Whole Network Companies Conferences Industry News Interviews IP Business Pho... New Application skype

« fringME! Gives A Whole Ne... | Main | Jangl Now Supports SMS »

VoIP Can Be Sniffed? Get Real!

Filed in archive Dangers by Dameon Welch-Abemathy on November 27, 2007

This mass hysteria about being able to make WAV files of VoIP conversations, while only recently brought into the forefront with a tool called SIPtap, is completely unwarranted. In short: if someone can run this tool on your network and make WAV files of your phone calls, you've got far bigger problems.

Back in March of 2004, I wrote a fairly detailed piece for Voxilla about VoIP and security issues. There are several things I did not cover in this rather lengthy article, reading back on it now, but some things remain true with SIP. More after the jump.

Call Information Goes In The Clear: Yes with SIP, whom you are and whom you're calling does go in the clear. Yes, you can use Transport Layer Security (TLS) to encrypt this information.

The Voice Data Goes In The Clear: What you're saying also goes in the clear as well. This can be mitigated by using SRTP to encrypt the data portion of the call.

Even if you don't employ encryption for either the call control information or the voice channel, here's the real truth: Unless you can somehow see all the traffic between the two parties, you can't sniff a VoIP call. And you know what? That's difficult to do. As I wrote in 2004:

In order to actually intercept the call setup or voice data for an in-progress SIP call, you have to be at a location where the call is traveling through, either at the telephone service provider or the ISP. Since it's possible for a connection to change routes midstream, there are only a couple of points where it is practical to intercept a SIP call: On either the SIP client or proxy's premises, or at the ISP used by either endpoint. This isn't unique to SIP: a PSTN call can be intercepted in similar locations.

If you're looking for more meat, Mr Blog's got it.

Bottom line: This SIPtap thing is overblown. Not only is it infeasible to employ, it can easily be worked around by employing encryption. What do you think?

Permalink: VoIP Can Be Sniffed? Get Real!
Tags: voip+security siptap voip 2007 call sniffed+real voip+sniffed openads+delivery

Trackback: http://www.creative-weblogging.com/cgi-bin/mt-tb.pl/103802

Bookmark this entry:

Addthis

Ask

Blinklist

del.icio.us

Digg

Fark

Facebook

Google

Lycos

Ma.gnolia

Mr Wong

Netscape

Netvousz

Newsvine

StumbleUpon

Slashdot

Tailrank

Technorati

Wink

Yahoo

No strings attached VoIP service from VoIP.com - 19 January 2007

Get your VoIP protected from SPIT - 14 February 2007

Can Verizon VoIP patents affect competing VoIP services? - 19 April 2007

SIPtap oder: VoIP Abhören leicht gemacht - 26 November 2007

Real VoIP? Is There Fake VoIP Out There? - 09 June 2008

Vote for VoIP Can Be Sniffed? Get Real!:

Currently 7.00/10
1
2
3
4
5
6
7
8
9
10

Rating: 7.00 out of 1 vote(s) cast.

Add your response to VoIP Can Be Sniffed? Get Real!: Response from: Rick McCharles (11/27/07 5:16am) Get Real! I couldn't agree with you more. Let's counter the hype! There is value in making the general public aware of the risks of an insecure environment. However, the vast majority of VoIP related security stories are repeated and sensationalized without any critical examination of the facts or assessment of the actual risk. Peter Cox, the author of SIPtap stated in response to my post on the subject, http://www.ric.ca/blog/2007/11/your-voip-is-being-hacked-hang.html that he designed the tool in order to raise VoIP security awareness and the need for encryption. Unfortunately, most authors who reported on the tool, seized the opportunity to grab attention-getting headlines and as a result have contributed to the myth that secure VoIP and IP Telephony is not possible. Thanks, Rick McCharles http://www.ric.ca/blog Response from: Tati (11/27/07 10:40am) I go with you on this one, if they get the chance to run this in your network, then you have 100k more important issues to cover before someone tapping in your voip conversations is a priority. But, I'd be careful with what you say, even when they can tap in, they can record you without letting you know (www.hotrecorder.com, www.easyvoiprecorder.com, etc...) Response from: PhoneBoy (11/27/07 5:16pm) Recording one end of the call is not unique to VoIP, though it is easier to do on a computer than it is to do with a normal handset. Encryption doesn't make it impossible to do this, either, but it does make in-transit data a lot harder to capture. Response from: Discount International Calling (12/02/07 10:40pm) Is it really possible to make wav files from voip phone conversation.? Response from: Dameon Welch-Abernathy (12/02/07 10:47pm) It is possible if you can get to the right place(s) in the network and deploy the right tools.
Name: *	Email: (will never be shown)*	URL:

(* marked fields are required)
Notify me if more comments appear?	Subscribe to The VoIP Weblog newsletter? (Newsletters are sent out weekly).	Remember me
Security Code: * (Please help us to sort out spam.)

Please enter your comment here: (Sorry, no HTML is allowed - URLs will be made clickable automatically if you add http:// to your URL.)


We welcome your comments, however all comments are moderated. Offensive or off-topic comments will be deleted and not displayed.

RSS	\| See all blog subscribe options
Google	\| What is RSS?
Yahoo!
Addthis
Bloglines
Newsletter
Grouptivity

Use the search to look for other interesting posts

Contributors (Last 90 days)
Jeff Goldman (11)
This site has 947 entries and is powered by Creative Weblogging since October 2005.
Do you want to start or edit an existing blog for us and get paid? More info.
Do you want to advertise on this blog? We have great ideas!
Do you have tips for us? Send them!

Advertise with us
Learn more about our advertising options or email advertising - at - creative-weblogging.com or give us a call at +1 (650) 331 4900.

Testimonials
'Yours is the one blog most tightly aligned with my interests, most "great articles" from my point of view'

'Cool site!'

'Great information especially nowadays where the development is amazingly fast.'

I find it very creative and with unique news, which I think is great compared to some other blogs that just copy other blog's content.
Rodrigue Ullens, Voxbone

Other blogs in the same channel in the Creative Weblogging Network

Technology
BlogWealth

The CIO Weblog

HackITLinux

Googlestack

Java Entrepreneur

Nanotechbuzz

On Storage

P2P File Sharing

Disclaimer
Some of the contents of this site are protected Creative Weblogging Inc. 2004-2009.

Tell a friend about VoIP Can Be Sniffed? Get Real!
Recipient email:*	Your email:*

(* Both email addresses are required for sending this article. They will never be shown or used for any marketing purposes)
Please enter a message which will be shown together with the article:

Security Code: (Please help us to sort out spam.)

VoIP Can Be Sniffed? Get Real!

Filed in archive Dangers by Dameon Welch-Abemathy on November 27, 2007

Bookmark this entry:

Related Entries:

Vote for VoIP Can Be Sniffed? Get Real!:

Add your response to VoIP Can Be Sniffed? Get Real!:

Tell a friend about VoIP Can Be Sniffed? Get Real!

Categories

Archives

Our Editors recommend

Contributors (Last 90 days)

Advertise with us

Most popular

Testimonials

Recent Comments

Other blogs in the same channel in the Creative Weblogging Network

Technology

Disclaimer

Find other popular posts from our other blogs:

BlogWealth

P2P File Sharing

On Storage

HackITLinux

Java Entrepreneur

Nanotechbuzz