by Dameon Welch-Abernathy on November 27, 2007

Back in March of 2004, I wrote a fairly detailed piece for Voxilla about VoIP and security issues. There are several things I did not cover in this rather lengthy article, reading back on it now, but some things remain true with SIP. More after the jump.
- Call Information Goes In The Clear: Yes, with SIP, who you are and whom you're calling does go in the clear. Yes, you can use Transport Layer Security (TLS) to encrypt this information.
- The Voice Data Goes In The Clear: What you're saying goes in the clear as well. This can be mitigated by using SRTP to encrypt the data portion of the call.
Even if you don't employ encryption for either the call control information or the voice channel, here's the real truth: Unless you can somehow see all the traffic between the two parties, you can't sniff a VoIP call. And you know what? That's difficult to do. As I wrote in 2004:
"In order to actually intercept the call setup or voice data for an in-progress SIP call, you have to be at a location where the call is traveling through, either at the telephone service provider or the ISP. Since it's possible for a connection to change routes midstream, there are only a couple of points where it is practical to intercept a SIP call: On either the SIP client or proxy's premises, or at the ISP used by either endpoint. This isn't unique to SIP: a PSTN call can be intercepted in similar locations."
If you're looking for more meat, Mr Blog's got it.
Bottom line: This SIPtap thing is overblown. Not only is it infeasible to employ, it can easily be worked around by employing encryption. What do you think?
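As an added example (not part of the original post), this Python function audits a SIP INVITE, as logged at an endpoint or proxy, for the two exposures listed above: signaling not carried over TLS and media not negotiated as SRTP. The sample messages, hostnames and the `audit_invite` helper are constructed for illustration; it also flags the case where an SRTP key is offered in SDP over cleartext signaling.

```python
import re

# Constructed sample messages (not captured traffic); hosts, tags and key are made up.
PLAIN_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc1.example.org:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SDES_OVER_UDP = PLAIN_INVITE.replace(
    "RTP/AVP 0\r\n",
    "RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTEDKEYPLACEHOLDER\r\n")
PROTECTED_INVITE = SDES_OVER_UDP.replace("SIP/2.0/UDP", "SIP/2.0/TLS").replace(
    "INVITE sip:", "INVITE sips:")

SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(message):
    """Return a list of findings about what this INVITE exposes on the wire."""
    head, _, sdp = message.partition("\r\n\r\n")
    findings = []
    # The topmost Via names the transport used on this hop (RFC 3261).
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    signaling_encrypted = transport == "TLS"
    if not signaling_encrypted:
        findings.append("signaling-cleartext:" + transport)
    for m in re.finditer(r"^m=(\w+) \d+(?:/\d+)? (\S+)", sdp, re.M):
        media, profile = m.group(1), m.group(2).upper()
        if profile not in SRTP_PROFILES:
            findings.append(f"media-cleartext:{media}:{profile}")
    # SDES puts the SRTP master key in the SDP (RFC 4568), so it is only as
    # private as the signaling that carries it.
    if re.search(r"^a=crypto:", sdp, re.M) and not signaling_encrypted:
        findings.append("srtp-key-exposed-in-cleartext-sdp")
    return findings

if __name__ == "__main__":
    for name, msg in [("plain", PLAIN_INVITE), ("sdes/udp", SDES_OVER_UDP),
                      ("tls+srtp", PROTECTED_INVITE)]:
        print(name, audit_invite(msg) or "no cleartext exposure on this hop")
```

The Via transport describes a single hop only, so a clean result here says nothing about how the next proxy forwards the call.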
Permalink: VoIP Can Be Sniffed? Get Real!
Response from:
Rick McCharles
(11/27/07 8:16am)
Response from:
Tati
(11/27/07 1:40pm)
I go with you on this one, if they get the chance to run this in your network, then you have 100k more important issues to cover before someone tapping in your VoIP conversations is a priority. But, I'd be careful with what you say, even when they can tap in, they can record you without letting you know (www.hotrecorder.com, www.easyvoiprecorder.com, etc.).
Response from:
PhoneBoy
(11/27/07 8:16pm)
Recording one end of the call is not unique to VoIP, though it is easier to do on a computer than it is to do with a normal handset. Encryption doesn't make it impossible to do this, either, but it does make in-transit data a lot harder to capture.
Response from:
Discount International Calling
(12/03/07 1:40am)
Is it really possible to make WAV files from a VoIP phone conversation?
Response from:
Dameon Welch-Abernathy
(12/03/07 1:47am)
It is possible if you can get to the right place(s) in the network and deploy the right tools.

There is value in making the general public aware of the risks of an insecure environment. However, the vast majority of VoIP-related security stories are repeated and sensationalized without any critical examination of the facts or assessment of the actual risk.
Peter Cox, the author of SIPtap, stated in response to my post on the subject (http://www.ric.ca/blog/2007/11/your-voip-is-being-hacked-hang.html) that he designed the tool in order to raise VoIP security awareness and the need for encryption. Unfortunately, most authors who reported on the tool seized the opportunity to grab attention-getting headlines and as a result have contributed to the myth that secure VoIP and IP Telephony is not possible.
Thanks,
Rick McCharles
http://www.ric.ca/blog