Forgot your password?
typodupeerror
Security Communications The Internet

Expert Unveils 'Scary' VoIP Hack 103

Posted by Zonk
from the keep-it-close-to-your-chest dept.
Kurtz'sKompund passed us a link to a Techworld article on a frightening new vulnerability for VoIP. The UK's Peter Cox has put together a proof-of-concept software package to illustrate the flaw, a program he's calling SIPtap. "The software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well. The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date."
This discussion has been archived. No new comments can be posted.

Expert Unveils 'Scary' VoIP Hack

Comments Filter:
  • by plover (150551) * on Friday November 23, 2007 @11:12AM (#21453937) Homepage Journal
    Not only that, but ethernet data traffic can be read [ethereal.com] by someone else on the network, and wi-fi traffic can be monitored [kismetwireless.net] by someone even without wires.

    In other news, experts have revealed that water is scarily wet, the sun is frighteningly hot, and occasionally rain terrifyingly falls from the sky. We'll interrupt your surfing with more news as it unfolds. Meanwhile, please continue to tremble in fear of the obvious.

    • Re: (Score:2, Informative)

      by NoxNoctis (936876)
      This is why I SSH tunnel any truly sensitive traffic to as close as I can get to the destination.
    • by aix tom (902140)

      So to which politics-critter should I write to get that rain thing taken care of? It's responsible for most of the rust on my car.

      Funny how many of this stories surface, which basically just state the same "everything that is not encrypted on the network can be seen pretty easily" over and over again.

    • by aproposofwhat (1019098) on Friday November 23, 2007 @11:26AM (#21454029)
      So some bloke who's about to start up a VOIP consultancy firm has made a SIP traffic sniffer, which he claims will allow the recording of SIP calls on a network.

      I'm sure he's set up his test network appropriately (hubs not switches, no VLANs in sight, every Ethernet packet visible at each node...) to spread FUD and market his services.

      Very l33t, I'm sure.

      Just a Slashdot advertisement feature again - there seem to be more and more of these appearing.

      I'm waiting for the announcement that a program to increase penis size has been written by a bloke in the pharmaceutical industry - that'll make the fromt page for sure :P

      • If you think that's necessary, I urge you to look up the PCAP software and how it can be used to monitor the traffic to arbitrary MAC addresses on your network unless your switches are very sophisticated and very carefully programmed.
        • by Feyr (449684)
          you're thinking ettercap, pcap works passively and wouldnt fool a switch
      • by Vellmont (569020)

        I'm sure he's set up his test network appropriately (hubs not switches, no VLANs in sight

        If you think a switch protects you from sniffing, thing again. There's several ways to sniff switch traffic, arp poisoning, faking dhcp responses, etc. VLANs might be a bit trickier, but it isn't always practical to have a separate network for just the voip traffic. The general rule is to not rely on your traffic being kept secret if someone can get inside your network.
    • by Vorknkx (929512)
      (Score:5, Obvious)
    • by Scooder (1193279)
      This just in, without blinds your neighbours may be able to watch you undress.
    • by MoogMan (442253)
      Wireshark [wireshark.org] has the ability to reconstruct RTP streams, and has been able to for some time. "SIPtap" is doing the same thing. Hyperbole indeed.
    • The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date."
      Wow -- even by date!! What evil genius was able to come up with a clever way to get a computer to tell you what day it is? These kids are too smart for their own good. All hackers and potential hackers - hell, everyone under 30 - should be jailed forthwith.
    • VoIP traffic is mostly unencrypted making sniffing it out and recording it very trivial. Try and find a VoIP provider that uses encryption. The only problem with encrypting voip traffic is that call quality suffers.
  • Wow (Score:5, Funny)

    by telchine (719345) on Friday November 23, 2007 @11:13AM (#21453945)
    The german police will be pleased!
    • by JonTurner (178845) on Friday November 23, 2007 @11:30AM (#21454049) Journal
      The telecom companies will be pleased. They're terrified of VOIP, and are holding on to their monopoly customer-no-service business models as long as they can. So any "bad news" that scares customers away from internet phone and back into their clutches is welcomed.
      • by octal666 (668007)
        phone calls can be tapped (but don't tell anyone, it's a secret)
      • Actually it's just the opposite - businesses that buy PBXs have been buying IP PBXs for the last few years as opposed to traditional TDM PBXs, and they'd rather buy VOIP interconnections to the telco networks than put in extra boxes with T1 or T3 interfaces. So scaring the market about VOIP not only annoys their customers, it gets many of their customers want more complex discussions about VOIP security - and given the appalling state of equipment vendor SIP compatibility out there, it's making it tougher
    • Re: (Score:3, Funny)

      by Evan Meakyl (762695)
      Maybe the beginning of a new /. meme... congratulations!
    • Now if only Joerg had read that article before saying what he did... http://it.slashdot.org/article.pl?sid=07/11/22/2342249 [slashdot.org]

