Expert Unveils 'Scary' VoIP Hack 103
Kurtz'sKompund passed us a link to a Techworld article on a frightening new vulnerability for VoIP. The UK's Peter Cox has put together a proof-of-concept software package to illustrate the flaw, a program he's calling SIPtap. "The software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well. The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date."
Holy hyperbole, Batman! (Score:5, Insightful)
In other news, experts have revealed that water is scarily wet, the sun is frighteningly hot, and occasionally rain terrifyingly falls from the sky. We'll interrupt your surfing with more news as it unfolds. Meanwhile, please continue to tremble in fear of the obvious.
Re:Holy hyperbole, Batman! (Score:5, Insightful)
I'm sure he's set up his test network appropriately (hubs not switches, no VLANs in sight, every Ethernet packet visible at each node...) to spread FUD and market his services.
Very l33t, I'm sure.
Just a Slashdot advertisement feature again - there seem to be more and more of these appearing.
I'm waiting for the announcement that a program to increase penis size has been written by a bloke in the pharmaceutical industry - that'll make the fromt page for sure :P
Others will be pleased (Score:5, Insightful)
Obvious but a wake-up call (Score:4, Insightful)
Although this is obvious to many—if you're transmitting data unencrypted from A to B, someone monitoring the communication channel can of course read the data too—the reality is that it probably takes a concrete, real-world package like this, plus media coverage, to before many organizations will grasp the risk.
In other words, although much of the slashdot crowd will say "well, duh", this is a very practical wake-up call for real-world organizations that have deployed VoIP. Of course they'll need to either use encryption of trust everyone and all machines on the network.
Coming up next: An attacker with appropriate radio gear can eavesdrop on cell phone conversations!
Re:More Info? (Score:3, Insightful)
Need help from service providers to fix this! (Score:3, Insightful)
The current problem for anyone using VoIP is that it's necessary to pay some outside company to do the termination into "real world phone service", aka PSTN, so that you can make and receive calls to the normal phone network. Until the VoIP service providers start letting you do encryption all the way to their end, there's a lot of people who can listen to your phone calls much easier than in the analog days. However, this is going to cost them CPU time. But is this something that people would pay more for? I think the answer might be yes...
In any case, slightly off-topic, I highly recommend Voicepulse Connect [voicepulse.com] as an IAX/SIP termination/originiation provider to anybody who can run their own Asterisk PBX and who wants to punt the local phone company.
--
Educational microcontroller kits for the digital generation -- a great gift! [nerdkits.com]
sip has always been insecure. (Score:2, Insightful)
SIP was never intended to be anything other than a means to negotiate RTP streams. Any decent voip sysadmin would know that SIP is only trusted as far as the wires it runs on.
'Wiretapping' a sip calls is not as difficult as people may assume it to be. Im sure you would find some relatively basic instructions on doing just that using Ethereal/Wireshark online.If you can capture the traffic, you can easily pull our the RTP stream and then decode into ulaw/alaw (or whatever it was encoded as) and listen to it. Though its nice that someone has taken the initiative to build an even easier means to do this.
The internet Gods created things called vpns so that I can safely phone seX0r without the spooks getting off aswell