Slashdot Mirror

← Back to Stories (view on slashdot.org)

VoIP Security

Posted by CmdrTaco on from the this-is-the-future-people dept.

An anonymous reader writes "Whitedust are running an interesting article on the security aspects of VoIP. From the article: "The fact that VoIP operates across standard networks makes it vulnerable to all manner of IP hacking - including man in the middle attacks,sniffing, session hijacking, etc." Considering it's recent growth, how secure is VoIP?" PCM2 sent us a wired bit about Phil Zimmerman of PGP working on a privacy system for Voice over IP calling

15 of 188 comments (clear)

  1. The Dumbing-Down of America...part XXVII by TripMaster+Monkey · · Score: 5, Informative

    From TFA:
    is an umbrella term used forthesoftware
    some more introductionary information
    Considerating the stability and reliability of the tradional telephony networks
    so it's roll out is most likely inevidable.
    particular relevence to most
    VoIP and it's implementation.
    And all these errors are in just the introduction.

    Now, I don't expect perfection, but the sheer amount of errors present here is beyond the pale, and renders the reader incapable of trusting the subject matter presented, or taking the author seriously.

    Mr. Anderson, about 98% of the errors in your article could have been avoided by the use of a simple spell-checker. Nowadays, people don't actually need to know how to spell, as we have software to do that for us...but you have to actually use the software.
    --
    ____

    ~ |rip/\/\aster /\/\onkey

  2. Man in the middle. by matt21811 · · Score: 5, Interesting

    I have never worried about man in the middle attacks on the internet. To be successful, it requires very good access to my ISP or the backbone carrier's network which is hard to do. Even if they can get that access all they can do is listen to my calls, have a chat with me and the other person or maybe hang up the call. Any attacker listening to my calls is going to get very bored very quickly. If they do the later two, it could cause them to get caught because I'll complain about the problem.

    The only security problem I see is if the attacker can learn information that lets him make calls billed to my account. This becomes the VOIP vendors problem anyway. When I notice something wrong with the bill I'll do a chargeback on my credit card for the bill and simply change VOIP providers. If this happens a lot, the VOIP vendor will do something about their security problem.

    Or am I missing something?

    1. Re:Man in the middle. by rednuhter · · Score: 3, Interesting

      and what about at the other end ?
      If an attacker has access to a router beyond your isp/backbone but before the signals reciever then the contents can be subverted.
      Admittedly, if all you do is argue about the sports scores then there is not much risk.
      But if you were using VOIP as a transparent replacement to POTS (Plain Old Telephone Service) and were ordering a new car or dicussing your new pin number with the bank then things are quite different.

      --
      ERR 411[Max number of witty sigs reached]
    2. Re:Man in the middle. by Tony+Hoyle · · Score: 5, Informative

      If you're using VOIP as a transparent replacement to POTS there's no change.

      POTS is wide open to MIM attacks.. in fact anyone with a cheap earpiece can do it - no need for a PC even.

    3. Re:Man in the middle. by Shakrai · · Score: 4, Insightful

      Unless you were targeting one specific person, the above will work fine

      My whole point was that it's much harder to target one specific person with POTS then it is with VoIP. What's easier? Finding my pair or capturing packets from/bound for my IP address?

      The article was dealing with security, and the security for both is the same. You would have to do the same for VoIP as you do for POTS if you want security. Harden the conduit, and encrypt and decrypt the message at the TX side and RX side.

      And you still have the problem of the person at the other end who is on his speaker phone while the cubemate next door listens. Ultimately the only end of the line you know is secure is your end (POTS or VoIP) and this is all for highly paranoid people anyway.

      As much as I am arguing against VoIP (and cell phones) security is not the reason why. I worry about more reliability and quality of service -- both of which seem to be lacking at this time.

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
  3. Paranoia by tod_miller · · Score: 4, Funny

    Hi Hun, I am gonna be a bit late tonight

    I thought you were going to give me a lift to Tinas?

    Thats tomorrow, have you been taking my pain killers again?

    No... erm... ok I'll see you later

    *click*

    Wait, we are being line-tapped

    Oh my god! Execute the Omega 13 Device!

