Slashdot Mirror


Overlooked VoIP Security Issues?

penciling_in asks: "Voiponder is running an informative article identifying VoIP attacks, which are applicable to current systems but lack public awareness and are, for the most part, misunderstood. The author's primary purpose is to 'discuss two of the most well known attacks that can be carried out in current VoIP deployments. The first attack demonstrates the ability to hijack a user's VoIP Subscription and subsequent communications. The second attack looks at the ability to eavesdrop in to VoIP communications.' This leaves me begging the question: What other not-so-publicized VoIP security issues should companies be watching out for?"

3 of 42 comments

  1. Re:Any type of DOS attack by RingDev · · Score: 2, Interesting

    Ask your boss if he would be more concerned with the government listening in on the company's VoIP calls, or if a Russian hacker spammed your voice mail system with a demand for $50,000 or the system would be shut down (DoS'd)?

    It's a common enough occurrence in digital service providers. Get a zombie net together, threaten a company with a demand they can afford, shut them down for a day, then wait for the money. The same attack style that the RIAA uses against college students. Sure, losing $3k as a student (or $50k as a company) sucks, but you can survive it, and it's significantly cheaper than trying to fight it.

    -Rick

    --
    "Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
  2. Securityschmurity by thegrassyknowl · · Score: 5, Interesting

    People have trusted their telephone lines for years.

    It's easy for someone to listen in on your phone call. All they need to do is be in a position of trust between your handset and the other person's handset. You wouldn't even know they were there. Do you really trust all the line techs and the people who run the telecoms networks not to snoop on you?

    Admittedly, it's not as easy to hijack a phone line unless you are in the same position of trust. VoIP makes stealing the connection a little easier. Software faults lead the way to security issues and the ability to break into VoIP servers or just do nasty things to the data on the wire.

    I liken VoIP to having a cordless phone on your line. With the right equipment I can sniff a cordless phone call and play back the parts of it that tell the base station the handset wants to make a phone call. DECT is a little harder, but apparently still doable. If you're still using a 30MHz FM cordless phone then the right equipment is available for tens of dollars at your local rat shack!

    Phil Zimmermann recently released some encrypted VoIP software that solves the eavesdropping problem with a good level of security. I can imagine that phone companies and governments will soon be trying like shit to outlaw encrypted VoIP comms because it means all those wiretaps they are so fond of doing become useless.

    I trust my VoIP provider, currently. I log into their SIP server which is at the other end of my DSL connection. They are also my ISP so I know my data never leaves their network except when it is put back on the PSTN. This also has advantages for downstream QoS (they implement it for their own SIP server) so I don't ever get dropouts.

    --
    I drink to make other people interesting!
  3. Encryption by mishehu · · Score: 2, Interesting

    The potential problem is that encryption of the voice stream adds latency to the transmission of the stream. Optimally you want 150 ms or less to pass in transmission, otherwise Bad Things can occur.

    That being said, we have just switched Freeswitch to use SRTP in the past few days, which appears to support keyed transport. Does anybody else have experience using this library and can tell us about your experience encrypting SIP and/or RTP with it?