Slashdot Mirror


Expert Unveils 'Scary' VoIP Hack

Kurtz'sKompund passed us a link to a Techworld article on a frightening new vulnerability for VoIP. The UK's Peter Cox has put together a proof-of-concept software package to illustrate the flaw, a program he's calling SIPtap. "The software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well. The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date."

18 of 103 comments

  1. Holy hyperbole, Batman! by plover · · Score: 5, Insightful
    Not only that, but ethernet data traffic can be read by someone else on the network, and wi-fi traffic can be monitored by someone even without wires.

    In other news, experts have revealed that water is scarily wet, the sun is frighteningly hot, and occasionally rain terrifyingly falls from the sky. We'll interrupt your surfing with more news as it unfolds. Meanwhile, please continue to tremble in fear of the obvious.

    --
    John
    1. Re:Holy hyperbole, Batman! by NoxNoctis · · Score: 2, Informative

      This is why I SSH tunnel any truly sensitive traffic to as close as I can get to the destination.

      --
      "You're awfully cute, but unfortunately for you, you're made of meat."
    2. Re:Holy hyperbole, Batman! by aproposofwhat · · Score: 4, Insightful
      So some bloke who's about to start up a VOIP consultancy firm has made a SIP traffic sniffer, which he claims will allow the recording of SIP calls on a network.

      I'm sure he's set up his test network appropriately (hubs not switches, no VLANs in sight, every Ethernet packet visible at each node...) to spread FUD and market his services.

      Very l33t, I'm sure.

      Just a Slashdot advertisement feature again - there seem to be more and more of these appearing.

      I'm waiting for the announcement that a program to increase penis size has been written by a bloke in the pharmaceutical industry - that'll make the front page for sure :P

      --
      One swallow does not a fellatrix make
    3. Re:Holy hyperbole, Batman! by Inda · · Score: 4, Funny

      I put a handkerchief over the mouth piece on the phone. I sometimes lower my voice to a whisper. Simple solutions beat all technology.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
  2. Wow by telchine · · Score: 5, Funny

    The german police will be pleased!

    1. Re:Wow by Evan+Meakyl · · Score: 2, Funny

      Maybe the beginning of a new /. meme... congratulations!

  3. This is soo old! by Kris2k · · Score: 3, Informative

    I recall seeing a project on freshmeat in 1999-2000 about the exact same functionality. Granted, it wasn't as refined as this one, but it did exactly what it had to do; sniff packets over the wire, decode them, and send them to your DSP.

    This is old, and that's why people today use VLAN tagged phones to separate VOIP traffic onto another network, combined with switches that don't allow promiscuous activities, intrusion detection systems, picky switches that don't like MAC changes, and voilà, problem solved for the distribution networks.

    There will always be ways to tap conversations, and if you think your POTS land line is secure *chuckle*, get real.

  4. More Info? by __aajwxe560 · · Score: 4, Interesting

    I read TFA and I didn't see any information that makes this any different than using Wireshark to capture and reassemble the packets and do this (it is fairly easy)? What is so drastically advanced about this discovery? Additionally, isn't a switched network generally protected by this unless a port is specifically configured for packet forwarding? That would be one spiffy trojan to hack into the switch as well and configure this. Also, most VOIP installs I have seen have, at the vendor's install requirement, the VOIP phones be on their own VLAN from the data side of the network, further limiting the exposure?

    1. Re:More Info? by jav1231 · · Score: 2, Insightful

      I was wondering the same thing. The hacker would not only have to infect a PC on the network, it would have to be on the voice span. That's something that is not likely since you generally separate your user segment and your voice segment. The two only share WAN pipes to move from one network to another. Then again, this is a proof of concept.

  5. Others will be pleased by JonTurner · · Score: 4, Insightful

    The telecom companies will be pleased. They're terrified of VOIP, and are holding on to their monopoly customer-no-service business models as long as they can. So any "bad news" that scares customers away from internet phone and back into their clutches is welcomed.

  6. Obvious but a wake-up call by whamett · · Score: 4, Insightful

    Although this is obvious to many—if you're transmitting data unencrypted from A to B, someone monitoring the communication channel can of course read the data too—the reality is that it probably takes a concrete, real-world package like this, plus media coverage, before many organizations will grasp the risk.

    In other words, although much of the slashdot crowd will say "well, duh", this is a very practical wake-up call for real-world organizations that have deployed VoIP. Of course they'll need to either use encryption or trust everyone and all machines on the network.

    Coming up next: An attacker with appropriate radio gear can eavesdrop on cell phone conversations!

  7. Uhh.. Yes.. by zoid.com · · Score: 4, Interesting

    We use this method to record call center traffic. Have a look at Orecx http://www.orecx.com/ . This is not a hack. Also switches will not send the traffic to all systems on the network so you will have to turn on SPAN or use a dumb hub. No news here.

    1. Re:Uhh.. Yes.. by silas_moeckel · · Score: 3, Interesting

      And it is impossible to do with a decent switch. Cisco and the like are more than capable of stopping this sort of attack. This is not to say that we should not continue down the path to encrypted sip.

      --
      No sir I don't like it.
  8. Need help from service providers to fix this! by compumike · · Score: 2, Insightful
    I run a small business VoIP phone system with 5 hardware phones, some small number of software phones, and an Asterisk setup. Sniffing traffic and reassembling conversations could definitely happen. The protocols to secure this are already out there:
    • encrypted SIP - would make sure the information about who you're calling stays encrypted
    • secure RTP (SRTP) - would encrypt the actual call audio (and video)
    • encrypted IAX - would do both, though only between Asterisk endpoints

    The current problem for anyone using VoIP is that it's necessary to pay some outside company to do the termination into "real world phone service", aka PSTN, so that you can make and receive calls to the normal phone network. Until the VoIP service providers start letting you do encryption all the way to their end, there's a lot of people who can listen to your phone calls much easier than in the analog days. However, this is going to cost them CPU time. But is this something that people would pay more for? I think the answer might be yes...

    In any case, slightly off-topic, I highly recommend Voicepulse Connect as an IAX/SIP termination/origination provider to anybody who can run their own Asterisk PBX and who wants to punt the local phone company.

    --
    Educational microcontroller kits for the digital generation -- a great gift!
    1. Re:Need help from service providers to fix this! by integral-fellow · · Score: 2, Interesting

      Has anyone else tried Phil Zimmermann's Zfone? Available on OS X, Linux, and Windows, it does end-to-end (up to applications) encryption, from the father of PGP. The code is available for review. The interface is quite slick and his reputation is platinum. Is there anyone else trusted more? It works with many SIP clients: X-Lite, Gizmo, XMeeting, Google Talk VoIP client, SJphone, and Asterisk PBXs. It also works with iChat audio and video and these VoIP providers: Free World Dialup, iptel.org, and SIPphone. It does not work with Skype.
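
An added example, not part of any comment in this thread: a defensive check for the "encrypted SIP" and "secure RTP (SRTP)" protections compumike lists above, reading a SIP message and reporting whether signalling and media are offered in the clear. The function name `audit_sip`, the abbreviated INVITEs and the `example.invalid` / 192.0.2.x addresses are constructed for illustration.

```python
# Added example: constructed, abbreviated SIP/SDP samples, not captured traffic.
# SDP media profiles that mean SRTP was offered (RFC 3711 / RFC 5764 names).
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sip(message: str) -> dict:
    """Report whether signalling and each media stream are offered encrypted."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    transport = None
    for line in head.split("\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v") and transport is None:
            # Via: SIP/2.0/<transport> host:port;params (topmost Via = previous hop)
            transport = value.split()[0].split("/")[-1].upper()
    streams = []
    for line in body.split("\n"):
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            streams.append({"media": media, "port": int(port), "proto": proto,
                            "encrypted": proto.upper() in SRTP_PROFILES,
                            "keying": None})
        elif streams and line.startswith("a=crypto:"):
            streams[-1]["keying"] = "SDES"        # key carried in the SDP itself
        elif streams and line.startswith("a=fingerprint:"):
            streams[-1]["keying"] = "DTLS-SRTP"   # key agreed in the media path
    tls = transport == "TLS"
    return {"transport": transport, "signalling_encrypted": tls,
            "streams": streams,
            # SDES puts the SRTP key in the SDP, so cleartext signalling leaks it.
            "key_exposed": not tls and any(s["keying"] == "SDES" for s in streams)}

CLEAR_INVITE = (
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed1\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
SECURE_INVITE = (CLEAR_INVITE.replace("SIP/2.0/UDP", "SIP/2.0/TLS").replace("RTP/AVP", "RTP/SAVP")
                 + "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY\r\n")

if __name__ == "__main__":
    for label, msg in (("cleartext", CLEAR_INVITE), ("secured", SECURE_INVITE)):
        print(label, audit_sip(msg))
```

Media keyed in the media path rather than in signalling (as ZRTP, the protocol behind Zfone, does) can still show `RTP/AVP` in the SDP, so a cleartext result here means no SRTP was offered in signalling, not proof that the audio is unencrypted.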

  9. sip has always been insecure. by Hybridmutant · · Score: 2, Insightful

    Well I just find this beggars belief that the article comes across as if there's a new hole in voip and in this case SIP.
    SIP was never intended to be anything other than a means to negotiate RTP streams. Any decent voip sysadmin would know that SIP is only trusted as far as the wires it runs on.
    'Wiretapping' a SIP call is not as difficult as people may assume it to be. I'm sure you would find some relatively basic instructions on doing just that using Ethereal/Wireshark online. If you can capture the traffic, you can easily pull out the RTP stream and then decode into ulaw/alaw (or whatever it was encoded as) and listen to it. Though it's nice that someone has taken the initiative to build an even easier means to do this.

    The internet Gods created things called vpns so that I can safely phone seX0r without the spooks getting off as well

    --
    I have morals, If you don't like them, I have other ones.
  10. Re:zfone by JackMeyhoff · · Score: 2, Interesting

    How do you know? From their advertisement or have you checked? I never take things on face value. Anyway, if they really want to listen you stand no chance.

    --
    http://www.rense.com/general79/wdx1.htm
  11. Is your office on a switched network? by CFD339 · · Score: 2, Informative

    Most networks now are switched, not using open hubs. In a switched network, you can't just stick a network card in promiscuous mode and hear all the traffic. The switch connects the two ends that are talking, (e.g. your phone and pbx) and excludes that traffic from anyone else on that switch.

    The vulnerable points come after the switch, for example if all the phones use a switch, and that switch has a connection to the PBX, then if you could insert a hub between the pbx and the switch you could use this hack there. If your pbx uses VoIP to upstream the link to a VOIP provider, then someone could get on the WAN link between your PBX and provider.

    Both of these require way more access -- and likely physical access -- than this article makes out.

    --
    The problem with quotes on the internet, is that nobody bothers to check their veracity. -- Abraham Lincoln