Expert Unveils 'Scary' VoIP Hack

Kurtz'sKompund passed us a link to a Techworld article on a frightening new vulnerability for VoIP. The UK's Peter Cox has put together a proof-of-concept software package to illustrate the flaw, a program he's calling SIPtap. "The software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well. The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date."

Holy hyperbole, Batman!

[plover]

Not only that, but ethernet data traffic can be read by someone else on the network, and wi-fi traffic can be monitored by someone even without wires.

In other news, experts have revealed that water is scarily wet, the sun is frighteningly hot, and occasionally rain terrifyingly falls from the sky. We'll interrupt your surfing with more news as it unfolds. Meanwhile, please continue to tremble in fear of the obvious.

Re:Holy hyperbole, Batman!

[aproposofwhat]

So some bloke who's about to start up a VOIP consultancy firm has made a SIP traffic sniffer, which he claims will allow the recording of SIP calls on a network.

I'm sure he's set up his test network appropriately (hubs not switches, no VLANs in sight, every Ethernet packet visible at each node...) to spread FUD and market his services.

Very l33t, I'm sure.

Just a Slashdot advertisement feature again - there seem to be more and more of these appearing.

I'm waiting for the announcement that a program to increase penis size has been written by a bloke in the pharmaceutical industry - that'll make the fromt page for sure :P

Re:Holy hyperbole, Batman!

[Inda]

I put a handkerchief over the mouth piece on the phone. I sometimes lower my voice to a whisper. Simple solutions beat all technology.

Wow

[telchine]

The german police will be pleased!

More Info?

[__aajwxe560]

I read TFA and I didn't see any information that makes this any different than using Wireshark to capture and reassemble the packets and do this (it is fairly easy)? What is so drastically advanced about this discovery? Additionally, isn't a switched network generally protected by this unless a port is specifically configured for packet forwarding? That would be one spiffy trojan to hack into the switch as well and configure this. Also, most VOIP installs I have seen have, at the vendors install requirement, the VOIP phones be on their own VLAN from the data side of the network, further limiting the exposure?

Others will be pleased

[JonTurner]

The telecom companies will be pleased. They're terrified of VOIP, and are holding on to their monopoly customer-no-service business models as long as they can. So any "bad news" that scares customers away from internet phone and back into their clutches is welcomed.

Obvious but a wake-up call

[whamett]

Although this is obvious to many—if you're transmitting data unencrypted from A to B, someone monitoring the communication channel can of course read the data too—the reality is that it probably takes a concrete, real-world package like this, plus media coverage, to before many organizations will grasp the risk.

In other words, although much of the slashdot crowd will say "well, duh", this is a very practical wake-up call for real-world organizations that have deployed VoIP. Of course they'll need to either use encryption of trust everyone and all machines on the network.

Coming up next: An attacker with appropriate radio gear can eavesdrop on cell phone conversations!

Uhh.. Yes..

[zoid.com]

We use this method to record call center traffic. Have a look at Orecx http://www.orecx.com/ . This is not a hack. Also switches will not send the traffic to all systems on the network so you will have to turn on SPAN or use a dumb hub. No news here.