    *end of world*

    Really - if you want security, talk in tongues, or use a third party audio scrambler, plus encrypt the session. (then unencrypted it will just sound like noise). Plus standon one foot while you talk, and occassionally look through the venetian blinds for snipers across the rooftops.

    --
    #hostfile 0.0.0.0 primidi.com 0.0.0.0 www.primidi.com 0.0.0.0 radio.weblogs.com
    1. Re:Paranoia by mwilliamson · · Score: 3, Funny
      -SNIP-
      and occassionally look through the venetian blinds for snipers across the rooftops.
      -SNIP-

      Dude, why not stick your head out the door for a few seconds too while your at it? If you take paranoia seriously, you seriously need to set up outdoor pinhole cameras, like I have. I love the espressions of frustration on the sniper's faces. Also, keep in mind your location can be determined by a tempest brainwave triangulation attack, so wear the proper protection. (you have been warned)

  4. Cain and VoIP Sniffing by Anonymous Coward · · Score: 5, Informative

    There is a program called Cain that can sniff VoIP traffic (as well as other things) and turn it into a wav file if it understands the codec. There is a video on how it works at: http://www.irongeek.com/i.php?page=videos/cainvoip 1

  5. Re:Hmm... by Shakrai · · Score: 4, Interesting

    Cant we just stick to regular telephones? I dont want my 911 call to be interrupted by a denial of service attack...

    Indeed. I have spoken about this before. In fact from TFA:

    Considerating the stability and reliability of the tradional telephony networks - a product of decades of work - it seems foolhardy to replace it.

    I couldn't agree more! All the power to people who use VoIP or cell phones as a primary line. But anyone who completely abandons POTS at this point is jumping off the diving board with no idea of how deep the water is. POTS is damn near 100% reliable (short of drunk guy hitting pole outside your house), it survives power outages and I don't think it can be brought down by a buggy TV in your neighbors house. A friend of mine lost Roadrunner and TW's digitial phone service for two days because of a TV next door that was leaking RF onto the coax network.

    More to the point, if these services are going to be sold as a replacement for your POTS line then they damn well ought to be regulated like your POTS line -- with requirements for reliability and appeals processes if you get hosed.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  6. PacketCable VoIP security by N7DR · · Score: 4, Interesting
    This is why the PacketCable 1.0 VoIP security spec runs to nearly 400 pages. (www.packetcable.com)

    Of course, now ask how many cable compaines are actually deploying fully PacketCable-compliant systems with all the security turned on the way it was designed to be.

  7. No discussion about this, w/out VoIPsec list by papaia · · Score: 5, Informative

    Please visit the VoIPsec archives, before assuming that any one article could cover it all. There you could find links and comments from some of the most pertinent contributors to this subject.

    --
    == With enough Will Power, one could move mountains. With enough Brains, one would just leave them where they are ==
  8. What about something like OTR? by Ikester · · Score: 3, Interesting

    Can't something like OTR (Off The Record messaging - http://www.cypherpunks.ca/otr/) be applied to SIP or IAX conversations? I know it was designed for slow, IM-type packet traffic, but the crypto is there. It can't be that hard :)

  9. So what? by j-tull · · Score: 4, Interesting

    Since when have good old fashioned telephone systems been secure? I can't count the number of times I've picked up a neighbor's conversation from their cordless phone. Although I'll agree that the scope of the attack may be broader with VOIP (after all, my neighbors phone only puts out enough power to be picked up within a certain proximity), I think an expectation of privacy on any current phone system is a flawed assumption at best.

  10. Re:Hmm... by rbarreira · · Score: 3, Insightful

    Considerating the stability and reliability of the tradional telephony networks - a product of decades of work - it seems foolhardy to replace it.

    [sarcasm] Yeah, fuck progress! [/sarcasm]

    --

    The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
  11. How secure is the PSTN? by Sketch · · Score: 5, Interesting

    Considering I can walk up to 90% of the houses on the street. open up the phone box, and plug a lineman's handset (or anything else) into the phone line...how secure is the PSTN?

    If you think the PSTN is really secure, you might want to look through some old issues of 2600...

    --
    -- OpenVerse Visual Chat: http://openverse.com