they cause a voltage drop) if you are that paranoid about them.

    Of course you can't do anything about central office taps (law enforcement) or the other end of the line -- but no matter which technology you use I don't think you can ever trust the remote end of the conversation to be secure.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  3. Re:Hmm... by Shakrai · Score: 2, Insightful

    The advantages of VoIP are amazing... the cost on Long Distance is ridiculous... POTS might not be broken.. but what happens when those wires do need to be replaced... I'm positive nobody is going to be jumping in and re-laying the wire..

    And exactly what kind of wires do you think your internet connection is coming in on? Do you worry about the wires when you talk about VoIP? And, yes, they will replace the wires. Pretty much the only copper part of the PSTN left is the local loop from the CO to your house. And Verizon is even trying to fix that. Who do you trust more to deliver bulletproof service? The phone company who has a history, experienced people and several layers of regulation -- or the cable company who has no history in telecommunications, not as many experienced people and absolutely no regulatory oversight whatsoever.

    I think it's somewhat telling that even Time Warner isn't yet brave enough to offer their VoIP service to businesses. Businesses tend to complain and sue when they lose communications.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  4. One has to wonder... by Anonymous Coward · Score: 2, Insightful

    Wouldn't it be simpler, more effective and thus cheaper to secure IP communication instead of securing Voice over IP, HTTP over IP, SMTP over IP, FTP over IP and what have you over IP? There even is a standard for secure IP communications, inconspicuously called IPSec. Stop the nonsense and start using encryption where it benefits all protocols.

  5. Re:Man in the middle. by Shakrai · Score: 4, Insightful

    Unless you were targeting one specific person, the above will work fine

    My whole point was that it's much harder to target one specific person with POTS than it is with VoIP. What's easier? Finding my pair or capturing packets from/bound for my IP address?

    The article was dealing with security, and the security for both is the same. You would have to do the same for VoIP as you do for POTS if you want security. Harden the conduit, and encrypt and decrypt the message at the TX side and RX side.

    And you still have the problem of the person at the other end who is on his speaker phone while the cubemate next door listens. Ultimately the only end of the line you know is secure is your end (POTS or VoIP) and this is all for highly paranoid people anyway.

    As much as I am arguing against VoIP (and cell phones) security is not the reason why. I worry about more reliability and quality of service -- both of which seem to be lacking at this time.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  6. Re:Man in the middle. by SatanicPuppy · Score: 2, Insightful

    The thing is, that person has to be physically out in the world, splicing himself into your line. Sure, it can be done, but the motivation needed to put someone to that kind of trouble is pretty intense.

    Used to be that way with a lot of information crimes, but the internet makes them possible on a whole new scale. Imagine a MIM attack that compromises a couple of major VoIP hops, and sorts out the calls to banks and credit card companies based on phone number, or whatever. That can be automated now, so a guy who could have listened to 20 calls a night can now sort through thousands of calls an hour to find the one or two that are interesting.

    All that being said, it's still a hell of a lot easier to steal that information some other way. Voice is a very inefficient medium for data.

    --
    ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
  7. Anonymous Diffie-Hellman would be "good enough" by pp · Score: 2, Insightful

    I mean, negotiating a private key between two hosts is trivial, just use the good old DH key exchange thing. Could even use IPSEC for the actual encryption, no need to reinvent the wheel and add crypto to the VOIP protocols, just do those security associations when you set up a call.

    The downside is that it is possible for a MITM to get the key, but that's pretty damn unlikely compared to people just sniffing and listening to your call or blindly injecting data to an existing one. From what information is available about Skype, it does something like this, I believe.

    But, designing horribly complicated systems that cover the corner cases seems to be the norm, and those get ignored due to complexity and thus everyone does the unencrypted thing in the end :(
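
Added example, not part of the original comment or any VoIP product: a sketch of the anonymous Diffie-Hellman exchange described in comment 7, showing that a passive listener never sees the key, while an on-path relay ends up with a different key on each leg, which the endpoints can detect by comparing a key fingerprint over an authenticated channel. The group (p = 2^127 - 1, g = 3) is toy-sized for readability, and `Endpoint`, `fingerprint`, `direct_call` and `relayed_call` are hypothetical names.

```python
import hashlib
import secrets

# Toy parameters, assumed for illustration only: a 127-bit Mersenne prime.
# Real deployments use standardized groups of 2048 bits or more, or elliptic curves.
P = 2**127 - 1
G = 3


class Endpoint:
    """One side of an unauthenticated (anonymous) Diffie-Hellman exchange."""

    def __init__(self):
        self.priv = secrets.randbelow(P - 3) + 2   # private exponent in [2, P-2]
        self.pub = pow(G, self.priv, P)            # value sent in the clear

    def session_key(self, peer_pub):
        # Reject degenerate public values that would force a predictable secret.
        if not 2 <= peer_pub <= P - 2:
            raise ValueError("invalid peer public value")
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def fingerprint(key):
    """Short digest the two parties compare out of band (e.g. read aloud)."""
    return hashlib.sha256(b"fingerprint" + key).hexdigest()[:16]


def direct_call():
    """No one in the path: both sides derive the same key from public values."""
    alice, bob = Endpoint(), Endpoint()
    return alice.session_key(bob.pub), bob.session_key(alice.pub)


def relayed_call():
    """A relay swaps in its own public value, so each leg gets its own key."""
    alice, bob, relay = Endpoint(), Endpoint(), Endpoint()
    key_alice = alice.session_key(relay.pub)       # Alice believes this is Bob's value
    key_bob = bob.session_key(relay.pub)           # Bob believes this is Alice's value
    return key_alice, key_bob, relay.session_key(alice.pub), relay.session_key(bob.pub)


if __name__ == "__main__":
    ka, kb = direct_call()
    print("direct: fingerprints match ->", fingerprint(ka) == fingerprint(kb))
    ka, kb, _, _ = relayed_call()
    print("relayed: fingerprints match ->", fingerprint(ka) == fingerprint(kb))
```

The mismatch in the relayed case is why protocols built on anonymous DH add an authentication step such as a fingerprint comparison or signed key shares.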

  8. Re:Hmm... by Shakrai · Score: 2, Insightful

    Well the VOIP provider has one important motivator that the phone company lacks.

    Yeah, because between VoIP, the cable company and cell phones (none of which are regulated or held to the same standard) the baby bells have no competition at all. Do you really believe that?

    The bells seem to think that whatever they want to do is okay. You're stuck with them, they don't have to be honest in their billing. It costs the telcos nothing to enable caller-ID, indeed it is an integral part of the POTS system, so why do they charge extra for it?

    Really? It's been my experience with Verizon that they are a million times more responsive to me than Time Warner. You think they purposefully screw people on billing? What fantasy world are you living in? The FCC, FTC and PSC would come down on them like a ton of bricks.

    The phone company has a long history of fraud, lackluster service, and hostile customer service. I'm glad I'm no longer stuck with them.

    As opposed to the cable company (your other main provider, lest you forget) who has a long history of being honest, great service and friendly people that put Wal-Mart greeters to shame. And even if your local phone company still has these monopolistic attitudes you have an appeals process through your state regulatory agency. The NYPSC has never once failed me and the three times I've gone to them I had my problem solved within two hours. Try that with VoIP or cable.

    TW's service sucks? Try Vonage or any of a dozen other providers.

    And where do you think the internet connection for Vonage is coming from? Oh, that's right! DSL or cable!

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  9. Re:Hmm... by rbarreira · Score: 3, Insightful

    Considering the stability and reliability of the traditional telephony networks - a product of decades of work - it seems foolhardy to replace it.

    [sarcasm] Yeah, fuck progress! [/sarcasm]

    --

    The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
  10. Re:The Dumbing-Down of America...part XXVII by Programmer_In_Traini · Score: 2, Insightful

    As a bilingual French guy, I often have to write in English. I'm sure just about anything I write in English has errors in it but that doesn't mean I don't know what I'm talking about, it only means I lack the syntactical and grammatical knowledge to write it properly in English.

    I think it is not correct that you discredit the author about the seriousness of his article. After all, from what I can see, most mistakes in there are the usual typos and common mistakes from those having English as their second/third/fourth language.

    This doesn't excuse the fact that he didn't use a spellchecker but I certainly don't think it (and I quote) renders the reader incapable of trusting the subject matter presented.

    --
    If you look like your passport photo, you're too ill to travel. - Will Kommen