Slashdot Mirror


Bugging Catches Up To SIP Phones

SkiifGeek writes "After news at the end of last year that mobile phones could be remotely eavesdropped, and there being a long history of remote eavesdropping possible on normal telephones, it was only a matter of time until VoIP devices were found to be eavesdroppable (whether intentionally or not). In the last week there have been several exploit code releases, and it seems that some vendors who chose to write their own SIP networking stacks are at risk of their devices being easily eavesdropped on."

8 of 70 comments

  1. Why no security as standard? by DamienMcKenna · · Score: 2, Interesting

    So why isn't there security implemented as standard? Come on, there are lots of perfectly good standards: SSL, TLS, SSH, etc.

    Damien

  2. Zfone? by hedley · · Score: 5, Interesting

    Should VoIP users consider using Phil Zimmermann's Zfone? Possibly a bit more secure than what we have now, I would wager.

    http://zfoneproject.com/

  3. Re:This is just a ruse by phone makers by digitalchinky · · Score: 2, Interesting

    I'm not quite sure if you are trolling, perhaps not. Here in the Philippines, most hospitals have overcome this simply by keeping up to date with modern equipment. Everything is shielded, there are no bans at all on cell phones in any part of the vast majority of hospitals. I'm not sure where you are from, though I guess the difference could be somewhat cultural - in the US it seems to me that people like someone or something to blame, no matter how outlandish the logic. I know this is a stereotype, but it does exist.

    Haven't you seen enough stories here on Slashdot that debunk the whole aircraft and fuel station dangers?

    I'm not sure what kind of cell phone you have that you might think it could be remotely activated to become a nice little spy toy. I don't know of any evidence that is indicative of an off-the-shelf consumer device being able to do those things in its default state. I've been around active SIGINT for a lot of years, if it were that easy, it would have been exploited years ago. Symbian doesn't allow squat to get installed without a series of confirmation dialogs, if there were a remote way in over the air or otherwise, it would have been exploited many times over. The unlocking scene has long since reverse engineered every aspect of most phones, they'd be the first to speak up if they found back doors of this magnitude, not for the spying ability, but simply because it would be a foolproof way to bypass TPM.

  4. TLS!! by whardier · · Score: 2, Interesting

    Many phones and PBXs support SRTP by using TLS. This is still a huge privacy issue for most people, however encryption fixes privacy issues with most network tapping systems. You guys having a hard time with Comcast and BitTorrent? You can use IPSEC to get around a lot of that, or LogMeIn/Hamachi. If torrent sites existed in Hamachi networks (why not?) which is purely P2P as well as free and encrypted then you can go about your business with 802.3 segments encrypted and sent over completely dynamic IP ports.

  5. Re:Uhhh, not really by Anonymous Coward · · Score: 1, Interesting

    That's very shortsighted. Knowing which articles my team is reading and commenting on (not just "something on /." which is all TLS gives away) is pretty close to telepathy. Web searches are even more important. Almost every company I've ever worked for paid a bonded service to shred my printouts, and those don't give competitors nearly as much insight into my current work.

  6. This isn't listening in on calls by billstewart · · Score: 2, Interesting
    I'm not a lawyer, but I have played a politician on TV.


    This isn't the same thing as listening in on calls between your target and someone else. This is making a call to somebody and bugging their conversations. You're probably supposed to get a warrant, at least in pre-Bush America. (Though in the real pre-Bush America, that mainly mattered if you wanted to use what you heard in court or needed the telco's help for the wiretap; otherwise you just happen to have gotten "an anonymous tip" that your target met so-and-so and talked about such-and-such, which was enough evidence to get a real warrant from a judge.)

    --

    Bill Stewart
    New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks

  7. Re:Combined with WiFI and no encryption by badfish99 · · Score: 2, Interesting

    the industry chooses not to deploy them
    Which is the whole problem. Section 26 of RFC3261 is entitled "Security Usage Recommendations" and describes a variety of security mechanisms that implementors may (or may not) choose to use.
    If I am in control of both ends of the SIP conversation, I can arrange things so that it is secure. But if I just call some random person on a SIP phone, it looks like I've got no guarantee that the two ends will negotiate any sort of encryption, and if they do not, there is no feedback to tell me that my conversation is insecure. So in practice I've just got to assume that all SIP conversations are insecure.
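
The missing feedback raised in comment 7, and the SRTP-with-TLS pairing mentioned in comment 4, can both be read off the SIP message and its SDP body. The following is an added example, not code from any poster or from RFC 3261; the sample messages, hosts and key are constructed placeholders, and `audit_sip` is a hypothetical helper name.

```python
import re

def _msg(*lines):
    return "\r\n".join(lines)

# Constructed samples, not captured traffic; hosts, branches and key are placeholders.
PLAIN = _msg(
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP pc1.example.com;branch=z9hG4bK-constructed-1",
    "Content-Type: application/sdp", "",
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/AVP 0")
SECURED = _msg(
    "INVITE sips:bob@example.org SIP/2.0",
    "Via: SIP/2.0/TLS pc1.example.com;branch=z9hG4bK-constructed-2",
    "Content-Type: application/sdp", "",
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 49170 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_NOT_REAL")

def audit_sip(message):
    """Summarise what protection, if any, a SIP message with an SDP body shows."""
    head, _, sdp = message.partition("\r\n\r\n")
    hlines = head.split("\r\n")
    vias = [l for l in hlines[1:] if re.match(r"(?i)(via|v)\s*:", l)]
    # The topmost Via only describes the hop that delivered the message to us.
    top_hop_tls = bool(vias) and bool(re.search(r"(?i)SIP/2\.0/TLS\b", vias[0]))
    sips_uri = bool(re.match(r"(?i)\S+\s+sips:", hlines[0]))
    streams, session_dtls = [], False
    for line in sdp.split("\r\n"):
        m = re.match(r"m=(\S+) \d+(?:/\d+)? (\S+)", line)
        if m:
            streams.append({"media": m.group(1), "proto": m.group(2), "keying": set()})
        elif line.startswith("a=fingerprint:") and not streams:
            session_dtls = True                      # session-level DTLS fingerprint
        elif line.startswith(("a=crypto:", "a=fingerprint:")) and streams:
            streams[-1]["keying"].add("sdes" if line[2] == "c" else "dtls")
    for s in streams:
        if session_dtls:
            s["keying"].add("dtls")
        # A secure profile with no keying attribute cannot actually be set up.
        s["srtp"] = "SAVP" in s["proto"] and bool(s["keying"])
    sdes = any("sdes" in s["keying"] for s in streams)
    return {"top_hop_tls": top_hop_tls, "sips_uri": sips_uri, "streams": streams,
            "media_protected": bool(streams) and all(s["srtp"] for s in streams),
            # SDES carries the SRTP key inside the SDP, so cleartext signaling leaks it.
            "sdes_key_in_clear": sdes and not top_hop_tls}
```

A clean result describes only the offer as seen at one hop; the answer from the far end has to be checked the same way before the call can be treated as protected.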

  8. Encrypted Mobile Communications by Pooldraft · · Score: 2, Interesting

    With all of the wiretapping/eavesdropping going on in the US these days, I am looking for a mobile solution. ISPs and Telecom companies are now being directed by the government to keep these backdoors open for them to be able to listen in on communications.

    There has to be a way to get a secure/encrypted communication on a mobile device. I am thinking of VoIP on a mobile phone using the service provider's internet connection or if you are in Wifi range then use that. The idea is to create a system that secures wireless data communication in the US.

    Another idea I had was using Sonopia to mask the data. (for those that don't know Sonopia is a social networking system that allows you to create your own carrier, I think it buys wholesale from the big V). I didn't get too far into the Terms of Use yet.

    Does anyone have any other ideas?