VoIP Security
An anonymous reader writes "Whitedust are running an interesting article on the security aspects of VoIP. From the article: "The fact that VoIP operates across standard networks makes it vulnerable to all manner of IP hacking - including man in the middle attacks, sniffing, session hijacking, etc." Considering its recent growth, how secure is VoIP?" PCM2 sent us a Wired bit about Phil Zimmerman of PGP working on a privacy system for Voice over IP calling.
From TFA: And all these errors are in just the introduction.
Now, I don't expect perfection, but the sheer amount of errors present here is beyond the pale, and renders the reader incapable of trusting the subject matter presented, or taking the author seriously.
Mr. Anderson, about 98% of the errors in your article could have been avoided by the use of a simple spell-checker. Nowadays, people don't actually need to know how to spell, as we have software to do that for us...but you have to actually use the software.
____
~ |rip/\/\aster /\/\onkey
I have never worried about man in the middle attacks on the internet. To be successful, it requires very good access to my ISP or the backbone carrier's network which is hard to do. Even if they can get that access all they can do is listen to my calls, have a chat with me and the other person or maybe hang up the call. Any attacker listening to my calls is going to get very bored very quickly. If they do the latter two, it could cause them to get caught because I'll complain about the problem.
The only security problem I see is if the attacker can learn information that lets him make calls billed to my account. This becomes the VOIP vendor's problem anyway. When I notice something wrong with the bill I'll do a chargeback on my credit card for the bill and simply change VOIP providers. If this happens a lot, the VOIP vendor will do something about their security problem.
Or am I missing something?
Hi Hun, I am gonna be a bit late tonight
I thought you were going to give me a lift to Tinas?
That's tomorrow, have you been taking my pain killers again?
No... erm... ok I'll see you later
*click*
Wait, we are being line-tapped
Oh my god! Execute the Omega 13 Device!
*end of world*
Really - if you want security, talk in tongues, or use a third party audio scrambler, plus encrypt the session. (then unencrypted it will just sound like noise). Plus stand on one foot while you talk, and occasionally look through the venetian blinds for snipers across the rooftops.
#hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
There is a program called Cain that can sniff VoIP traffic (as well as other things) and turn it into a wav file if it understands the codec. There is a video on how it works at: http://www.irongeek.com/i.php?page=videos/cainvoip
Can't we just stick to regular telephones? I don't want my 911 call to be interrupted by a denial of service attack...
Indeed. I have spoken about this before. In fact from TFA:
Considerating the stability and reliability of the tradional telephony networks - a product of decades of work - it seems foolhardy to replace it.
I couldn't agree more! All the power to people who use VoIP or cell phones as a primary line. But anyone who completely abandons POTS at this point is jumping off the diving board with no idea of how deep the water is. POTS is damn near 100% reliable (short of drunk guy hitting pole outside your house), it survives power outages and I don't think it can be brought down by a buggy TV in your neighbor's house. A friend of mine lost Roadrunner and TW's digital phone service for two days because of a TV next door that was leaking RF onto the coax network.
More to the point, if these services are going to be sold as a replacement for your POTS line then they damn well ought to be regulated like your POTS line -- with requirements for reliability and appeals processes if you get hosed.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Because there is no way in the world I could just go to your telephone access box with a phillips head screwdriver and pull your connection.
You're welcome to try it at my house. The lines are underground and all of the NIDs are in the utilities room downstairs which only the telco and my landlord have a key to.
Despite that your point would be valid if it wasn't for the fact that a VoIP phone can be brought down the same way. And a cell phone can be jammed. If somebody is out to get you then you have bigger problems than which type of phone to use.
The point the grandparent was making is that a POTS line is just about bulletproof. Whereas a VoIP line can be brought down by a DDoS on your ISP, the script kiddie with kazaa using all the bandwidth or just the stupidity of your ISP.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Of course, now ask how many cable companies are actually deploying fully PacketCable-compliant systems with all the security turned on the way it was designed to be.
Please visit the VoIPsec archives, before assuming that any one article could cover it all. There you could find links and comments from some of the most pertinent contributors to this subject.
== With enough Will Power, one could move mountains. With enough Brains, one would just leave them where they are ==
Was a neat little app a few years back for simple IP-IP VoIP that was (supposedly, never checked) well encrypted, it converted the key into English words that you could say in your own voice to confirm that you weren't a victim of a MITM attack.
http://web.mit.edu/network/pgpfone
/* FUCK - The F-word is here so that you can grep for it */
The advantages of VoIP are amazing... the cost on Long Distance is ridiculous... POTS might not be broken.. but what happens when those wires do need to be replaced... I'm positive nobody is going to be jumping in and re-laying the wire..
And exactly what kind of wires do you think your internet connection is coming in on? Do you worry about the wires when you talk about VoIP? And, yes, they will replace the wires. Pretty much the only copper part of the PSTN left is the local loop from the CO to your house. And Verizon is even trying to fix that. Who do you trust more to deliver bulletproof service? The phone company who has a history, experienced people and several layers of regulation -- or the cable company who has no history in telecommunications, not as many experienced people and absolutely no regulatory oversight whatsoever.
I think it's somewhat telling that even Time Warner isn't yet brave enough to offer their VoIP service to businesses. Businesses tend to complain and sue when they lose communications.
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
If you have a set of alligator clips and a phone. Or a set of diagonal cutters (DoS attack).
I mean, really
- Brian Roach
Wouldn't it be simpler, more effective and thus cheaper to secure IP communication instead of securing Voice over IP, HTTP over IP, SMTP over IP, FTP over IP and whathaveyou over IP? There even is a standard for secure IP communications, inconspicuously called IPSec. Stop the nonsense and start using encryption where it benefits all protocols.
Can't something like OTR (Off The Record messaging - http://www.cypherpunks.ca/otr/) be applied to SIP or IAX conversations? I know it was designed for slow, IM-type packet traffic, but the crypto is there. It can't be that hard :)
I mean, negotiating a private key between two hosts is trivial, just use the good old DH key exchange thing. Could even use IPSEC for the actual encryption, no need to reinvent the wheel and add crypto to the VOIP protocols, just do those security associations when you set up a call.
:(
The downside is, that a MITM is possible to get the key, but that's pretty damn unlikely compared to people just sniffing and listening to your call or blindly injecting data to an existing one. From what information is available about Skype, it does something like this, I believe.
But, designing horribly complicated systems that cover the corner cases seems to be the norm, and those get ignored due to complexity and thus everyone does the unencrypted thing in the end
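The comments above describe PGPfone turning the key into words the callers read aloud, and a plain Diffie-Hellman exchange where an in-path party can substitute keys. As an added example (not from the thread or from PGPfone; the toy group, the 16-word list, the sample private keys and all function names are assumptions made here), this shows why comparing the spoken words exposes the substitution:

```python
import hashlib

# Toy group for illustration only: 2**127 - 1 is prime but far too small
# for real use. A deployment would use a standard group or curve.
P = 2**127 - 1
G = 3

# Constructed 16-word list (4 bits per word); not PGPfone's actual list.
WORDS = ["apple", "brick", "cedar", "delta", "ember", "flint", "grape",
         "heron", "ivory", "jolly", "kiosk", "lemon", "mango", "noble",
         "otter", "piano"]

# Constructed sample private keys so the run is repeatable. Real keys
# would come from a CSPRNG such as secrets.randbelow(P - 2) + 1.
ALICE_PRIV = 0x1F3A5C7E9B2D4F60
BOB_PRIV = 0x2468ACE013579BDF
RELAY_PRIV = 0x0F1E2D3C4B5A6978


def public_key(private):
    return pow(G, private, P)


def shared_secret(private, peer_public):
    return pow(peer_public, private, P)


def spoken_words(secret, count=6):
    """Hash the shared secret and map the first `count` nibbles to words."""
    digest = hashlib.sha256(secret.to_bytes(16, "big")).digest()
    nibbles = []
    for byte in digest:
        nibbles += [byte >> 4, byte & 0x0F]
    return [WORDS[n] for n in nibbles[:count]]


def call(alice_priv, bob_priv, relay_priv=None):
    """Return (alice_words, bob_words) for one call setup.

    relay_priv models an in-path party that replaces both public keys
    with its own, so each caller agrees a key with the relay instead.
    """
    a_pub, b_pub = public_key(alice_priv), public_key(bob_priv)
    if relay_priv is None:
        seen_by_alice, seen_by_bob = b_pub, a_pub
    else:
        seen_by_alice = seen_by_bob = public_key(relay_priv)
    return (spoken_words(shared_secret(alice_priv, seen_by_alice)),
            spoken_words(shared_secret(bob_priv, seen_by_bob)))


if __name__ == "__main__":
    for label, relay in (("direct", None), ("relayed", RELAY_PRIV)):
        a_words, b_words = call(ALICE_PRIV, BOB_PRIV, relay)
        verdict = "match" if a_words == b_words else "MISMATCH"
        print(f"{label:8} Alice: {' '.join(a_words)}")
        print(f"{label:8} Bob:   {' '.join(b_words)}  -> {verdict}")
```

The check only helps if the callers actually read the words to each other and recognise each other's voice; six words from a 16-word list give 24 bits, so a longer list or more words lowers the chance of an accidental match.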
Their website lists their numbers as: "Tel: 00353 - (0)87 - "...etc numbers, so they're not in North America.
This: (Mon, 14 Feb 2005 16:57:12 +0000) also suggests a European country (I think). So maybe English isn't their first language.
Well the VOIP provider has one important motivator that the phone company lacks.
Yeah, because between VoIP, the cable company and cell phones (none of which are regulated or held to the same standard) the baby bells have no competition at all. Do you really believe that?
The bells seem to think that whatever they want to do is okay. You're stuck with them, they don't have to be honest in their billing. It costs the telcos nothing to enable caller-ID, indeed it is an integral part of the POTS system, so why do they charge extra for it?
Really? It's been my experience with Verizon that they are a million times more responsive to me than Time Warner. You think they purposefully screw people on billing? What fantasy world are you living in? The FCC, FTC and PSC would come down on them like a ton of bricks.
The phone company has a long history of fraud, lackluster service, and hostile customer service. I'm glad I'm no longer stuck with them.
As opposed to the cable company (your other main provider, lest you forget) who has a long history of being honest, great service and friendly people that put Wal-Mart greeters to shame. And even if your local phone company still has these monopolistic attitudes you have an appeals process through your state regulatory agency. The NYPSC has never once failed me and the three times I've gone to them I had my problem solved within two hours. Try that with VoIP or cable.
TW's service sucks? Try Vonage or any of a dozen other providers.
And where do you think the internet connection for Vonage is coming from? Oh, that's right! DSL or cable!
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Since when have good old fashioned telephone systems been secure? I can't count the number of times I've picked up a neighbor's conversation from their cordless phone. Although I'll agree that the scope of the attack may be broader with VOIP (after all, my neighbor's phone only puts out enough power to be picked up within a certain proximity), I think an expectation of privacy on any current phone system is a flawed assumption at best.
Considerating the stability and reliability of the tradional telephony networks - a product of decades of work - it seems foolhardy to replace it.
[sarcasm] Yeah, fuck progress! [/sarcasm]
The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
>POTS is damn near 100% reliable
My phone company charges $12 for my no-frills service. Somehow the bill I pay is $45 after all the fees and taxes. Those extra charges are the main reason I'm considering bailing from POTS to VoIP. They'll catch up sooner or later, but for a time, I can keep some of my money.
Heck I might have some cash to enter the sucker mill^H^H cell phone subscriber pool.
Considering I can walk up to 90% of the houses on the street, open up the phone box, and plug a lineman's handset (or anything else) into the phone line...how secure is the PSTN?
If you think the PSTN is really secure, you might want to look through some old issues of 2600...
-- OpenVerse Visual Chat: http://openverse.com
Um if you hang up and 30 seconds later are still connected it means someone else on the line [on your side] is still off hook.
Check your house for nosy people and failing that call your telco to have it looked at.
Of course I've never heard of that problem before. Doesn't mean you're making it up but more than likely the reason is more than a "remote DoS" attack.
Mostly call-centers can only fake their CID information [but not ANI] which makes call display all fucked up [but not their billing]. That's about it. They don't have magical technology to jam your phone line. Once you hang up the call is released and both sides are disconnected.
Tom
Someday, I'll have a real sig.
" In the case of a business, I think it would be a good idea to keep at least one POTS line, to prevent a total outage of phone service. VOIP would be very useful in the business world to keep down the cost of long distance calls, and the quality is good enough."
It is good enough, and that's exactly what we do. I have a VoIP "line" from AT&T at our business for outgoing long distance, plugged right into our phone system. It saves us probably $200 - $300 a month in long distance (You should see what business LD costs - it's ridiculous).
- Brian Roach
"few seconds". It usually takes 3-4 seconds to hang up. Anything longer and your phones and/or telco is broken.
Tom
Someday, I'll have a real sig.
Folks, you have to remember that this article talks about the so-called nomadic VoIP services.
I've been using VoIP for the better part of two years now, and it's maintained by my ISP. I run it over the Ethernet hookup I have, and as far as functionality is concerned I hardly notice the difference from POTS.
Outages? I've had two. Once when my apartment lost power (thus the VoIP-box lost power) and once when some major link in my ISP's chain went down. As a matter of fact, I've had FEWER problems with VoIP than POTS. My ISP/Telco also didn't charge for the days (two) of outages, of course.
As for packet priority, I can max my line, and since the phone is a non-nomadic VoIP the sound is still crystal clear since the ISP uses traffic-shaping (or something) to always put priority on the VoIP-packets.
I enjoy large posteriors and I cannot prevaricate.
I wonder how long it will be until things like VoIP encryption are illegal to implement on the user-to-user end. Once the government catches wind via some wacked-out organization, they're going to be pushing legislation to ban such products - all in the name of preventing terrorism, of course.
Heck, my opinion is it's only because of the history of the open nature of computing that this industry is allowed to have encryptions like SSL where the government can't tap the line.
And if you don't believe me, see the recent treaty discussions going on in the senate right now that requires participating nations to take up laws which include wiretapping.
A community-oriented lyrics site
I would have thought the obvious solution would be something like SIP over SSL {which should be easy enough to set up, if Asterisk doesn't already have such a feature}, but maybe I'm missing something obvious about SSL that would preclude it.
PGP-type encryption would be good {key servers, if you use them properly, are incredibly powerful: post your out-of-date private keys and now nothing you ever signed using any of them can be authenticated!}, but it isn't transparent.
Whatever solution is adopted, it must be network-transparent, and the user must have the right to view the source code. The Authorities no doubt would love us to be using something they can tap, on the basis of "protecting" us from terrorists and drug dealers; but if terrorists and drug dealers are known not to be using the system because they know it can be tapped, then there's no point tapping it in the first place!
Je fume. Tu fumes. Nous fûmes!
VoIP is *more* secure than your PSTN... with the PSTN any doofus with a butt-set can climb the pole outside your house... or worse yet go OUTSIDE your house and tap into your line.
With VoIP you have to actually be on the network.. and not just on the network.. but IN the packet stream.
Hacker A who is on a server off the switch can't listen to your conversation... they would have to interrupt the packet stream flowing through the router.
We work with a bunch of local phone vendors who always dictate that for site to site VoIP to be used, we need to set up a site to site VPN (or point to point circuit). It is my suspicion that they do this so that
1. they don't have to be bothered with trying to figure out what ports to forward on the firewall and
2. they have so much difficulty in troubleshooting their own systems that they love to blame everything on us.
In any event, I picked up the new O'Reilly book on VoIP and they talk a lot about avoiding VPN as it creates lag. They also indicate that sending all of your QOS flagged traffic down a VPN tunnel eliminates the ability of the upstreams to "see" the QOS flags as they are encrypted. Anyone else have experience with this?
"Who could blame him [Phil Zimmerman] for laying low for a while after the Justice Department launched a three-year criminal investigation of him in 1993? Officials accused him of violating a ban on exporting cryptography when he made PGP available for download on the internet. The government finally dropped its investigation in 1996."
The Justice Department officials who "investigated" Zimmerman (persecuted him) set back the availability of privacy tech by at least half a decade, right when the Internet exploded into everyone's private and professional lives. They never found anything bad on Zimmerman, and crypto export restrictions were sensibly lifted in light of the extremely favorable cost:benefit to American economic security (the basis of all national security). But those officials, who did such damage, suffered no repercussions for their fruitless persecution of Zimmerman.
How long, after Zimmerman's VoIP privacy tech gets some buzz, will it take for some new Justice Department freak to target Zimmerman this time? With the context of "cyberterrorists", portrayed as "out of government reach" with Internet cryptophones, so easily saleable to the American public terrorized daily by government actions in the Terror War? Zimmerman's willingness to reenter that war, after being burned, shows that he's the kind of patriot that the government can only pretend to be when naming laws and missiles.
--
make install -not war
I care about security as much as the next guy but comparing POTS or even Centrex security to VoIP is ridiculous. What about physical security that many have mentioned? I want to maintain 99.999 without having to worry about some jagoff with a backhoe whether he is driven by some virulent strain of Islam or is just a stupid ass. Much less a single leaky capacitor that has no backup system in place. So far it seems that even above ground, in my area, the ISPs have put more into redundant paths than the PSTN.
Hell, we ran into a single point of failure 120 miles away at a NOC on a cellular data network back haul router. Which took 6 hours to pinpoint by AT&T -> Sprint -> SBC -> Cingular -> AT&T/Cingular -> AT&T finger-pointing. At which point it was determined that the endpoint (AT&T GPRS private APN firewall router middleman) was flaky.... but they were totally able to loop up the T1 from the TELCO which proved there was no problem, bah!
The tech support were friendly but clueless and equipped with all the right info from the first minutes of the outage by myself...which WE detected 30 min after it happened through our own standard public safety system troubleshooting, and they were still totally unaware of it. Yeah 30 minutes is quite a lag time but consider I had to dial in from 3 towns away(26,400) after 10 minutes on the phone to verify dispatch wasn't just crazy. It took 10 minutes for them to notice the problem and qualify it for emergency service.
Yet a simple ISP with some nagios running would've found it faster but had dual paths to prevent (more than 30 seconds of) downtime. We intentionally took down our Internet link in an infrastructure replacement and the poor guy in the ISP NOC dug through outdated contact info for a while until he called his boss and eventually my cellphone to report the outage. THAT'S SERVICE. He was actually concerned when he called too, could've been related to his boss but still. *I* had to calm *him* down, and there was definitely a sigh of relief on his end when I explained. I felt bad for not notifying him. He insisted I call back when we were done to verify connectivity. Where do you find that type of service?
TELCO didn't see the problem, or go to the trouble of calling us if they had. When we called them they were courteously-flippant and blamed us at every turn until they found they were wrong. Guilty until proved innocent is definitely their modus operandi.
Maybe my region is better, but I'm pretty much in Podunk. My vote is for VoIP. I realize that the cost is much more significant for the telco to do the same thing with available technology and infrastructure, that is my point exactly.