Expert Unveils 'Scary' VoIP Hack

Posted by Zonk on Fri Nov 23, 2007 10:11 AM
from the keep-it-close-to-your-chest dept.
Kurtz'sKompund passed us a link to a Techworld article on a frightening new vulnerability for VoIP. The UK's Peter Cox has put together a proof-of-concept software package to illustrate the flaw, a program he's calling SIPtap. "The software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well. The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date."
  • by plover (150551) * on Friday November 23 2007, @10:12AM (#21453937) Homepage Journal
    Not only that, but ethernet data traffic can be read [ethereal.com] by someone else on the network, and wi-fi traffic can be monitored [kismetwireless.net] by someone even without wires.

    In other news, experts have revealed that water is scarily wet, the sun is frighteningly hot, and occasionally rain terrifyingly falls from the sky. We'll interrupt your surfing with more news as it unfolds. Meanwhile, please continue to tremble in fear of the obvious.

    • Re: (Score:2, Informative)

      This is why I SSH tunnel any truly sensitive traffic to as close as I can get to the destination.
    • by aproposofwhat (1019098) on Friday November 23 2007, @10:26AM (#21454029)
      So some bloke who's about to start up a VOIP consultancy firm has made a SIP traffic sniffer, which he claims will allow the recording of SIP calls on a network.

      I'm sure he's set up his test network appropriately (hubs not switches, no VLANs in sight, every Ethernet packet visible at each node...) to spread FUD and market his services.

      Very l33t, I'm sure.

      Just a Slashdot advertisement feature again - there seem to be more and more of these appearing.

      I'm waiting for the announcement that a program to increase penis size has been written by a bloke in the pharmaceutical industry - that'll make the front page for sure :P

      • If you think that's necessary, I urge you to look up the PCAP software and how it can be used to monitor the traffic to arbitrary MAC addresses on your network unless your switches are very sophisticated and very carefully programmed.
    • Wireshark [wireshark.org] has the ability to reconstruct RTP streams, and has been able to for some time. "SIPtap" is doing the same thing. Hyperbole indeed.
    • The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date."
      Wow -- even by date!! What evil genius was able to come up with a clever way to get a computer to tell you what day it is? These kids are too smart for their own good. All hackers and potential hackers - hell, everyone under 30 - should be jailed forthwith.
      • I still see some port 23 opened on machines on the internet (scarce but not non-existent) or local networks (much more popular)... I don't see those people implementing a secure VoIP system anytime soon.
  • Wow (Score:5, Funny)

    by telchine (719345) on Friday November 23 2007, @10:13AM (#21453945)
    The german police will be pleased!
  • A perfect time to mention...

    Zfone [zfoneproject.com] - free (as in beer) encrypted VoIP.

    Get it while it's still legal!
    • Re: (Score:2, Interesting)

      How do you know? From their advertisement or have you checked? I never take things on face value. Anyway, if they really want to listen you stand no chance.
  • This is soo old! (Score:3, Informative)

    by Kris2k (676294) on Friday November 23 2007, @10:19AM (#21453991)

    I recall seeing a project on freshmeat in 1999-2000 about the exact same functionality. Granted, it wasn't as refined as this one, but it did exactly what it had to do; sniff packets over the wire, decode them, and send them to your DSP.

    This is old, and that's why people today use VLAN tagged phones to separate VOIP traffic onto another network, combined with switches that don't allow promiscuous activities, intrusion detection systems, picky switches that don't like MAC changes, and voilà, problem solved for the distribution networks.

    There will always be ways to tap conversations, and if you think your POTS land line is secure *chuckle*, get real.

    • In fact, there are entire open source and commercial products predicated on being able to do this.

      For example:

      http://www.orecx.com/ [orecx.com]
    • that's why people today use VLAN tagged phones to separate VOIP traffic onto another network, combined with switches that don't allow promiscuous activities, intrusion detection systems, picky switches that don't like MAC changes, and voilà, problem solved for the distribution networks.

      I'm not up on IP phone networking/security concerns. Should I be concerned that staff at this office just dropped the shiny new IP phones on the same network as the PC's? I have one port in my cube: CAT-5 daisy-chains from the wall to IP phone to PC. Or do I just need to ask for more tin foil in the supply cabinet?

      • I'm not up on IP phone networking/security concerns. Should I be concerned that staff at this office just dropped the shiny new IP phones on the same network as the PC's? I have one port in my cube: CAT-5 daisy-chains from the wall to IP phone to PC. Or do I just need to ask for more tin foil in the supply cabinet?

        More tin foil. Most phone system vendors will set a company's office phone system up on a separate VLAN, then allow access to that VLAN through any port on a wall that a phone was supposed to g

          • I work for a consulting company and every network I deal with with has separate VLANs for VoIP and data traffic.

            Sorry, I could have phrased that better. What I meant to say is that, yes, companies' networks use separate VLANs for VoIP, but I've never seen such a network configured to effectively prevent a rogue device, such as a PC, from accessing that VLAN. Yes, my own observations are anecdotal - I'm sure a few people out there are doing things the right way.

      • Most networks now are switched, not using open hubs. In a switched network, you can't just stick a network card in promiscuous mode and hear all the traffic. The switch connects the two ends that are talking (e.g. your phone and PBX) and excludes that traffic from anyone else on that switch.

        The vulnerable points come after the switch, for example if all the phones use a switch, and that switch has a connection to the PBX, then if you could insert a hub between the PBX and the switch you could use this ha
  • More Info? (Score:5, Interesting)

    by TheGreatDonkey (779189) on Friday November 23 2007, @10:19AM (#21453993)
    I read TFA and I didn't see any information that makes this any different than using Wireshark to capture and reassemble the packets and do this (it is fairly easy)? What is so drastically advanced about this discovery? Additionally, isn't a switched network generally protected by this unless a port is specifically configured for packet forwarding? That would be one spiffy trojan to hack into the switch as well and configure this. Also, most VOIP installs I have seen have, at the vendor's install requirement, the VOIP phones be on their own VLAN from the data side of the network, further limiting the exposure?
    • Re: (Score:3, Insightful)

      I was wondering the same thing. The hacker would not only have to infect a PC on the network, it would have to be on the voice span. That's something that is not likely since you generally separate your user segment and your voice segment. The two only share WAN pipes to move from one network to another. Then again, this is a proof of concept.
    • What is so drastically advanced about this discovery?
      From the summary (emphasis mine):

      The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date."
      ;-)
      • From the summary (emphasis mine):

        The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date."
        ;-)
        I suppose we can count ourselves lucky that it's not advanced enough to figure out the exact time of the calls (yet).

        Still, technology is frightening (ooooh, lookat all em numbers)
  • by whamett (917546) on Friday November 23 2007, @10:30AM (#21454057)

    Although this is obvious to many—if you're transmitting data unencrypted from A to B, someone monitoring the communication channel can of course read the data too—the reality is that it probably takes a concrete, real-world package like this, plus media coverage, before many organizations will grasp the risk.

    In other words, although much of the slashdot crowd will say "well, duh", this is a very practical wake-up call for real-world organizations that have deployed VoIP. Of course they'll need to either use encryption or trust everyone and all machines on the network.

    Coming up next: An attacker with appropriate radio gear can eavesdrop on cell phone conversations!

  • This is a tool. I have been looking for a way to log my home phone calls using my WRT54G to an external samba share - but haven't found code I can build for the device. Maybe I should get in touch with these guys.

    PS can any hack just say they are a security researcher nowadays?
  • This has been known for awhile, but I'm assuming the program referenced just makes it easier.

    At any rate, this is why I really wished SIP would have required a mandatory encryption scheme. Skype does, but I'd rather use a protocol that's open and interoperable. SIP does have encryption provisions (SRTP, TLS, etc..), but they are a bit difficult and not widely used (so completely pointless). It should have been something mandatory, though I can understand that encryption latency would have ramifications o
  • is this really news? vomit [xtdnet.nl] has been out since 2001 and Ethereal has been doing this since about 2003...
  • the NSA will let us do away with $40 a month cell phone bills. Thank you mysterious hacker!

    The future of VOIP isn't P2P, it looks more like Mail servers. Asterisk boxes with a central lookup table, routing calls and availability based on specific connections to servers.

    Unfortunately this system quickly becomes encrypted and impossible to monitor, so the fact that everyone could be using the 64kbps required for voip at the same time and not saturate a fraction of the wireless spectrum won't be enough to d
  • Uhh.. Yes.. (Score:5, Interesting)

    by zoid.com (311775) on Friday November 23 2007, @10:52AM (#21454205) Homepage Journal
    We use this method to record call center traffic. Have a look at Orecx http://www.orecx.com/ [orecx.com] . This is not a hack. Also switches will not send the traffic to all systems on the network so you will have to turn on SPAN or use a dumb hub. No news here.
    • Just some basic understanding of the networking stack. You can easily arp spoof to create a MITM attack against users on a common subnet.

      http://www.watchguard.com/infocenter/editorial/135324.asp [watchguard.com]
        • Even a properly configured Port secure network could be attacked.
          Supposing the location has a high degree of security, only allows user level access to workstations and has auto lockout on screensaver on every workstation. Just presuming perfect, or nearly perfect, physical security on the user access side. The users still having a common vlan...

          Presuming the above and having 2 open network drops to shove a pocket system onto.

          For instance, physical access attacker:
          Nic 1 listens for arp from the target and
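The ARP-spoofing MITM raised in this subthread is the standard way around a switch's per-port isolation, and the thread's own answer is "picky switches that don't like MAC changes". The block below is an added example, not code from the thread or from SIPtap: a minimal host-side detector that parses raw Ethernet/ARP frames and alerts when a second MAC starts answering for an IP address that already has a known binding. The frames, addresses and MACs are constructed here as sample input; on a real segment they would come from a pcap or a raw socket.

```python
"""Added example (not part of the Slashdot thread or SIPtap): flag ARP
cache-poisoning attempts by watching for an IP whose sender MAC changes
between ARP replies. All addresses below are constructed sample data."""
import struct
from typing import Dict, List, Optional, Tuple

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_reply(sender_mac: bytes, sender_ip: bytes,
                    target_mac: bytes, target_ip: bytes) -> bytes:
    """Assemble a raw Ethernet+ARP reply; used here only to build sample input."""
    eth = ETH_HDR.pack(target_mac, sender_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY,
                       sender_mac, sender_ip, target_mac, target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (opcode, sender MAC, sender IP) for an IPv4-over-Ethernet ARP
    frame, or None for anything that is not one (short frame, other EtherType)."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac_str(sha), ip_str(spa)


def detect_arp_spoof(frames: List[bytes]) -> List[Tuple[str, str, str]]:
    """Learn the first MAC seen claiming each IP, then report every later reply
    that claims the same IP from a different MAC as (ip, known_mac, new_mac)."""
    bindings: Dict[str, str] = {}
    alerts: List[Tuple[str, str, str]] = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        known = bindings.setdefault(ip, mac)
        if known != mac:
            alerts.append((ip, known, mac))
    return alerts


# Constructed sample traffic: the gateway 10.0.0.1 answers from its real MAC,
# the victim answers for itself, then a third host also claims 10.0.0.1.
GATEWAY_IP = bytes([10, 0, 0, 1])
VICTIM_IP = bytes([10, 0, 0, 50])
GATEWAY_MAC = bytes.fromhex("aabbccdd0001")
VICTIM_MAC = bytes.fromhex("aabbccdd0050")
ROGUE_MAC = bytes.fromhex("cccccccccc99")

SAMPLE_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(VICTIM_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    build_arp_reply(ROGUE_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    b"\x00" * 20,  # truncated junk; must be ignored, not crash the parser
]

if __name__ == "__main__":
    for ip, old, new in detect_arp_spoof(SAMPLE_FRAMES):
        print(f"ALERT: {ip} was {old}, now claimed by {new}")
```

First-seen learning is a heuristic: a legitimate NIC replacement also trips it, and an attacker who answers before the real host is learned as "known". Seeding `bindings` from a static inventory, or letting the switch do this with DHCP snooping and dynamic ARP inspection, is the stronger form of the "picky switch" the thread recommends.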
  • by compumike (454538) on Friday November 23 2007, @10:58AM (#21454247) Homepage
    I run a small business VoIP phone system with 5 hardware phones, some small number of software phones, and an Asterisk setup. Sniffing traffic and reassembling conversations could definitely happen. The protocols to secure this are already out there:
    • encrypted SIP - would make sure the information about who you're calling stays encrypted
    • secure RTP (SRTP) - would encrypt the actual call audio (and video)
    • encrypted IAX - would do both, though only between Asterisk endpoints

    The current problem for anyone using VoIP is that it's necessary to pay some outside company to do the termination into "real world phone service", aka PSTN, so that you can make and receive calls to the normal phone network. Until the VoIP service providers start letting you do encryption all the way to their end, there's a lot of people who can listen to your phone calls much easier than in the analog days. However, this is going to cost them CPU time. But is this something that people would pay more for? I think the answer might be yes...

    In any case, slightly off-topic, I highly recommend Voicepulse Connect [voicepulse.com] as an IAX/SIP termination/origination provider to anybody who can run their own Asterisk PBX and who wants to punt the local phone company.

    --
    Educational microcontroller kits for the digital generation -- a great gift! [nerdkits.com]
    • I second the Voicepulse Connect recommendation. Their web page sucks, a lot of information is missing, but in the end they're not doing that to hit you with hidden fees, their web department just looks to be incompetent :)
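The post above lists the two things a SIP deployment has to protect separately: the signalling (who called whom, and when, carried in From/To/Date headers, which is all SIPtap's "index by caller and date" amounts to) and the media (RTP audio, protected only if the SDP negotiates SRTP). The block below is an added example, not code from the thread or from any tool it names: an audit that takes a SIP INVITE as a PBX would log it, extracts the identity headers, reads the hop transport from the Via header and the media profile from the SDP `m=` lines, and reports what would be readable on the wire. The INVITE, names and addresses are constructed; RTP/AVP versus RTP/SAVP and the `a=crypto` line follow the SIP/SDP RFCs.

```python
"""Added example, not part of the Slashdot thread: audit a SIP INVITE for
cleartext signalling (identity headers readable) and cleartext media
(RTP/AVP instead of SRTP's RTP/SAVP). The INVITE below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CallAudit:
    caller: Optional[str]
    callee: Optional[str]
    date: Optional[str]
    signalling_transport: Optional[str]          # transport token of the top Via
    media_profiles: List[str] = field(default_factory=list)

    @property
    def signalling_encrypted(self) -> bool:
        return self.signalling_transport == "TLS"

    @property
    def media_encrypted(self) -> bool:
        # Every stream must use an SRTP profile (SAVP, or SAVPF with RTCP feedback).
        return bool(self.media_profiles) and all(
            p in ("RTP/SAVP", "RTP/SAVPF") for p in self.media_profiles)


def parse_sip_message(raw: str) -> Tuple[Dict[str, str], str]:
    """Split a SIP message into a lower-cased header dict (first value wins,
    so the top Via is kept) and the message body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:            # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return headers, body


def audit_invite(raw: str) -> CallAudit:
    headers, body = parse_sip_message(raw)
    via = headers.get("via") or headers.get("v")   # "v" is the compact form
    transport = None
    if via:
        # Via: SIP/2.0/UDP host:port;branch=...  -> "UDP"
        transport = via.split()[0].rsplit("/", 1)[-1].upper()
    profiles = []
    for line in body.splitlines():
        if line.startswith("m="):                   # m=<media> <port> <proto> <fmt...>
            parts = line[2:].split()
            if len(parts) >= 3:
                profiles.append(parts[2])
    return CallAudit(
        caller=headers.get("from") or headers.get("f"),
        callee=headers.get("to") or headers.get("t"),
        date=headers.get("date"),
        signalling_transport=transport,
        media_profiles=profiles,
    )


def exposure_report(audit: CallAudit) -> List[str]:
    """List what a passive observer on this hop could recover from the call."""
    findings = []
    if not audit.signalling_encrypted:
        findings.append(f"signalling over {audit.signalling_transport or 'unknown'}: "
                        f"From/To/Date readable on the wire")
    if not audit.media_encrypted:
        findings.append(f"media {audit.media_profiles}: audio recordable from RTP")
    return findings


# Constructed INVITE: UDP signalling, plaintext audio offering G.711u/G.711a/G.729.
PLAINTEXT_INVITE = (
    "INVITE sip:bob@pbx.example.test SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: \"Alice\" <sip:alice@pbx.example.test>;tag=1928301774\r\n"
    "To: <sip:bob@pbx.example.test>\r\n"
    "Date: Fri, 23 Nov 2007 10:11:00 GMT\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8 18\r\n"
)

# Same call over TLS with SRTP negotiated via SDES (the crypto attribute is a dummy key).
PROTECTED_INVITE = PLAINTEXT_INVITE.replace("SIP/2.0/UDP", "SIP/2.0/TLS").replace(
    "m=audio 49170 RTP/AVP 0 8 18\r\n",
    "m=audio 49170 RTP/SAVP 0 8 18\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz\r\n",
)

if __name__ == "__main__":
    for label, msg in (("plaintext", PLAINTEXT_INVITE), ("protected", PROTECTED_INVITE)):
        a = audit_invite(msg)
        print(label, a.caller, "->", a.callee, a.date, exposure_report(a) or "no exposure")
```

Two caveats a practitioner would apply: the Via transport only describes the hop the message was seen on, so a TLS leg from phone to PBX says nothing about the trunk to the termination provider the post complains about; and an SRTP offer in the INVITE is only an offer, so the same check has to be run on the 200 OK's SDP to confirm the far end accepted RTP/SAVP rather than falling back to RTP/AVP.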
  • Well I just find this beggars belief that the article comes across as if there's a new hole in voip and in this case SIP.
    SIP was never intended to be anything other than a means to negotiate RTP streams. Any decent voip sysadmin would know that SIP is only trusted as far as the wires it runs on.
    'Wiretapping' a SIP call is not as difficult as people may assume it to be. I'm sure you would find some relatively basic instructions on doing just that using Ethereal/Wireshark online. If you can capture the traffic,
  • My Vonage VOIP box sits behind a Linux-based router/home fileserver with 2TB of storage, and I'd love to have something that would automatically record, decode and store all of my phone conversations. In the same way that I find it useful to log IM chats and save all my e-mail, I think it could be very handy from time to time to have complete logs of my phone conversations. Not so much as proof of conversations but as a way to backstop my very poor memory and abysmal note-taking skills.

    I experimented wi

    • Most services like this use G.729. You can find code at www.vovida.org
      • Most services like this use G.729. You can find code at www.vovida.org

        Thanks. Indeed, my VOIP box uses G.729 when in "low bandwidth" mode, some unidentified codec when in medium mode (RTP packet type 2) and PCMU when in "high bandwidth" mode. I haven't found a free G.729 implementation that runs on Linux, but I did find that orkaudio can already decode PCMU. I installed orkaudio, configured it to output pcmwav files, hacked a quick shell script to convert them to ogg and installed it in a crontab. Works perfectly.

        Sometime I'll also have to write a script to parse the tapelist.log file orkaudio generates, and make a nice little index associating the audio files to the phone number called, and then I'll have a nice history of all my phone conversations.

        • Sometime I'll also have to write a script to parse the tapelist.log file orkaudio generates, and make a nice little index associating the audio files to the phone number called, and then I'll have a nice history of all my phone conversations.
          Just grab and install OrkWeb/OrkTrack [sourceforge.net]. It's part of the same software suite and handles all of that for you.
    • Make sure you're in a one-party state before you go recording all calls.

      http://www.callcorder.com/phone-recording-law-america.htm [callcorder.com]

      I was going to just post the states and whether they are 2 party or 1 party (see middle of link above) however Slashdot kicks me out with a Lameness filter. Derp.
      • Make sure you're in a one-party state before you go recording all calls.

        I am (Utah). I looked up the law before I started trying to do it the first time.

  • Borderware has more than once said things along these lines then pointed out they sell a product that solves all the problems. The little thing they forget to mention, SIP can run over TLS or not. When it is running over TLS, SIPtap and others like it don't work. This is the same as imap, pop, and http. If you don't run them over TLS (or SSL as it used to be known), well someone with a sniffer can read it. I'd like to point out that Cox would like to take credit for this but there has been a program that doe
  • Ethereal had this for years, although not automatic. But you still can match calls by SIP URIs and reconstruct wavs from the stream.
  • First of all, SIP sniffers with GUIs that can monitor calls have been around a long time.

    Second, if you already have direct access to the network, the victim has bigger problems than a SIP sniffer. Why not corrupt the TFTP server and own every phone?

    Third, on any plausible network, having a trojan on one PC would only let you sniff that PC's traffic. I'm going to assume they set up a fake network with hubs from the 1990s.

    That article is horrible, and obviously written by someone with zero VoIP experience.
    • Yet, the NSA really does not need many backdoors, since so many are left in by MS windows, or any number of new protocols. In general, any new OS or protocol is designed for simplicity, and rarely makes security #1. Look at SNMP. It took 3 versions to get it right (neither snmp 2 was truly secured).