Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

U.S. Government Issues Report on VoIP Security Holes

Posted by CowboyNeal on Thu May 05, 2005 11:12 PM
from the good-bad-and-ugly dept.
Security Communications IT
ranson writes "PC World is reporting on VoIP technology's threat of being manipulated by hackers, through call interception and DoS attacks on users' internet connections. While these threats are nothing new, the article cites an interesting government report on the topic, as well as its author, who believes a VoIP user's best protection is security by obscurity."
+ -
story

Related Stories

by
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

U.S. Government Issues Report on VoIP Security Holes 25 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • VOIP calls aren't encrypted? (Score:5, Insightful)

    by Motherfucking Shit (636021) on Thursday May 05 2005, @11:15PM (#12448589) Journal
    From the article:
    Intercepting Internet traffic is not new. Neither is DoS. But unlike more secure Internet transactions such as your Web connection for online banking, VoIP calls are not encrypted. That makes them susceptible to tapping.
    This amazes me, I can't believe that the calls are floating around in raw audio. Would a little encryption add so much overhead that it would bog down the system? Or is this due to CALEA or other laws?

    • Re:VOIP calls aren't encrypted? (Score:5, Informative)

      by Spetiam (671180) on Thursday May 05 2005, @11:24PM (#12448624) Journal
      Skype says its calls are encrypted.

      The calls... are highly secure with end-to-end encryption. [skype.com]

      Whether their scheme is snake oil or for real, I don't know, as I can't find any documentation on it, much less source code.

      • Re:VOIP calls aren't encrypted? (Score:5, Insightful)

        by IWannaBeAnAC (653701) on Thursday May 05 2005, @11:55PM (#12448740)
        If there is no documentation, then it is almost certainly snake oil.

        Anyway, it is hard to imagine the FBI allowing ordinary consumers to have encryption they cannot break on their telephone calls. Moderately easy to break, but obscure, encryption is exactly what they would be looking for. 99% of criminals will be too dumb to break it, and the other 1% are needed to justify the homeland security budget.

        • Re:VOIP calls aren't encrypted? (Score:5, Insightful)

          by CodeBuster (516420) on Friday May 06 2005, @12:22AM (#12448842)
          The Rijndael algorithm, with is now the federal advanced encryption standard (AES), is a fast symmetric block cipher which is both public domain and spreading quickly in use. It would not be difficult for the phones to use a public key scheme such as RSA to exchange a session key for Rijndael. The FBI doesn't waste their time intercepting your network traffic and cracking the encryption by brute force computation. They simply bug the keyboard or the room and recover your key. Why waste time picking a complicated lock when you can easily steal the key?

      • Re:VOIP calls aren't encrypted? (Score:5, Informative)

        by Anonymous Coward on Friday May 06 2005, @01:22AM (#12449021)
        Any system which hides key management completely is snake oil, to a certain extent. Encryption without authentication is useless, and the best authentication you can get with completely hidden key management is that an attacker has to be in the middle from the start and all the time to be undetectable. Better than nothing, but not really secure either. The achievable level is about the same as an SSH account where you never check if the server fingerprint is OK.

    • Re:VOIP calls aren't encrypted? (Score:4, Informative)

      by Bananatree3 (872975) on Thursday May 05 2005, @11:25PM (#12448631)
      According to Skype's FAQ [skype.com], all of their VoIP calls are encrypted:

      Calls between Skype software users (PC-to-PC calls) are secure and encrypted. Calls to standard telephone or mobile numbers are encrypted until they reach public switched telephone network. Note that in a conference call where one participant is a PSTN (regular telephone or mobile phone) number/phone number, the padlock icon will not appear indicating that the call is not encrypted.

    • Re:VOIP calls aren't encrypted? (Score:3, Interesting)

      by Anonymous Coward
      The fact that you know what calea is, says that you already know more than you are letting on. Yes, the average /.er knows about the patriot act, but few know about calea.

      But for the record, calea has nothing to do with VOIP/SIP being encrypted or not. It was more about keeping it simple. Then you are free to add encryption at a lower layer. Much easier to add encryption just prior to the net.
    • Iay cryptenay ithway igpay atinlay.
    • There are standards for running encryption on top of SIP (see SRTP), but almost nobody implements them. Much more common is to avoid running SIP on the open Internet -- my company uses SIP for VoIP, but we only run it within a closed LAN or tunneled through OpenVPN.

    • Re:VOIP calls aren't encrypted? (Score:5, Informative)

      by Talennor (612270) on Friday May 06 2005, @12:35AM (#12448882) Journal
      CALEA says:

      "ENCRYPTION- A telecommunications carrier shall not be responsible for decrypting, or ensuring the government's ability to decrypt, any communication encrypted by a subscriber or customer, unless the encryption was provided by the carrier and the carrier possesses the information necessary to decrypt the communication."

