Slashdot Mirror
VoIP Security
An anonymous reader writes "Whitedust are running an interesting article on the security aspects of VoIP. From the article: "The fact that VoIP operates across standard networks makes it vulnerable to all manner of IP hacking - including man in the middle attacks,sniffing, session hijacking, etc." Considering it's recent growth, how secure is VoIP?" PCM2 sent us a wired bit about Phil Zimmerman of PGP working on a privacy system for Voice over IP calling
I have never worried about man in the middle attacks on the internet. To be successful, it requires very good access to my ISP or the backbone carrier's network which is hard to do. Even if they can get that access all they can do is listen to my calls, have a chat with me and the other person or maybe hang up the call. Any attacker listening to my calls is going to get very bored very quickly. If they do the later two, it could cause them to get caught because I'll complain about the problem.
The only security problem I see is if the attacker can learn information that lets him make calls billed to my account. This becomes the VOIP vendors problem anyway. When I notice something wrong with the bill I'll do a chargeback on my credit card for the bill and simply change VOIP providers. If this happens a lot, the VOIP vendor will do something about their security problem.
Or am I missing something?
Cant we just stick to regular telephones? I dont want my 911 call to be interrupted by a denial of service attack...
Indeed. I have spoken about this before. In fact from TFA:
Considerating the stability and reliability of the tradional telephony networks - a product of decades of work - it seems foolhardy to replace it.
I couldn't agree more! All the power to people who use VoIP or cell phones as a primary line. But anyone who completely abandons POTS at this point is jumping off the diving board with no idea of how deep the water is. POTS is damn near 100% reliable (short of drunk guy hitting pole outside your house), it survives power outages and I don't think it can be brought down by a buggy TV in your neighbors house. A friend of mine lost Roadrunner and TW's digitial phone service for two days because of a TV next door that was leaking RF onto the coax network.
More to the point, if these services are going to be sold as a replacement for your POTS line then they damn well ought to be regulated like your POTS line -- with requirements for reliability and appeals processes if you get hosed.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Of course, now ask how many cable compaines are actually deploying fully PacketCable-compliant systems with all the security turned on the way it was designed to be.
Can't something like OTR (Off The Record messaging - http://www.cypherpunks.ca/otr/) be applied to SIP or IAX conversations? I know it was designed for slow, IM-type packet traffic, but the crypto is there. It can't be that hard :)
Since when have good old fashioned telephone systems been secure? I can't count the number of times I've picked up a neighbor's conversation from their cordless phone. Although I'll agree that the scope of the attack may be broader with VOIP (after all, my neighbors phone only puts out enough power to be picked up within a certain proximity), I think an expectation of privacy on any current phone system is a flawed assumption at best.
Considering I can walk up to 90% of the houses on the street. open up the phone box, and plug a lineman's handset (or anything else) into the phone line...how secure is the PSTN?
If you think the PSTN is really secure, you might want to look through some old issues of 2600...
-- OpenVerse Visual Chat: http://openverse.com