  bigunk Gort, Klattu Birada Nikto
join:2001-02-10 Santa Clarita, CA | Excellent!!
Since this is what I do for a living, the more I can learn, the better for my clients. |
|
  quetwo That VoIP Guy Premium join:2004-09-04 East Lansing, MI
| Well..
People in the industry have known about the risks of VoIP since day one. Like the original cellular telephones, it was seen as a convenience (and possibly cost-savings) effort, rather than a solid, secure one.
Many vendors don't secure their signaling or bearer channels. Most open-source don't even give the option to provide TLS or SSL encryption for their signaling (let alone anything with the voice channels). Many of the major vendors (Cisco, Nortel) don't turn on encryption by default. If you inter-operate with Microsoft OCS, there is no possibility for encryption (unless you use one of their line-side T1 devices, which isn't VoIP).
It's a problem with the industry. We let the OSS guys create and make popular standards that had to be hacked to make secure. SIP, while very interoperable, is very easy to parse and intercept/redirect. Other standards by the telecom working groups, like H.323 and H.248 were built around security. Yet, the industry has moved to the SIP world because it is 'cooler' and 'more popular'. |
|
  TKJunkMail Enjoy the sun Premium join:2002-03-03 Avalon, NJ
·Sprint Mobile Broa..
·Comcast
| reply to bigunk Re: Excellent!!
said by bigunk: Since this is what I do for a living, the more I can learn, the better for my clients.
And many businesses tell their employees that they can and will listen in to voice calls and internet traffic made using office devices. A tool like this would make that easier to do. Security departments in large companies often monitor both voice and data communications of their employees. And as long as they let their employees know this, it has been ruled legal.
-- My BLOG .. .. Internet News .. .. My Web Page Ask yourself one question: 'Do I feel lucky?' Well, do ya punk? |
|
  fcisler Premium join:2004-06-14 Riverhead, NY
| news?
This is news?
My job did not want to allocate another subnet for VoIP. We set up a demo on a regular subnet and my boss used it for the day.
I forwarded him wave files of all his calls at the end of the day.
The next day I had a completely separate subnet for ALL VoIP services.
They then didn't want to invest in a proper firewall for the voice subnet and wanted to be able to access it on any subnet.
I called in sick that day and emailed my boss another copy of all his calls which I retrieved from home over the VPN.
There is now a very tight ACL list on the voice subnet. It's not able to get to the internet and a very select number of PCs are able to get into it. The next step is OpenVPN with certificates and NOTHING getting routed into it.
It goes without saying that it was trivial previously to tap into a pair of copper wires and listen in on any call. With the move to digital, however, one must be extremely cautious as to what tubes can get to where. This does not apply exclusively to voice, though. |
|
  quetwo That VoIP Guy Premium join:2004-09-04 East Lansing, MI
| reply to TKJunkMail Re: Excellent!!
But what about the people that are not supposed to have access to this data/voice? What about the guy who is there fixing your printer, running Wireshark, and is taking dumps of all of your traffic? There are no longer just policy issues, but real security issues.
Would you go to a banking website that didn't offer SSL? Would you call them? Sure! But if you/your company didn't secure their VoIP, it is just as secure as plain HTTP. |
|
 pandora Premium join:2001-06-01 Outland
| Ok, try this. I'm a Future-Nine customer, using a PAP2T. How exactly do I get secure VOIP communication on my calls?
-- "People demand freedom of speech as a compensation for the freedom of thought which they seldom use." |
|
 nitzan Premium,VIP join:2008-02-27
·ViaTalk
·Comcast
| said by pandora: Ok, try this. I'm a Future-Nine customer, using a PAP2T. How exactly do I get secure VOIP communication on my calls?
You cannot at this point. Secure RTP is not developed enough to implement at this point in time unfortunately.
We do intend to implement it once readily available though.
Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time.
If a third-party wanted to spy on you specifically, in 99% of cases they can't.
-- Nitzan Kon, CEO Future Nine Corporation |
|
 nitzan Premium,VIP join:2008-02-27
·ViaTalk
·Comcast
| reply to quetwo
said by quetwo: Would you go to a banking website that didn't offer SSL? Would you call them? Sure! But if you/your company didn't secure their VoIP, it is just as secure as plain HTTP.
Totally agreed. The problem however is that Secure RTP is not mature enough at this point, so it is simply not available as a widespread solution. It'll be some time (and probably a lot more demonstrations of vulnerability) before this area gets the attention it deserves.
-- Nitzan Kon, CEO Future Nine Corporation |
|
 pandora Premium join:2001-06-01 Outland
·ooma
·Future Nine Corpor..
·Comcast
| reply to nitzan
Thanks for the information. I have another question about security. My thought was my cable Internet service is shared with about 60-100 of my neighbors. Wouldn't any of my neighbors on our shared Comcast cable node be able to listen in to my VOIP calls?
-- "People demand freedom of speech as a compensation for the freedom of thought which they seldom use." |
|
  sporkme drop the crantini and move it, sister Premium,MVM join:2000-07-01 Morristown, NJ
·Optimum Online
| reply to fcisler Re: news?
said by fcisler: This is news?
Exactly. I'm sure there are better tools, but Wireshark is pretty darn easy, and it will spit out a .wav file of the RTP stream. This is common sense... |
|
  Rogue Wolf Is Kind Of A Big Deal In Yemen
join:2003-08-12 Troy, NY
·RoadRunner Cable
| reply to fcisler
You're lucky you had an understanding boss. I've known a few who would've fired you for taking the liberty and would've ended up doing nothing about the security problem.
-- Attention. Attention, please. We have the funk. I repeat, we are in full possession of the funk. |
|
 Kearnstd Elf Wizard Premium join:2002-01-22 Mullica Hill, NJ
| reply to bigunk Re: Excellent!!
AFAIK no, I don't think they can get your packets to come through their cable modem. At least not in the current versions of DOCSIS. I'd imagine their CDV service would be harder to "hack" unless of course you have access to the switch or some other point where your calls are no longer on the DOCSIS network and are on a normal IP network.
That said, if someone wants to get at your calls they will. There is no such thing as absolute communications security unless you have an empty soundproof room that is also a Faraday cage, and fires off an EMP in the room before you start talking (to fry any micro-recorders).
-- [65 Arcanist]Filan(High Elf) Zone: Broadband Reports |
|
  anony101
@comcast.net
| reply to nitzan
said by nitzan: Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time.
That's not accurate. Cable customers can listen in to unencrypted VOIP calls within the same node they're in which means their neighborhood. |
|
  anony101
@comcast.net
| reply to pandora
said by pandora: Thanks for the information. I have another question about security. My thought was my cable Internet service is shared with about 60-100 of my neighbors. Wouldn't any of my neighbors on our shared Comcast cable node be able to listen into my VOIP calls?
It depends whether your VOIP provider uses SRTP to encrypt RTP packets from you to their proxy. Some do and some don't. You should call them and ask.
Keep in mind that encrypted VOIP calls lose the encryption once they reach the PSTN. |
|
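An added example, not part of the thread or any poster's code: one way to answer the "does my provider use SRTP?" question from an INVITE captured on your own device, covering both the signaling transport and the media profile raised in the posts above. The function name `audit_invite` and both sample messages are constructed for illustration, and the check also recognises DTLS-SRTP keying, which the thread does not mention.

```python
SECURE_TRANSPORTS = {"TLS", "WSS"}  # Via transports that run over TLS

# Constructed sample: UDP signaling offering cleartext RTP audio.
SAMPLE_PLAIN = (
    "INVITE sip:bob@example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)
# Constructed sample: TLS signaling offering SRTP keyed in the SDP (SDES).
SAMPLE_SRTP = SAMPLE_PLAIN.replace("SIP/2.0/UDP", "SIP/2.0/TLS").replace(
    "RTP/AVP 0\r\n",
    "RTP/SAVP 0\r\na=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED\r\n",
)


def audit_invite(message: str) -> dict:
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    transport = None
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v") and value.strip():
            # "SIP/2.0/UDP host:port;..." -> "UDP" (topmost Via = this hop)
            transport = value.split()[0].rsplit("/", 1)[-1].upper()
            break
    signaling_ok = transport in SECURE_TRANSPORTS
    media, session_keying = [], None
    for line in sdp.split("\n"):
        keying = ("SDES" if line.startswith("a=crypto:") else
                  "DTLS-SRTP" if line.startswith("a=fingerprint:") else None)
        if line.startswith("m=") and len(line.split()) >= 3:
            kind, _port, proto = line[2:].split()[:3]
            media.append({"kind": kind, "proto": proto, "keying": session_keying})
        elif keying and media:
            media[-1]["keying"] = keying
        elif keying:
            session_keying = keying  # session-level attribute covers all media
    for m in media:
        # RTP/AVP(F) is cleartext RTP; only the SAVP(F) profiles are SRTP.
        m["encrypted"] = "SAVP" in m["proto"].upper() and m["keying"] is not None
        # SDES puts the SRTP key in the SDP, so cleartext signaling leaks it.
        m["key_exposed"] = m["keying"] == "SDES" and not signaling_ok
    return {"signaling_encrypted": signaling_ok, "media": media}
```

A result with `encrypted` true but `key_exposed` also true means the audio is SRTP while its key crossed the network in the clear, so anyone who captured the signaling can still decrypt the call.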
  knightmb Everybody Lies
join:2003-12-01 Franklin, TN
·AT&T DSL Service
| reply to anony101
said by nitzan: Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time.
said by anony101: That's not accurate. Cable customers can listen in to unencrypted VOIP calls within the same node they're in which means their neighborhood.
Does that mean all Cable calls are unencrypted by default? How would a customer turn on encryption?
-- Fight NebuAD and the like: Click Here to pollute their data |
|
 pandora Premium join:2001-06-01 Outland
·ooma
·Future Nine Corpor..
·Comcast
| reply to anony101
said by pandora: Thanks for the information. I have another question about security. My thought was my cable Internet service is shared with about 60-100 of my neighbors. Wouldn't any of my neighbors on our shared Comcast cable node be able to listen into my VOIP calls?
said by anony101: It depends whether your VOIP provider uses SRTP to encrypt RTP packets from you to their proxy. Some do and some don't. You should call them and ask. Keep in mind that encrypted VOIP calls lose the encryption once they reach the PSTN.
If you read this thread, you'll see my provider has posted and indicated there is no security for my VOIP content.
»Re: Excellent!!
-- "People demand freedom of speech as a compensation for the freedom of thought which they seldom use." |
|
 nitzan Premium,VIP join:2008-02-27
·ViaTalk
·Comcast
| reply to anony101
said by nitzan: Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time.
said by anony101: That's not accurate. Cable customers can listen in to unencrypted VOIP calls within the same node they're in which means their neighborhood.
I could be wrong, but AFAIK your neighbors CANNOT sniff your packets. Unless they have access to the switch - which they don't - they cannot listen in on you. |
|
  TKJunkMail Enjoy the sun Premium join:2002-03-03 Avalon, NJ
·Sprint Mobile Broa..
·Comcast
1 edit |
said by nitzan: Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time.
said by anony101: That's not accurate. Cable customers can listen in to unencrypted VOIP calls within the same node they're in which means their neighborhood.
said by nitzan: I could be wrong, but AFAIK your neighbors CANNOT sniff your packets. Unless they have access to the switch - which they don't - they cannot listen in on you.
You couldn't do it on the PC side of the cable modem. But if you hook up a device directly to the cable and bypass the cable modem altogether with a sniffer device, you could see and capture the packets on your local node.
-- My BLOG .. .. Internet News .. .. My Web Page Ask yourself one question: 'Do I feel lucky?' Well, do ya punk? |
|
 nitzan Premium,VIP join:2008-02-27 | Interesting. Didn't know that.
So essentially, cable internet is inherently less secure than, say, DSL? or better yet - FTTH? |
|
  Cabal Premium join:2007-01-21 Boston, MA
| reply to anony101
said by nitzan: Keep in mind however that the only ones who can "listen in" on your calls are your ISP, our ISP, and the phone companies on the way. None of which are going to bother filtering through millions of minutes of call time.
said by anony101: That's not accurate. Cable customers can listen in to unencrypted VOIP calls within the same node they're in which means their neighborhood.
False. Look up BPI+.
-- Do you care about network neutrality, the right to privacy, or patent system abuse? Obama used to. |
|