
snowpeas
I Need Fiber

join:2003-02-09

Ooma Security

Hi guys,

I recently purchased an ooma unit and it's actually being delivered to the house today. I probably should've inquired about the security risks involved in using an ooma before making such a purchase, but it never crossed my mind. Anyway, from reading one of Pandora's posts, he/she mentioned that calls made within ooma's network (ooma subscriber to another) are encrypted, while making calls outside of the network the voice data isn't encrypted. I am trying to figure the ramifications of how this might impact a user like myself.

How easy would it be for a hacker to get a hold of the voice data? If I were to call the credit card company, which would involve divulging a great deal of personal information, what are the security risks? And are there any methods to prevent such security flaws, if any besides calling with my cell phone?

Also, being a current subscriber to vonage, this question also popped into mind. Does vonage also apply the same kind of model for their security system? IE, vonage to vonage is encrypted, vonage to others unsecure.

Thanks
Rob


dbmaven
There's no shortage
Premium,Mod
join:1999-10-26
Sty in Sky
kudos:3
POTS calls aren't encrypted. Have you ever talked to your credit card company over a POTS line?

I don't believe any of the other VoIP providers encrypt their data stream - others will chime in if that's inaccurate.

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..
reply to snowpeas
The only VOIP service I know of which manages to keep its traffic off internet is Comcast Digital Voice. Which in my area runs about $40-$45 per month.

POTS doesn't encrypt, but generally isn't hacked as for a non-government agency to listen into a POTS call usually requires attaching a device somewhere on your wire connection to the telephone company.

Ooma encrypts SIP credentials and set up via Open VPN, which means the account information Ooma uses is very secure. It is most helpful to Ooma as it protects the company from other people trying to use its service.

Ooma also encrypts voice data with SRTP between the Ooma hub and Ooma servers. I believe Skype does something similar, but I don't know if Skype uses anything like SRTP.

Most if not all other SIP based VOIP providers use RTP, and do not encrypt.

Ooma is secure between Ooma users, most other VOIP (except as mentioned above) is not.

Ooma is secure between the Ooma server and the Ooma hub. However once an Ooma server goes to complete a call, outside of the Ooma network, then it may be unencrypted.

It is a security / privacy issue, and represents a significant issue which I don't think most VOIP providers have addressed.

Currently for SIP, Ooma is probably the most secure provider. Its security isn't perfect, and you do risk possibly having your phone conversation listened into.

How likely or easy it would be to listen in is up to debate. Let us hope someone with a greater understanding of VOIP security adds to this thread and helps us understand both VOIP security and Ooma security better.
--
"People demand freedom of speech as a compensation for the freedom of thought which they seldom use."


gdm
Premium,MVM
join:2001-06-15
Mchenry, IL
kudos:3
AT&T U-Verse & any cable provider (Charter, TWC) works similarly to CDV service.


TinghALingh

@afsontario.com
reply to pandora
It's early days for voip, but there must be a market for encryption, what with the erosion of privacy that you read about every day.

It would be nice to have a cordless phone that will encrypt all calls to and from other, similarly equipped cordless phones, whether or not they are used with voip.

I don't know why the cordless phone makers don't get together to craft a standard, and then have a big advertising campaign screaming about how the neighbors can hear you giving your credit card information to a vendor, etc.

If they made the ads scary enough, they could sell such phones like hotcakes. Hell, I'd buy 3 of them - 2 for our voip connections, one for our landline.

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..
Ooma to Ooma calls are encrypted hub to hub. When the Ooma Telo is released I think we will have encryption handset to handset (with better audio quality than POTS as well).

An Ooma forum discussion about encryption is here - »forums.ooma.com/viewtopic.php?f=···on#p8114

The post content of most interest to me was this - "Between our servers and our carrier partners, the stream is not encrypted. Whether they should be depends on your level of paranoia. Unfortunately, I don't think any carriers support SRTP, so the only way to do protect the voice stream end-to-end is to stay on-net (ooma-to-ooma)."

If I read the above post correctly it is saying the PSTN carrier partners for Ooma do not encrypt. Until the folks who make the magic happen between internet and PSTN start to encrypt, we will not be able to have highly secure connections generally IMO.
--
"People demand freedom of speech as a compensation for the freedom of thought which they seldom use."


usa2k
Blessed
Premium,MVM
join:2003-01-26
Redford, MI
kudos:3
reply to TinghALingh
Even PSTN can use VoIP for some of its routing of the call.

snowpeas
I Need Fiber

join:2003-02-09

2 edits
reply to snowpeas
So are you guys saying that using OOMA is no better than talking on a landline in terms of security risks involved? I guess that's what I am trying to figure out... if the security level is just as good or better than regular landlines, I think it would alleviate a lot of the paranoia.

The ooma package is sitting in my kitchen stove right now... wondering if I should open it or not...


nick digger

@verizon.net
reply to snowpeas
I would be most concerned about someone upstream sniffing/snorting DTMF signals from all the voip/pstn traffic passing through their networks. The data they compiled would be potentially much more compromising than simple credit card receipts or credit applications:
- called # (financial institution)
- account #
- password
- last 4 of SSN, or other verification data
- possibly, calling #


dbmaven
There's no shortage
Premium,Mod
join:1999-10-26
Sty in Sky
kudos:3
Reviews:
·VOIPO
·Optimum Online
reply to snowpeas
said by snowpeas:

So are you guys saying that using OOMA is no better than talking on a landline in terms of security risks involved? I guess that's what I am trying to figure out... if the security level is just as good or better than regular landlines

ooma to ooma = better than any other service
ooma to any other service = the same as any other service

Someone can hack into a telco box and listen in on any conversation (even record it) with a set of headphones with attached alligator clips.

With VOIP, they'd have to hack in to something, have a packet sniffer, and decode the log.

IMO, it's no different than POTS. Some might argue that it's more secure (digital vs. analog) but I don't see that being significant.

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..
reply to snowpeas
Telco and Comcast probably are the most secure products. Skype and Ooma seem to have worked a bit on security, the problem is the industry hasn't. Most other VOIP providers don't currently support any encryption.

The area of internet where Ooma calls could be intercepted is between the Ooma servers and the Ooma PSTN carrier. If I understand correctly this is usually a large pipe with many aggregated calls. If it is hacked, it's not only a problem for you but for many others.

Now, go have some fun and open that box. Once you have an Ooma phone number (in about 10-15 minutes after you open the box) you'll be able to get an Ooma forum account and ask questions of the Ooma staff online.

Good luck!
--
"People demand freedom of speech as a compensation for the freedom of thought which they seldom use."

PX Eliezer7
Premium
join:2008-08-09
Hutt River
kudos:13
Reviews:
·callwithus
·voip.ms

1 edit
reply to snowpeas
And you're probably going to use a cordless phone, anyway. Now that's a security issue, even with DECT.

So quit worrying so much.

Credit card numbers are stolen by the tens of millions these days. Literally.

»www.nytimes.com/2008/08/06/busin···eft.html

So unless you are Miss California USA, or Chris Pine, or Zachary Quinto, nobody's gonna be targeting your phone calls specifically.


sream
Premium
join:2002-08-17
Portage, MI
reply to snowpeas
Unless you're using an end to end encryption product like zfone you're exposed somewhere.


kieranmullen
Premium
join:2005-12-12
Portland, OR
reply to PX Eliezer7
Zachary Quinto? Why? Because he couldn't make the Vulcan sign?

A thousand nerd voices cried out all at once and were suddenly silenced.

snowpeas
I Need Fiber

join:2003-02-09
reply to snowpeas
Hah, some funny replies. Thanks to everyone, my fears have somewhat subsided and quelled. thanks!

josephf

join:2009-04-26
reply to pandora
Why is Comcast considered more secure than other VOIP providers (apparently even other cable co's)?

pandora
Premium
join:2001-06-01
Outland
kudos:2
Comcast runs its VOIP on a separate network. Its VOIP isn't on internet.

josephf

join:2009-04-26
What "network" is Comcast running its VOIP over?

So if someone is a Comcast customer for internet and phone, they have 2 different "networks" running over the same pipes?

pandora
Premium
join:2001-06-01
Outland
kudos:2
Reviews:
·ooma
·Google Voice
·Comcast
·Future Nine Corp..
Comcast has its HSI network for internet, and its DV (digital voice as in Comcast Digital Voice) network for VOIP. Comcast runs 2 networks on the same cable.
--
"People demand freedom of speech as a compensation for the freedom of thought which they seldom use."


usa2k
Blessed
Premium,MVM
join:2003-01-26
Redford, MI
kudos:3
That is their story and they are sticking to it

PX Eliezer7
Premium
join:2008-08-09
Hutt River
kudos:13
Reviews:
·callwithus
·voip.ms
reply to josephf
For services such as Comcast Digital Voice, and Optimum Voice, your signal is not travelling over the general internet. It is essentially in a separate channel.

Consider being a railroad passenger. Some passengers are just sitting in regular seats in the main car, while other passengers are in private compartments....


MikePea

@verizon.net
reply to snowpeas
What you really need to do is get a straight answer from Ooma. When they started, they touted their "distributed termination" capability (or sometimes called "peer-to-peer") as how they were going to provide free service. It worked by routing your calls via another Ooma subscriber's box, and out their phone line. That meant that they could relatively easily listen into your call in the privacy of their home. No need to attach equipment onto your line on a pole or at the Central Office. Ooma continued to deny that this eavesdropping was possible, but anyone with a little technical knowledge knows that it is possible.

There have been recent posts that Ooma has dropped this "distributed termination" idea. You need to get an absolute promise from Ooma that none of your calls will be routed via someone else's Hub and out over their phone line.

If they don't use this capability, then Ooma should be no less secure than the regular phone network, and may be more secure than other VoIP services.

dcdeadbeat5

join:2008-10-07
Washington, DC
reply to gdm
said by gdm:

AT&T U-Verse & any cable provider (Charter, TWC) works similarly to CDV service.
Cable companies work on a different channel on the cable line. This is not done for privacy but instead for QoS (quality of service). The dedicated channel means that the cable company has guaranteed bandwidth and low latency. This is similar to many companies that install a dedicated PRI/T1 just for voice instead of running their Voice over their internet connection. An example of this is Verizon Business which installs a PRI for its VOIP service. That way they can guarantee quality and call integrity throughout the entire path.

dcdeadbeat5

join:2008-10-07
Washington, DC

1 edit
reply to usa2k
said by usa2k:

Even PSTN can use VoIP for some of its routing of the call.

Yes but this traffic travels over private carrier networks and not the general public Internet. Because the carrier networks are private, it is not known whether or not they are encrypted. However, encryption would not be necessary on the carrier networks since you would basically have to hack the carrier to get into their private network.

However, once the call is sent to a peered network (sent over to the PSTN) the call is not encrypted.

lacklusterbb

join:2009-03-12
reply to snowpeas
snowpea,

If you are willing to use a POTS phone, then don't fear using Ooma. You can be too paranoid in this age of technology. Let's face it, POTS lines can be tapped, your cellular phone calls can be intercepted, even VOIP packets can be intercepted (so can your email). Heck, even snail mail can be intercepted, opened and read (remember the big brouhaha over the government's mail opening programs from the 50's and 60's that came out during the Church Committee hearings in the early 70's). The government can do it legally, if they can lay the groundwork, which is fairly easy and straightforward. Others can do it illegally. The long and short of it is that you can drive yourself to distraction if you allow yourself to focus on all possible "bad" scenarios that could occur in your life. Use common sense. (If I were someone dealing with sensitive, proprietary information with a great monetary value, I'd certainly hesitate to use email to discuss the particulars and if absolutely necessary, I'd use encryption. In that scenario, I might also invest in encrypted telecommunications equipment, but you can bet it's expensive enough to limit its use to large, wealthy corporations or governments.)

PX Eliezer7
Premium
join:2008-08-09
Hutt River
kudos:13
Reviews:
·callwithus
·voip.ms

1 edit
Good advice.

And remember, folks, lots of people used to make their phone calls on PARTY LINES!!

The younger crowd probably have no idea what I'm talking about, so here, from Wikipedia:

-------------------------------------

In twentieth century telephone systems, a party line (also multiparty line or Shared Service Line) is an arrangement in which two or more customers are connected directly to the same local loop. Prior to World War II in the United States, party lines were the primary way residential subscribers acquired local phone service. British users similarly benefited from the party line discount....

Originally, in order to distinguish one line subscriber from another, operators developed different ringing cadences for the subscribers so that if the call was for the first subscriber to the line, the ring would follow one pattern such as two short rings, if the call was for the second subscriber, the ring would sound another way, such as a short ring followed by a long one, and so on. Other subscribers on the line heard the ring and might listen in...

# When the party line is already in use, if any of the other subscribers to that line pick up the phone, they can hear and participate in the conversation. Eavesdropping opportunities abounded, as shown in the 1959 film Pillow Talk....

# The completely non-private party lines were a cultural fixture of rural areas for many decades, and were frequently used as a source of entertainment and gossip, as well as a means of quickly alerting entire neighborhoods in case of emergencies such as fires....

josephf

join:2009-04-26
We still had a party-line in the late '80's, maybe early '90's, in our Catskills summer home.

foresto

join:2002-04-17
USA
reply to snowpeas
I understand the security (privacy) concern. The exposure is greater with VoIP than with traditional phone lines because of the ease with which a knowledgeable person can access your data stream. With POTS, someone had to leave a wire and equipment attached to your house, the phone pole, or a phone company office. With modern cell phones, they might also eavesdrop by standing somewhere in your vicinity with special equipment. Both those cases involve some difficulty and risk for the eavesdropper. With VoIP, someone just has to run software on any of the network segments through which your data is passing, which is fairly trivial to do and difficult to detect. It can be done (and automated) from the comfort of a desk on the other side of the world, or from a few tables away in your local internet cafe. This is why banks and online shops use HTTPS on their web sites.

Most of us are using VoIP services built upon SIP and RTP, which do have specifications for encrypting your voice traffic. Unfortunately, most providers and devices do not seem to have SRTP enabled today. There are a few exceptions. Gizmo, for example, claims to use it for calls between their softphones. I don't know how many PSTN gateways support it, so I wouldn't count on VoIP-to-PSTN calls being secure even when using these providers, unless I got more detailed information from them.

I notice that my PAP2T has configuration fields that imply SRTP support. I may have to generate some encryption keys and try it out some day with someone who has similar equipment.

I'm hoping that this issue will become more important to the VoIP community over the next few years and that end-to-end encryption will eventually become the rule instead of the exception. In the meantime, it's up to you to decide how comfortable you are reading your social security or credit card numbers over your VoIP line.
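
Whether a given call leg is plain RTP or SRTP, the distinction this thread keeps returning to, is visible in the SDP body of the SIP INVITE and its answer. The following is an added example, not code from any poster or provider in the thread: it classifies each media stream and flags keypad digits (telephone-event) carried in an unencrypted stream. The sample SDP bodies, the placeholder key and the classification policy are assumptions made for the example.

```python
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_sdp(sdp):
    """Return one finding per m= (media) section of an SDP body."""
    session_attrs, streams, current = [], [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            # m=<media> <port> <transport profile> <payload types...>
            f = line[2:].split()
            current = {"media": f[0] if f else "?",
                       "profile": f[2].upper() if len(f) > 2 else "?",
                       "attrs": []}
            streams.append(current)
        elif line.startswith("a="):
            # Attributes before the first m= line are session-level.
            (current["attrs"] if current else session_attrs).append(line[2:])
    findings = []
    for s in streams:
        attrs = session_attrs + s["attrs"]
        suites = [a.split()[1] for a in attrs
                  if a.startswith("crypto:") and len(a.split()) >= 3]
        dtls = any(a.startswith("fingerprint:") for a in attrs)
        dtmf = any(a.startswith("rtpmap:") and "telephone-event" in a.lower()
                   for a in attrs)
        # Policy assumed by this example: only a secure profile plus keying
        # material counts. a=crypto under RTP/AVP is treated as cleartext,
        # because the far end is free to ignore it.
        keying = None
        if s["profile"] in SRTP_PROFILES:
            keying = "DTLS-SRTP" if dtls else ("SDES" if suites else None)
        findings.append({
            "media": s["media"], "profile": s["profile"], "keying": keying,
            "suites": suites, "encrypted": keying is not None,
            # Keypad digits sent as telephone-event ride in the same stream.
            "dtmf_exposed": dtmf and keying is None,
        })
    return findings

# Constructed sample SDP bodies (documentation address, placeholder key).
PLAIN_OFFER = """v=0
o=- 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
"""
SRTP_OFFER = PLAIN_OFFER.replace("RTP/AVP", "RTP/SAVP") + \
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\n"
```

With SDES keying the SRTP key travels inside the SDP itself, so the result only means something if the SIP signalling is also protected (for example by TLS); and it describes one hop, not the leg from the provider to the PSTN carrier.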