      Which in my first glance at this means that VoIP can be encrypted, though if the carrier handles too much of the private key generation, which would be necessary for any non-technical user, the carrier must keep the key for law enforcement use. (I'm thinking that a standalone VoIP phone would need a factory generated key on EEPROM, though software VoIP could use your average PC to generate a key itself.) But then again I'm not even sure if this applies to VoIP since this isn't exactly a service I'm currently familiar with. I'll note though that this is the only place "encryption" came up in a search of the law itself, so there's not much more to look at than the above quote. However, what the FBI and FCC have done in regulations may be a totally different matter. Can anyone clear this up more or is it just a regulatory mess?

  • Discussed on the Vonage VoIP Forum (Score:5, Informative)

    by kamikaze-Tech (871353) * on Thursday May 05 2005, @11:16PM (#12448593)
    This has been discussed at great lengths on the Vonage VoIP Forum here: http://www.vonage-forum.com/ftopic5604.html [vonage-forum.com] and also here: http://www.vonage-forum.com/ftopic3422.html [vonage-forum.com]

  • 99 Pages, and a bitch aint one (Score:4, Funny)

    by MikeSingee (881775) on Thursday May 05 2005, @11:18PM (#12448601)
    Chances of slashdoters reading that 99 page government report are about the same as VoIP being secure.

  • stop the presses! (Score:4, Funny)

    by to_kallon (778547) on Thursday May 05 2005, @11:25PM (#12448636)
    "As VoIP is rolled out en masse, we're going to see an increased number of subscribers and also an increased number of attackers," says David Endler, chairman of the VoIP Security Alliance

    it's easy to see he's an expert. i mean, who else could come up with such an idea? the very premise of it is far-fetched to the point of hillarity. to think that as a product becomes more widely used it is targeted by a larger population...craziness.

  • Damned if you do, damned if you don't (Score:3, Insightful)

    by wcitech (798381) on Thursday May 05 2005, @11:34PM (#12448671)
    I can find a little bit of humor in the situation... If the government finds that a communications system is insecure, they make reports complaining about it (motivating engineers to secure it). If the government finds that a communications system is too secure, they go to court so they can tap into it. (remember the voip wire-tapping ordeal?)

  • VOIP nope not for me (Score:3, Insightful)

    by Grand Facade (35180) on Thursday May 05 2005, @11:39PM (#12448684)
    I'm not giving up my copper! No way! It is protected by law. And it is more insecure than most any other form of communication. But has a high degree of reliablity. So I'm sticking to it.

    Big buisness is who wants VOIP cause they want to get rid of the expensive telcom infrastructure and gain a higher degree of control.
    • I'm not giving up my copper! No way! It is protected by law.

      Give it time. VoIP will become every bit as protected. There's already too much money flowing in the biz to let it go by the wayside now.

      What I think WILL happen is a mass consolidation of most of the current small VoIP companies. Then, of course, prices will rise.

  • woulda been nice to know it was PDF ... (Score:3, Insightful)

    by 2TecTom (311314) on Thursday May 05 2005, @11:40PM (#12448690) Journal
    ... sigh, here we go again.

    Imagine this, you're far, far away in some distant, lost, Internet cafe. You are deeply in the backwoods of the third world. Your cellular 911, for some reason, isn't working. You see a /. story, with a link to an applicable article. You've just desperately clicked the link to the aforementioned article. Five minutes later, you begin to wonder three different and distinct things.

    1) Is the system locked up?
    2) How much is this going to cost now?
    3) Is that MODEM actually starting to smoke?

    IMHO, PDFs or links, especially unlabelled ones, are less than professional. Please, just say no.
    • You can drastically speed up PDF load times if you disable all the unneeded plugins:

      1. Install Adobe Reader 6.0 and notice where it is installed.
      2. Navigate to that folder in Explorer, locate the plug_ins subfolder and rename this folder to plug_ins_disabled.
      3. Create a new plug_ins folder.
      4. Move the files EWH32.api, printme.api and search.api from plug_ins_disabled to plug_ins.

      From http://www.mozilla.org/support/firefox/faq#acrobat [mozilla.org]

  • Gun in a field (Score:5, Insightful)

    by deathcloset (626704) on Thursday May 05 2005, @11:47PM (#12448708) Journal
    Security through obscurity is one of those strange concepts.

    Imagine every person in the world standing in a gigantic field. In the direct center of everyone is a rifle pointed at the sky.

    When the rifle fires, the bullet will go up and then come down and hit some poor sap. But if one were standing in that crowd one could virtually count one's self out as being crowned that sap.

    Virtually, but not completely.

    That's the problem with security by obscurity. Sure it lowers the chances of being hit. But it's not really security at all.

    Is it?

    • This is a great explanation, and ought to be modded up. I guess you would call it a kind of collective action problem.

      Each individual looks at the situation and determines that their own costs are very, very low--while getting hacked/shot is annoying, the odds of it happening a pretty outside. Taking the "cost" as being the actual cost of an incident times the likelihood of an incident, and you get a pretty low number.

