IT Jobs
Expert scares world with VoIP hacking proof
Ex-BorderWare guru strips IP calls naked.
By John E. Dunn, Techworld | Techworld
Published: 11:47 GMT, 22 November 07
An expert has released a proof-of-concept program to show how easy it would be for criminals to eavesdrop on the VoIP-based phone calls of any company using the technology.
Called SIPtap, the software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well.
The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date. Running from August this year until the most recent tap on 21 November, SIPtap had no problems in extracting enough information on the test network to prove that call recording of any and every VoIP call at a hypothetical company was now a trivial exercise.
SIPtap demonstrates that the worst-case nightmares of VoIP vulnerability are now well within the capabilities of organised crime, which could use such a program to steal confidential data from companies, governments and even the police.
The demonstrator is the work of UK-based VoIP expert, Peter Cox, who co-founded and was CTO of firewall vendor BorderWare, before leaving the company last summer to start his own VoIP consultancy, due to be up and running by Spring 2008. He was inspired to write the software after conversations with encryption guru Phil Zimmermann, creator of Zfone, the latter designed to protect against SIPtap-like hacking by using VoIP call encryption.
"We are in the early days of VoIP, but there is a knowledge gap," said Cox, lamenting the naivety about VoIP's inherent security weaknesses among the mostly telecoms-oriented engineers building such systems. "Companies using VoIP internally think they are protected."
"The threat is that an attacker engineers a Trojan and has it sit there passively [on a network], recording calls from anywhere on the Internet," says Cox.
His advice was simple. "Apply the same vigour when building a VoIP network you would when building a website."
Cox is currently running a series of workshops on VoIP threats in conjunction with SIP Services Europe, and has published his own Video podcast on the topic.
.gif)
Add your commentComments
James | Published: 18:40 GMT, 06 December 2007
I assume SIPtap only work on SIP? So H.323 or IAX would not be affected. If you only have Cisco gateways talking to each other, how would a computer on the network infect a gateway? Also on a closed network this would not be a security issue. The encription Cisco has called TLS would 100% eliminate this security issue.
David Ellis, COMPUTERLINKS Director of e-Security, | Published: 09:19 GMT, 03 December 2007
Hackers may utilise VoIP security holes to hijack calls or gain access deeper into your network. Each VoIP element on the network is vulnerable, including PBXs, gateways and IP phones. An IP handset is vulnerable to the same threat from worms and Trojans. Attacks of such nature could bring the entire business to a stand still if they are not protected against. A resilient security offering must support the benefits that VoIP brings. IP telephony vendors such as Swyx and security vendors are already facing this challenge and providing specific support for VoIP. For example, security vendor Check Point already provides support for VoIP protocols where the Swyx solution sits behind the router and the firewall on a separate server. Skills in data, security and voice will be required to deliver a truly secure VoIP solution. Whether that is voice resellers improving skills from a security and data perspective; data resellers training up from a voice perspective, is still to be seen.
Dr. John | Published: 03:54 GMT, 29 November 2007
For those of you who think switch traffic cannot be sniffed, think again. Keep in mind that switches are just computers. See www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/sfblu_wp.pdf. Encryption is the answer right now providing you have sufficient bandwidth and own the whole network. Encryption requires decryption, doesn't it? How are you going to do that with a non-VOIP instrument at the other end?
SmartHide.com | Published: 02:19 GMT, 28 November 2007
SIP over SSL and don't problem!
Rick McCharles | Published: 15:09 GMT, 27 November 2007
"All that the criminal would need would be to infect a single PC"...REALLY? How about a little perspective? Can the single PC record all calls in a switched network environment, when voice and data traffic is segmented, when it's encrypted, when all of the other well know security best practices are employed? Enough with the silly hype already!
jeff | Published: 23:43 GMT, 26 November 2007
I dont see trojans/malware being much of an issue due to the already mentioned traffic usually being segmented. That does not make the threat level much lower though. The majority of "hacking" comes from inside a network. It would not be that difficult to spoof the vlan a host belongs too and take the phone out of the loop. I dont know about you but i think it might be somewhat interesting to have a recording of what my manager says over the phone.
jeff | Published: 22:55 GMT, 26 November 2007
I dont see trojans/malware being much of an issue due to the already mentioned traffic usually being segmented. That does not make the threat level much lower though. The majority of "hacking" comes from inside a network. It would not be that difficult to spoof the vlan a host belongs too and take the phone out of the loop. I dont know about you but i think it might be somewhat interesting to have a recording of what my manager says over the phone.
reswob | Published: 20:50 GMT, 26 November 2007
I noticed that Peter Cox did respond to comments, but he didn't answer a key question that was brought up: If the voice traffic is segregated between a data VLAN and a voice VLAN, will SIPtap work? Does SIPtap have a tool a la voiphopper (voiphopper.sourceforge.net)? If it doesn't, I agree that this tool is mostly show, simply pointing out nothing security professional didn't already know. Even though a small percentage of implementations do not encrypt, I would bet that a much higher percentage do separate traffic onto multiple VLANs which would render SIPtap ineffective without a VLAN hopping mechanism.
reswob | Published: 20:50 GMT, 26 November 2007
BTW, if the VoIP phone is in front of the PC, putting the PC NIC card in promiscuous mode will not enable it to receive VoIP traffic. The VoIP phone LAN connection is typically a switch, thus any VoIP traffic sent down the single physical wire would stop at the phone and not be sent to the PC. The switch in the VoIP phone would only forward traffic to the PC meant for the PC.
chasefranklin765 | Published: 17:30 GMT, 26 November 2007
The real issue is we're placing a sophisticated network solution in the hands of under qualified network people and thinking they have the needed expertise to make our VoIP PBX safe. What companies need to do is rethink the PBX on site model and adopt a hosted VoIP PBX solution. This leaves the question of security up to the vendor and with size, volume and unlimited capacity the cost of security is more easily spread out. A solution such as one found at www.dls.net offers the best of both worlds.