Slashdot Mirror


VoIP Security Threats Defined

Zonorph writes "InformationWeek is reporting that the recently formed industry group Voice over IP Security Alliance (VOIPSA) just published their first draft of a VoIP Security Threat Taxonomy for public comment. From the VOIPSA, 'This VoIP Security Threat Taxonomy is meant to define the many potential security threats to VoIP deployments, services, and end users. Part of the challenge of devising effective VoIP security protections requires first identifying these threats in the first place.'"

60 comments

  1. This roughly translates to: by Killjoy_NL · · Score: 1

    "This is fairly easy money, let's think of stuff to keep ourselves busy"

    --
    This is the sig that says NI (again)
    1. Re:This roughly translates to: by amodm · · Score: 1

      Whether it makes money for them is not the issue. The issue is that anything that is transmitted over a public channel is open for analysis, and hence private information needs to be secure.

      It's very encouraging to see that they are taking a methodical approach to securing this. It is a hint that people are starting to take security in every public channel very seriously.

      I would very readily give money to someone who makes me more secure about my communications.

    2. Re:This roughly translates to: by Killjoy_NL · · Score: 1

      That may be, but every time I see or hear some stuff about a commission (sp?) like this, they usually waste a sh*tload of money for meager results.

      So please forgive me my cynicism

      --
      This is the sig that says NI (again)
    3. Re:This roughly translates to: by quarkoid · · Score: 4, Insightful

      The issue is that anything that is transmitted over a public channel is open for analysis, and hence private information needs to be secure.

      No, that's not the issue. The good old PSTN is public and insecure. The post (snail mail) is public and insecure. If people want to send their information securely, they scramble their phone calls and encrypt (code/cipher/whatever) their post. The same applies to VoIP (VPN, encryption etc.).

      The issue here is cost.

      When a VoIP system is cracked, it costs somebody money.

      The problem here is a lack of understanding on how to secure (*NOT* encrypt) VoIP connections.

      Nick.

    4. Re:This roughly translates to: by amodm · · Score: 1

      No, that's not the issue. The good old PSTN is public and insecure

      Just coz it wasn't done doesn't mean it shouldn't have been done. That is why it's a good thing that this is happening now. People are taking security more seriously.

    5. Re:This roughly translates to: by trewornan · · Score: 1

      The government wants some security on VOIP because otherwise people will start using secure encryption of their own. Provide simple security by default and most people won't bother with strong methods like VPN which give the government problems exercising their right to monitor their citizens.

    6. Re:This roughly translates to: by SComps · · Score: 1
      I would very readily give money to someone who makes me more secure about my communications


      I know it sounds crazy, but how about being secure in your communications? Don't disclose things to people in areas that are insecure. Why does society think it's always up to somebody else to protect us from ourselves?

      Beyond that, companies that study things are hired researchers. They're largely hired to legitimize a predetermined answer; not actually research an answer, for that answer may contradict the company's (or clients) interests.
    7. Re:This roughly translates to: by sgtrock · · Score: 2, Insightful
      I just can't let this go unchallenged:

      No, that's not the issue. The good old PSTN is public and insecure. The post (snail mail) is public and insecure.


      Two very bad examples because they are both more secure than standard unencrypted network data.

      * Eavesdropping on classic PSTN requires physical access to the line or switch. If you manage to find network access to a console port, it's possible to copy a data stream from one trunk port to another. You still need to get connected to it somehow.

      * Snail mail conversations also require physical access. That access is difficult to come by for more than a handful of end stations without actually working in your country's postal service. Even then, you are still limited to your ability to sort through vast amounts of mail to find the handful of correspondence that you are actually interested in looking at. Governments can do this, but only by putting an incredible burden on the ability to just deliver the mail. On top of all that, all conversations are all wrapped in an envelope (with the obvious exception of postcards). That envelope helps to keep the contents of any conversation secure from all but the more sophisticated ability to snoop.

      No, both examples that you use are far more secure by design and by their nature than simple data traffic. VOIP is simply just one more example of a much larger class of problem that has already been pretty much solved from a technical standpoint. We just need vendors and customers who understand and practice basic network security. (Yes, I think that means end to end encryption for starters. :) )

    8. Re:This roughly translates to: by Shanep · · Score: 1

      The issue is that anything that is transmitted over a public channel is open for analysis, and hence private information needs to be secure.

      Make that "ANY channel which leaves your scrutiny". Even if it does not pass the public.

      Years ago, I was chatting with a friend on the phone and we started talking about our local telco, which I had previously worked for. We were having a bit of a bitch session about how poor their service is, their dodgy workmanship, the incredible profits they make and what a lazy bunch they are on average. I knew, I worked for them. During this bitch session, someone else broke into the conversation (a male voice) and said something to the effect of, "what a load of bullshit".

      These were landlines with wired handsets on both ends. My friend assured me nobody at his end could have said it (he lived with his mother and sister) and I knew that nobody at my end could have said it. My friend was also not the joker type.

      On another occasion, someone who was trying to ring me, could not get through because I was already on the phone. Apparently they have no idea what the engaged signal means, so they rang this telco to report a problem. During my phone conversation, an employee of this telco broke in, letting me know that someone was trying to get through.

      If a signal leaves your control or goes beyond an area you are able to police, regardless of who could be listening, you can forget privacy without properly implemented and appropriate crypto measures.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
    9. Re:This roughly translates to: by Shanep · · Score: 1

      * Eavesdropping on classic PSTN requires physical access to the line or switch.

      I can easily listen to my next door neighbour if I really wanted to. Often the telco junction boxes are unlocked or sometimes they are even completely missing their covers in my part of the World.

      * Snail mail conversations also require physical access.

      People work at post offices. People cannot be trusted.

      The potential "men in the middle" in your Internet traffic, are mostly ISP staff. ISP staff, telco staff, post office staff, what's the difference? Sometimes the public CAN intercept PSTN and snail mail, same goes for Internet traffic.

      I certainly don't view PSTN or snail mail to provide greater security. I've had people eavesdrop and maliciously break into my phone conversations and I've had some of my snail mail stolen (sometimes even given back to me with the envelope opened) from my locked letterbox.

      "Locks". They mostly just make people feel good.

      --
      War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  2. "Security" "Threat" is largely expectations by team99parody · · Score: 4, Insightful

    If everyone somehow thinks VOIP on the internet is some magically secure channel, they'll use it carelessly and lots of security problems will occur.

    If they think it's a public chatroom (like an IRC channel) they'll be careful what they say, and fewer problems will result.

    Same for email - if it were only widely known that email can be forged by anyone and read by anyone, the Nigerian spammers wouldn't have any luck finding a mark. But the damn "email security" industry and ISPs set people's expectations incorrectly and a lot of people get hurt.

  3. It would be bad if my parents had VoIP when... by Super+Nicko · · Score: 2, Funny

    ...I was a child. A bit of packet sniffing here, and they would have known all my secret plans to take over the world!

  4. The biggest security threat to VOIP is CALEA by dyfet · · Score: 1, Interesting
    The biggest single threat to the security of VOIP deployments is CALEA mandated backdoors in VOIP services IMHO. This is in effect government mandated exploits waiting to be exploited by others as well. Cisco was only the latest to demonstrate just how well undisclosed backdoors hidden by obscurity really work, but in this case the problem is not one that can later simply be fixed in the code, because it was broken by the law.

    1. Re:The biggest security threat to VOIP is CALEA by Anonymous Coward · · Score: 3, Insightful

      The biggest single threat to the security of VOIP deployments is CALEA mandated backdoors

      Yes indeed. VoIP transmissions can be easily secured with *strong* encryption like RSA or AES with long keys. But governments will prevent it from becoming standard. Of course the caller and callee can make additional arrangements to use strong encryption, when available (ala PGP mail). And in the current political climate, that will be marked as illegal use too. Sigh :-(.

    2. Re:The biggest security threat to VOIP is CALEA by freakybob · · Score: 1

      VOIP would be used mostly for international calls would it not? So which country's laws would apply regarding tappability, the caller's or the callee's? Either way, someone's legal rights are being violated.

    3. Re:The biggest security threat to VOIP is CALEA by Anonymous Coward · · Score: 0

      VoIP would be used for ALL your calls if you got rid of PSTN,
      like I did.

    4. Re:The biggest security threat to VOIP is CALEA by Anonymous Coward · · Score: 0

      CALEA is in use now for all PSTN calls (local or international). If big brother wants to hear what you have to say... they will. The same for DATA...

  5. Re:"Security" "Threat" is largely expectations by Anonymous Coward · · Score: 4, Insightful
    Another good example is comparing VOIP security with the lack of security of the analog phone line coming in your house. Gee, people with alligator clips can tap into the phone lines easily accessible outside your house and listen to your calls.

    Somehow no one gets all excited about those security holes; but somehow computers have some mystical aura that makes people expect them to be locked down to a far greater extent than their physical phone or mailbox. This seems pretty odd, since my physical mailbox gets lots of stuff in it that's far more valuable than my email.

  6. Encryption by WindBourne · · Score: 4, Insightful

    The encryption approach should allow for easier, quicker change of algos. We are now playing a game where we are fighting both crackers and govs.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  7. C'mon... by BMazurek · · Score: 1
    C'mon...
    Part of the challenge of devising effective VoIP security protections requires first identifying these threats in the first place.

    Allow me to rephrase:

    Part of the challenge in an undertaking requires understanding why we might consider doing it in the first place.

    Well...duh....

  8. Communication security by VincenzoRomano · · Score: 3, Informative

    Public VoIP security issues are more or less the same as in the plain old public telephone service.
    If someone really cares about security (and "privacy") issues, she will provide for her own private VoIP service.
    Very few people know whether the communication will travel safely through the net and related servers.
    Yes, my link to my favourite VoIP carrier is encrypted with a zillion bits encryption key. And what happens after?
    The solution is to avoid using public services for security and privacy concerned communications.
    There is very little to do if you dictate your credit card numbers by phone, whatever technology you use!

    --
    Maybe Computers will never be as intelligent as Humans.
    For sure they won't ever become so stupid. [VR-1988]
    1. Re:Communication security by mencik · · Score: 1

      Yes, my link to my favourite VoIP carrier is encrypted with a zillion bits encryption key. And what happens after?

      And the link from my browser to the webserver of my favorite merchant is encrypted using SSL. Since my merchant uses 3rd party hosting and simply repackages the form information in a plain-text email to get that information from the server back to his store, I guess that solid-lock in my browser is a false sense of security, huh? See "Are Secure Internet Transactions Really Secure?", a paper I wrote in 1999.

  9. VOIP is hackable, just like the PSTN by SecureTheNet · · Score: 4, Insightful

    You think the public switched telephone network is any more secure than VOIP? Hackers have been playing around in the phone system since its inception, via switchboard pranks, then devices like blueboxes, and finally hacking the DMS-100 switch used to route your telephone calls. Free service, free features, unbillable numbers, untraceable calls, phone taps, and even controlling dial-in lines to win radio call-in prizes. This is all old hat, and VOIP is simply the new playground.

    --
    SecureThe.Net - Practical Resources for Securing Systems
  10. VOIP! It would be good if skype didn't mute my mic by kitkatsavvy · · Score: 0

    I have wireless broadband, and for a split second I WAS going to consider getting VOIP for local phone calls and such. Just last week, my dad and brother said they wanted to use Skype for audio (ie microphone) talk, so that the whole family (yes all 11 of us) could chat at once (possibly). I got this Skype thing (well Firefly has been around longer but anyway), and as SOON as I made my first call, the DAMN microphone didn't work! AAARRGH! So I found out that Skype automatically MUTED my damn microphone as SOON as I made a call or someone called me! Looking at the skype forum for an answer (http://forum.skype.com/search.php?mode=results&sid=83696fae9b3425f540f3148286a72448), I found out that heaps of other people have this problem too. The second person I ever rang up on Skype has the EXACT same microphone muting problem. My point is, what's the damn use of buying VOIP when it is STILL BUGGY! Btw, I tried a 3-way conference call, and there was horrible feedback and echoing occurring. So again, what's the damn use? Nothing! At least if I used a normal phone line (ie from PABX or whatever), I would still be able to call people, without relying on my wireless connection. Thanks to those lovely raindrops and the extra surface area they have, I can't rely on using VOIP during even a damn rain shower cause my wireless net would cut out. Ahhh dear..

    --
    http://www.psychopanic.com
  11. Re:"Security" "Threat" is largely expectations by jmv · · Score: 2, Interesting

    If everyone somehow thinks VOIP on the internet is some magically secure channel, they'll use it carelessly and lots of security problems will occur.

    Actually, while it's not "magically" secure, it would be possible to make VoIP a lot more secure than about any other communication system. Just think encryption, plus the fact that you can say the key fingerprint out loud so that a "man in the middle" would actually need to imitate your voice in real-time in order to gain access. Of course, you're still vulnerable to mics in your own house...

  12. And us VoIP/Switch/PBX providers will be blamed by quarkoid · · Score: 5, Informative

    I run a business which supplies telephone systems. All our systems run VoIP and all can be remotely accessed. It doesn't matter how much I jump up and down about social/network/hardware security, the customers just don't get it.

    Luckily, we do.

    Hypothetical: One of their PCs gets compromised. It runs packet sniffing software which then copies the voice traffic off elsewhere.

    Hypothetical: One of their PCs gets compromised. It runs packet sniffing software which then registers with the switch and proxies external connections out over the customer's PSTN/VoIP trunks, at the customer's expense.

    None of these have happened yet (in fact, one compromised machine we were called in to look after could have given the cracker access to 30 PSTN lines, but was just used for IRC botting), but I'm just waiting for the day when the customer's trunks are attacked. Of course, when this happens, there is a tangible cost element (in terms of the telco charges for the calls made).

    The worrying thing is that there are a number of telecomms wannabes starting up. These are typically IT companies who are seeing their margins disappear and wanting to branch out. These people are mainly selling Asterisk or some form of virtual PBX service. Sadly, these people don't understand telecomms and (much to my surprise), don't appear to understand basic network protocols and terminology (let alone security). These are the companies who'll give VoIP a bad name and who'll cost their customers a fortune.

    Luckily, as with IT, when the sh1t hits the fan, companies like ours will be there to sort it out (and make more money from sorting it out than we would have done in the first place).

    Ho hum.

    Nick.

    1. Re:And us VoIP/Switch/PBX providers will be blamed by fluffy99 · · Score: 1

      Can you describe your systems a bit more? I'm wondering why on earth the VOIP devices and servers are locally network accessible much less remotely? They should be on their own internal vlan and isolated as much as possible (eg strong network ACLs). Or are these VOIP systems integrated with the PCs somehow or the gateway/callmanagers located off-site? Personally, I'd never hire a VOIP specialist who sets up insecure systems such as you just described.

  13. Security? by el_womble · · Score: 3, Informative

    We're all IT pros or enthusiasts right? Are any of us really under the impression that anything is really secure? Given enough time and resources anything can be cracked - and if it's not the computer system it's the users that are the weakest link.

    If you need to believe that what you are saying is secure, or need to advise people that need to believe that you can secure things, surely that's what you tell them.

    VoIP has a few killer advantages: reduced costs, CD quality sound, potential to expand to video and REDUCED COSTS.

    The security surrounding it may stop pesky neighbourhood kids splicing into your phone line and listening in, but there is NO technology that will prevent a dedicated and skilled cracker from listening into anything you broadcast or keep on your computer. But they are few and far between and I like those odds (it's not as if I have any real secrets). What really bothers me about this is the idea of government mandated backdoors.

    How can a country that gives its citizens the right to bear arms and form militia not see that in the information age encryption is the next Smith and Western? In that respect it's not designed to stop the police from arresting you, or to help you rob banks. Sure you can use it for such, but that's not what it was designed for, it is designed to help you protect yourself, your family and your possessions and act as a deterrent. Just don't expect your six-shooter to defend you from a trained assassin.

    I live in the UK, so I don't carry a gun (not that I would in the US either), but I do lock my house and my car - and I don't give the police a master key unless they ask me and provide a warrant. That's fair. Builders don't look the other way whilst the police come on site and install a special secret door that only they can use and the reason that doesn't happen, is because there would be two sets of people that have the key, the police and the criminals. It's the same with encryption.

    --
    Scared of flying, pointy things snce 1979!
    1. Re:Security? by Detritus · · Score: 2, Informative
      The security surrounding it may stop pesky neighbourhood kids splicing into your phone line and listening in, but there is NO technology that will prevent a dedicated and skilled cracker from listening into anything you broadcast or keep on your computer.

      With a secure telephone, like a STU-III, your hypothetical "dedicated and skilled cracker" is hopelessly outclassed.

      --
      Mea navis aericumbens anguillis abundat
    2. Re:Security? by el_womble · · Score: 1

      Even in the Wikipedia article that you cite, they say that there is a chance, although there are no confirmations, that the STU-III has been hacked. But that's not really my point here. Even if the hardware is secure, the human element is open to attack: "Everybody breaks on the third day".

      From what I understand of cracking, you always take the path of least resistance. If cracking the encryption is hard, you think outside the box and use other technologies to get what you want, laser listening devices, moles, a cute, Russian 'massage therapist'. If a door has a lock, go through the window, if there are no windows go through the air vents, if you can't get through the air-vents, intercept the people that come out the building, take their tags, fingers and retinas and go through the door. We've all seen the films, read the books and are currently working on the t-shirt.

      All you can do is make the job harder. For a given timeframe the difficulty may tend to infinity - but a dedicated, skilled and well resourced cracker will find that hole eventually. The best you can hope for is that the secure timeframe is longer than the sensitivity of the data.

      --
      Scared of flying, pointy things snce 1979!
  14. Locks only keep honest people honest by Dekortage · · Score: 1

    Let's face it: you can add all the security you want, but a determined thief/hacker/criminal will always find a way in. Always. Protect yourselves as much as you can, yes. Just don't expect anything to be 100% secure forever.

    Looking at the VOIPSA Wiki, there is a section entitled "Social Threats." Naively I assumed this section would cover things like social engineering, telemarketing, etc. Instead it has such gems as "Modern interactive communication systems can include more than two people in a session and people can move fluidly from role-to-role, including: initiating contact; joining communication in progress; accepting contact; terminating communication in progress; refusing contact." This needs to be explained?

    --
    $nice = $webHosting + $domainNames + $sslCerts
    1. Re:Locks only keep honest people honest by starfishsystems · · Score: 1
      "Modern interactive communication systems can include more than two people in a session and people can move fluidly from role-to-role, including: initiating contact; joining communication in progress; accepting contact; terminating communication in progress; refusing contact."

      This needs to be explained?

      As a security person, I should think so, yeah. Because if we don't explicitly model these activities, then we may end up leaning heavily on weak or even false assumptions for our security. Worse, any points of vulnerability which they introduce will be hidden. It's another application of the "weakest link" principle, and as such, it resembles any kind of science. If you're not clear about your facts, you end up with a flaky theory. Often, the "facts" themselves are pretty obvious. Often, the implications are not.

      If you'd like a more established example, consider the variety of man-in-the-middle exploits that potentially exist on a public network. Of course it's "obvious" that information on a network passes through many intermediate points where it might be observed or transformed. But when our focus is on something else, we might overlook the obvious.

      I notice that a lot of people don't get what makes signed certificates different from public keys, and it's exactly this example which motivates the difference. Otherwise a man in the middle could just substitute its public key in place of the end parties while the session is being established. Well, what if the man in the middle is actually a man in the middle, because we never allowed for the possibility that there might be more than two people involved in a session? To design a secure solution for this scenario will call for some form of authenticated handoff in midsession, not a trivial exercise at all.

      --
      Parity: What to do when the weekend comes.
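
Added example (not part of the original thread or any poster's code): the key substitution starfishsystems describes above, and the spoken key fingerprint check jmv proposes in comment 11, shown in one simulated call setup. The group parameters `P` and `G`, the function names and the 40-bit fingerprint length are assumptions chosen for the demonstration.

```python
import hashlib
import secrets

# Demo parameters (assumption for this example): p = 2**255 - 19 is prime and
# g = 2. This is NOT a vetted Diffie-Hellman group; a real phone would use a
# standard group or curve from a maintained crypto library.
P = 2**255 - 19
G = 2


def keypair():
    """Return (private, public) for one call."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def session_key(priv, peer_pub):
    """Media encryption key derived from the Diffie-Hellman shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(32, "big")).digest()


def fingerprint(own_pub, peer_pub):
    """Short string each party reads aloud: hash of both public keys it saw.

    Sorting makes both ends hash the keys in the same order.
    """
    lo, hi = sorted((own_pub, peer_pub))
    digest = hashlib.sha256(lo.to_bytes(32, "big") + hi.to_bytes(32, "big")).digest()
    return "-".join(f"{b:02x}" for b in digest[:5])  # 40 bits of the hash


def place_call(intercepted):
    """Simulate one call setup; return what each party ends up with."""
    a_priv, a_pub = keypair()   # caller
    b_priv, b_pub = keypair()   # callee
    if intercepted:
        # The middle party swaps in its own public key in both directions.
        m_priv, m_pub = keypair()
        seen_by_a, seen_by_b = m_pub, m_pub
    else:
        m_priv = None
        seen_by_a, seen_by_b = b_pub, a_pub

    result = {
        "caller_key": session_key(a_priv, seen_by_a),
        "callee_key": session_key(b_priv, seen_by_b),
        "caller_reads": fingerprint(a_pub, seen_by_a),
        "callee_reads": fingerprint(b_pub, seen_by_b),
    }
    # Keys the middle party can compute; empty when nobody tampered.
    result["middle_keys"] = (
        [session_key(m_priv, a_pub), session_key(m_priv, b_pub)] if intercepted else []
    )
    return result


def call_is_authentic(call):
    """The check the two humans perform by voice: do the fingerprints match?"""
    return call["caller_reads"] == call["callee_reads"]


if __name__ == "__main__":
    for label, tampered in (("direct", False), ("key substituted", True)):
        call = place_call(tampered)
        print(f"{label:16} caller reads {call['caller_reads']}  "
              f"callee reads {call['callee_reads']}  "
              f"match={call_is_authentic(call)}")
```

In the substituted case both legs are still encrypted, and each endpoint's key is also held by the middle party; only the mismatch between the two fingerprints read aloud reveals it.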
  15. VoIP is coming! by distantbody · · Score: 1

    Australian media are simplifying the term "VoIP" to just "voice over internet", considered to be easier to understand. Additionally, "vee~owe~eye" is, I consider, more inclined for common usage (ie outside of power user zones) than "vooipp", as the latter is a very quickly spoken word that does not elicit the same visual body motions of the lower face which are much easier to lip read. Oh, and of course that acronym would be so much sweeter...VoISA...mmmm

    1. Re:VoIP is coming! by distantbody · · Score: 1

      Whoops! that was me crapping on again, irrelevantly. no doubt soon to be modded as such. >:\

  16. Re:I was on the committee by CortoMaltese · · Score: 2, Interesting
    I think you will also find this Deconstructing Voice-over-IP article interesting...

    Seriously, this really sounds like a load of bs to me. Perhaps auto-generated?

  17. Re:"Security" "Threat" is largely expectations by Anonymous Coward · · Score: 0

    If they think it's a public chatroom (like an IRC channel) they'll be careful what they say, and fewer problems will result.

    ROFLMAO Just how much time have you spent in IRC channels?

  18. reviewed by Kaarjuus · · Score: 1

    This will probably get bashed to high heavens, but Skype recently got their software reviewed by an independent security expert. Favourably.

    1. Re:reviewed by Slashcrap · · Score: 1

      This will probably get bashed to high heavens, but Skype recently got their software reviewed by an independent security expert. Favourably.

      ITYM Skype say that they recently got the encryption code that they say is part of their software reviewed by someone they say is an independent security expert.

      And the "review" document was written by Skype based on the summary of the report. It says so on their site.

      In other words, this will only make you trust their software if you already trust them.

      Maybe you can tell us which encryption algorithm and key length they are using? What? It doesn't say? Oh well, I'll trust them anyway. It's not like they're out to make money or anything sordid like that.

  19. Re:VOIP! It would be good if skype didn't mute my by JerkBoB · · Score: 1

    Sounds like a ID-10T problem. Could also be PEBCAK, but I'm not sure. Have you tried changing the coffee-cup holder on your Hard Drive?

    --
    A host is a host from coast to coast...
    Unless it's down, or slow, or fails to POST!
  20. Why was there never one of these for POTS? by matth · · Score: 3, Interesting

    It never fails to amaze me that people are ready to jump on VoIP as being "insecure" when in fact it is probably more secure than your POTS line. To tap into a POTS line all you need is a butt set. Climb your local pole (and look like you should be) and no one will question you. Or walk up and place a tap on the CO NID outside a building. If it's a business, look like you should be there, and again no one will question you.

    To actually tap VoIP you need to be in the path of the packet somewhere. It isn't like you can just hack a server and sniff the traffic. You'd actually need to be on a router someplace, and have some way to get the packets off the router and into some form that you could make into an audio file.... Yeah, which would you do?

  21. Re:"Security" "Threat" is largely expectations by ToreTS · · Score: 2, Insightful

    But for someone to tap your phone, they have to come with alligator clips to your phone line. This means that someone can't easily "screen" a lot of different phone lines without a lot of manpower. VoIP, on the other hand, could be tapped remotely without intervening with your installation at all, and the process can be automated.

  22. Re:"Security" "Threat" is largely expectations by Zerikai · · Score: 1, Insightful

    Problem is you can't mass snoop on physical mailboxes, while you can do this on electronic comms.

  23. Smith & Wesson by Anonymous Coward · · Score: 0

    "the next Smith and Western "

    Nice post except for the minor mistake in names. By the way, the original six-shooter was actually a Colt. An earlier flintlock version of the revolver was created by Elisha Collier of Boston and manufactured by a London Company.

    "The strongest reason for the people to retain their right
    to keep and bear arms is as a last resort to protect
    themselves against tyranny in government." --Thomas Jefferson--

    Just change the word "arms" to "encryption".

    1. Re:Smith & Wesson by cwelch · · Score: 1

      I like my Smith & *Western*, but don't forget J.P. Saur either. He was one of Samuel Colt's partners then they got into a fight. Saur makes some dang good revolvers as well.

  24. Government tyranny is the largest threat by wheelbarrow · · Score: 1

    Today's voice telecom network is relatively easy for governments to listen in on. Fearful governments who can only maintain power by limiting access to information will not be quick to give that up. The two examples that come to mind for me are the People's Republic of China and Iran. Both of these governments are afraid of simple dissent and griping. Even the USA government is afraid of what will happen if they cannot wiretap phone calls between terrorists.

    A voip system that uses asymmetric encryption seems like an unbeatable protection of individual liberties from government interference. Imagine that my brother and I exchange public keys and keep our private keys private. What can the government do to crack our phone call if doing so requires the private keys that we are smart enough not to share?

    1. Re:Government tyranny is the largest threat by mla_anderson · · Score: 1

      Imagine that my brother and I exchange public keys and keep our private keys private. What can the government do to crack our phone call if doing so requires the private keys that we are smart enough not to share?

      Anything can be cracked given time and money. The issue comes down to does the government think what you communicated is worth their time and money.

      --
      Sig is on vacation
  25. Sounds like the same thing. by Anonymous Coward · · Score: 0

    What you describe sounds the same for both technologies. In both cases you describe the interceptor must have access to the line that the call is traversing.

    But, apparently you haven't thought it all through. Think about the fact that while you have to be physically present to operate a butt set, with VoIP you simply have to compromise any of the machines along the call path with a trojan or a worm and then run a sniffer or reflector. This allows you to monitor calls remotely rather than having to physically put alligator clips on the wires as you would with a butt set.

    But, that's not all. Think about the issues of denial of service. How do you render a phone unusable without some form of physical access? With VoIP you can render a phone unusable from a remote location with something as simple as a smurf attack from anywhere on the planet. With VoIP, I can use my PDA to shut down your phone and there is nothing you can do to stop me. There is also no way for you to trace the source of the attack back to me.

    That may not sound like a big deal to you but, suppose you needed to call an ambulance at the particular moment that a script kiddie decided to DoS your phone. Suppose you were a business and this attack was used against your PBX, effectively disabling thousands of extensions. Suppose such an attack were launched against a hospital's PBX.

    Then there are the more standard reliability issues. You may be surprised to hear that most internet connections are not nearly as reliable as most phone lines. This is a little secret that many of today's VoIP users are discovering. Here's just one example that happened to make the news. The fact is that it happens all the time but is rarely reported. However, this is rather rare with today's POTS service.

    VoIP security is about a lot more than wire taps.

  26. From the Dept. of Redundancy Dept. by wcrowe · · Score: 1

    Part of the challenge of devising effective VoIP security protections requires, to begin with, first identifying these threats in the first place, for starters, at the outset, initially.

    --
    Proverbs 21:19
  27. Re:I was on the committee by Slashcrap · · Score: 1

    Seriously, this really sounds like a load of bs to me. Perhaps auto-generated?

    Indeed. It's the new craze for trolls who lack the humour and creativity to actually come up with anything themselves. Personally I have a lot of sympathy for them - it must be terrible for one's self esteem to have the desire to troll but to lack the ability to do so. A kind of trolling impotence if you will.

  28. Re:"Security" "Threat" is largely expectations by kvnflynn · · Score: 2, Insightful

    true... but... the problem is physical location. Basically it boils down to connection oriented networks vs. connectionless networks. sure someone can tap a traditional pots line, but they had to be physically "on the line". with VoIP and programs like http://ettercap.sourceforge.net/ this physical domain is extended making it possible for someone to access the path of communications from almost anywhere in the network. I'm not saying that traditional phone security was any better, but VoIP not only suffers from those security issues (DoS, toll fraud, invalid subscribers...), but also from IP inherent problems too (DoS, man-in-the-middle, packet sniffing...) ps. if you want secure voice and you secure it at the handset.

  29. Re:"Security" "Threat" is largely expectations by kvnflynn · · Score: 1

    pps. should read "if you want secure voice then secure it at the handset"

  30. More on VoIP security by cciRRus · · Score: 1

    You might wanna read this article as well. It offers a great introduction to the VoIP security issues.

    --
    w00t
  31. That would probably reduce security by Paul+Crowley · · Score: 1

    Protocols that allow both ends to negotiate what algorithms they use are very hard to get right; they may allow an active attacker to force both ends to use whatever is least secure. The most secure thing is probably to choose good algorithms, and stick to them.

    1. Re:That would probably reduce security by Anonymous Coward · · Score: 0

      Normally, I would agree with you. But considering the fed's capability (CALEA is a red herring; consider other patriotic groups), it is best to be able to change them quickly.
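
The downgrade risk raised in comment 31, as an added example that is not part of the original thread: a toy negotiation in which an on-path party alters the offered algorithm list, next to two defences (a MAC over the handshake transcript, and a pinned suite as the comment recommends). The suite names, the pre-shared `auth_key` and all function names are assumptions made for illustration.

```python
import hmac, hashlib

# Constructed preference order, strongest first; suite names are illustrative.
STRENGTH = ["AES256-GCM", "AES128-GCM", "3DES-CBC", "NULL"]

def server_choose(offer, supported):
    """Server picks the strongest suite that both sides list."""
    for suite in STRENGTH:
        if suite in offer and suite in supported:
            return suite
    raise ValueError("no common suite")

def strip_strong(offer):
    """Models tampering on the path: only the weakest offered suite survives."""
    return [max(offer, key=STRENGTH.index)]

def transcript_mac(key, offer, chosen):
    """MAC over what one endpoint believes was offered and chosen."""
    msg = ",".join(offer).encode() + b"|" + chosen.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def negotiate(client_offer, server_supported, tamper=None, auth_key=None, pinned=None):
    """Return the agreed suite, or raise if a defence detects a downgrade."""
    seen_by_server = tamper(client_offer) if tamper else list(client_offer)
    chosen = server_choose(seen_by_server, server_supported)
    if pinned is not None and chosen != pinned:
        raise ValueError("suite %s is not the pinned suite" % chosen)
    if auth_key is not None:
        # Each side MACs its own view: the client what it sent, the server what it saw.
        client_tag = transcript_mac(auth_key, client_offer, chosen)
        server_tag = transcript_mac(auth_key, seen_by_server, chosen)
        if not hmac.compare_digest(client_tag, server_tag):
            raise ValueError("handshake transcript mismatch: offer was altered")
    return chosen
```

With neither defence enabled, the altered offer silently yields the weakest common suite; that silent outcome is what makes negotiated protocols hard to get right.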

  32. Security vs. Security by mla_anderson · · Score: 1

    With any sort of telco system there are two distinct areas of security. First is the security of the equipment. If crackers gain access to your equipment (in the case of VoIP your servers) they can cost you a lot of money. The second is security of the conversation, if crackers/government can eavesdrop on your conversations it may cost you in other ways.

    The PSTN is somewhat secure in the first area and totally insecure in the second. In my opinion the VoIP world needs to work on the security of equipment first. If we can be as secure from unauthorized access to our equipment and DoS attacks as the PSTN we'll have come a long way. Currently the phone provides no safeguards for privacy other than legislation, therefore it is not unreasonable to leave ourselves open in the same way for the time being.

    Even now, if we must have secure conversations we can pass the audio and signalling through a VPN connection. In the end however, there is no absolute security. End users must be made aware that if they communicate information that information can be compromised.

    --
    Sig is on vacation
  33. Re:"Security" "Threat" is largely expectations by Shanep · · Score: 2, Insightful

    This means that someone can't easily "screen" a lot of different phone lines without a lot of manpower. VoIP, on the other hand, could be tapped remotely without intervening with your installation at all, and the process can be automated.

    To remotely tap your Internet connection, this would typically be done at your Internet Service Provider.

    To remotely tap your telephone connection, this would typically be done at your Telephone Service Provider.

    There are lots of points where these things can be eavesdropped and they are both quite similar with the pros and cons of each comparable method.

    Do you realise that almost all PSTN networks in the World now are digital packet switched? Screening a lot of different phone lines is now trivial for a telco. Do you trust your telco and its staff? I do not trust them any more than the public on the Internet. They ARE "the public" outside of 9-5 and there is lots of opportunity at a telco for the opportunistic. And hell, telcos have never been hacked remotely, right?

    --
    War crimes, torture, lies, illegal spying... Would someone give Bush a blowjob, already, so he can be impeached?
  34. Re:VOIP! It would be good if skype didn't mute my by CRiMSON · · Score: 1

    Umm then your setup sucks. I used various VoIP providers. AOL, Vonage, and even some internet only based ones (Ventrilo, teamspeak). And I get perfect reception, clarity and it sounds great.

    So just because your machine/net connection/tech ability sucks, don't label VoIP as crap.

    --
    oogly boogly!
  35. Re:"Security" "Threat" is largely expectations by Anonymous Coward · · Score: 0
    Problem is you can't mass snoop on physical mailboxes...
    Get a job at the post office.