      But considering the same question from a group point-of-view, it's not a question of w

    • Re:Gun in a field (Score:4, Interesting)

      by Creepy Crawler (680178) on Friday May 06 2005, @12:57AM (#12448946)
      Ok, we have "security by obscurity".

      Erm, isnt our current knowledge of encryption technology based much on secret numbers? Well, it is 1 in 2^128 or 2^256 or some huge number, but is this teh similar analogy you use?

      Well, first off security CAN be improved, but it uses the same techniques I use for software protections.

      There should be no meta-data telling what encrypted the data, what encryption schemes, or whatever to even start off. You should consider these to be the first 'shared secrets'. This has a side benefit as when a 3'rd party attempts to decrypt it, it just gives garbage in which SOMETHING has to interpet. It should not be as simple as "GPG v3.2 Diffie-Helman 4096 bit key" does not match .

      Next off, all decrption attempts should go through. What would you rather do: scan the encrypted files for headers in which to try dictionaries OR be forced to try all types of encryption to try to guess which one does what (if you can).

      The next, for network security, is 'knock knock' scripts. Whats safer: login/passwd prompt on ssh OR 10 timed packets aimed at different ports (that change on time of day) that then proceeds to open ssh until disconnect?

      I know what I'd choose if it was my security depended on hiding, firewalling THEN login/passwords.

      The whole point is OBFUSCATION is a valid security mechanism, not that is the end-all be-all or anything, but it does have its places.

  • So what was I supposed to learn? (Score:3, Insightful)

    by modemboy (233342) on Friday May 06 2005, @12:00AM (#12448769)
    Ok I didn't read the 99 page report (probably some good info in there) but this PC World article is pointless.
    Ok so they can DOS your network connection and kill your VOIP. Uhhh, if you're being succesfully DOS'ed you've got bigger problems than your VOIP not working.
    Oh and the other horror? They can listen to your calls? As the article points out this is currently trivial with the POTS, and again if someone can succesfully listen in on your full network connection you've got bigger problems than your VOIP not working.
    So why should I be scared again? Sounds like anti-VOIP F.U.D. to me.

  • We need dedicated boxes (Score:5, Insightful)

    by delirium of disorder (701392) on Friday May 06 2005, @12:47AM (#12448921) Homepage Journal
    As a former phreaker kiddie, http://angelfire.com/linux/the1 [angelfire.com] I know how trivial it is to "tap" or disable someone's phone with physical access to the outside of their home or the TNI in their neighborhood. This is not a major threat, because someone whould have to directly be targeting your phone to 0wn it...and if you knew people (non-government) were after your phone conversations, you can put a lock on the grey customer access box on your house, and ask your CO to secure your TNI. Perhaps someone could theoretically compromise the CO's switching equiptment, but that required either good social engneering or real leet skills. But your phone is just your phone, nothing else, so attacks are limited.

    VOIP is actually more physically secure then PSTN. You can't just hook a speaker up to a DSL line and hear the conversation on it. The problem is, your computer, and every router between you and your VOIP provider, is a general purpose device. Other people and services have access to it for all kinds of legitimate reasons; each of these provides places where people/programs can input data that can potentially directly effect your voice communications or get privilage escilation on the device and indirectly effect it. ANY security person knows to be wary of input! And think of all the ways of getting input to (and theoretically compromising) a PC. What we need is a dedicated physical console for VOIP (a small linksys network device running OpenBSD or Linux and asterix sounds good). The actual VOIP data should be sent through an SSH tunnel or some kind of VPN.

  • The big problem with VOIP (Score:4, Funny)

    by prisoner (133137) on Friday May 06 2005, @07:44AM (#12450140)
    isn't the security. Phone calls haven't been secure since shortly after the first one was made. No, the problem with VOIP is working with the fucking idiot phone vendors who do not understand what they are trying to do. I've gotten several calls from local phone guys who don't understand networking in the least and insist that they've assigned proper IP's to the phones at two seperate locations but they won't talk so it is my network problem. They then inform the customer that the problem is with the network and walk off. The phone at location #1 had an IP of 192.168.39.3 and the phone at location #2 192.168.40.5. No VPN between them. They were trying to route the traffic out over the internet connection.

    These dipshits sell the customer on thsese solutions and then when it doesn't work (routing probs or dropouts from no QOS) they call us in to sell the customer a couple thousand dollars worth of services and hardware to sell the problem. I don't mind the business but working with a customer who is on the brink of becoming an axe murderer isn't pleasant.

    • Bah! (Score:3, Informative)

      by cduffy (652)
      Yes, it has encryption -- but it's a closed, proprietary solution that's virtually impossible to integrate with anything else.

      Convincing all the SIP implementations to support SRTP is the Right Thing as a long-term solution -- heck, just implementing SRTP support for Asterisk would be a big improvement. As an immediate-term solution (particularly for companies using VoIP to connect with remote users or branch offices), running over a VPN (particularly with IAX trunking if you're connecting branch offices,

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.