      Göring would have been very disappointed.
  • Another intentional hole for NSA to listen to everything...
    • Yet, the NSA really does not need many backdoors, since so many are left in by MS windows, or any number of new protocols. In general, any new OS or protocol is designed for simplicity, and rarely makes security #1. Look at SNMP. It took 3 versions to get it right (neither snmp 2 was truly secured).
  • by illogic (52099)
    A perfect time to mention...

    Zfone [zfoneproject.com] - free (as in beer) encrypted VoIP.

    Get it while it's still legal!
    • Re: (Score:2, Interesting)

      by JackMeyhoff (1070484)
      How do you know? From their advertisement or have you checked? I never take things on face value. Anyway, if they really want to listen you stand no chance.
  • This is soo old! (Score:3, Informative)

    by Kris2k (676294) on Friday November 23, 2007 @11:19AM (#21453991)

    I recall seeing a project on freshmeat in 1999-2000 about the exact same functionnality. Granted, it wasn't as refined as this one, but it did exactly what it had to do; sniff packets over the wire, decode them, and send them to your DSP.

    This is old, and that's why people today use VLAN tagged phones to seperate VOIP traffic onto another network, combined with switches that don't allow promiscuous activities, intrusion detection systems, picky switches that don't like MAC changes, and voilà, problem solved for the distribution networks.

    There will always be ways to tap coversations, and if you think you pots land line is secure *chuckle*, get real.

    • In fact, there are entire open source and commercial products predicated on being able to do this.

      For example:

      http://www.orecx.com/ [orecx.com]
    • that's why people today use VLAN tagged phones to seperate VOIP traffic onto another network, combined with switches that don't allow promiscuous activities, intrusion detection systems, picky switches that don't like MAC changes, and voilà, problem solved for the distribution networks.

      I'm not up on IP phone networking/security concerns. Should I be concerned that staff at this office just dropped the shiny new IP phones on the same network as the PC's? I have one port in my cube: CAT-5 daisy-chain

      • by rcw-home (122017)

        I'm not up on IP phone networking/security concerns. Should I be concerned that staff at this office just dropped the shiny new IP phones on the same network as the PC's? I have one port in my cube: CAT-5 daisy-chains from the wall to IP phone to PC. Or do I just need to ask for more tin foil in the supply cabinet?

        More tin foil. Most phone system vendors will set a company's office phone system up on a separate VLAN, then allow access to that VLAN through any port on a wall that a phone was supposed to g

      • by stimuli (37803)
        It depends on how they configured it. Just because a PC is daisy-chained off of the phone does not mean that the phone and voice traffic are on the same vlan.
      • Most networks now are switched, not using open hubs. In a switched network, you can't just stick a network card in promiscuous mode and hear all the traffic. The switch connects two two ends that are talking, (e.g. your phone and pbx) and excludes that traffic from anyone else on that switch.

        The vulnerable points come after the switch, for example if all the phones use a switch, and that switch has a connection to the PBX, than if you could insert a hub between the pbx and the switch you could use this ha
  • More Info? (Score:5, Interesting)

    by TheGreatDonkey (779189) on Friday November 23, 2007 @11:19AM (#21453993)
    I read TFA and I didn't see any information that makes this any different than using Wireshark to capture and reassemble the packets and do this (it is fairly easy)? What is so drastically advanced about this discovery? Additionally, isn't a switched network generally protected by this unless a port is specifically configured for packet forwarding? That would be one spiffy trojan to hack into the switch as well and configure this. Also, most VOIP installs I have seen have, at the vendors install requirement, the VOIP phones be on their own VLAN from the data side of the network, further limiting the exposure?
    • Re: (Score:3, Insightful)

      by jav1231 (539129)
      I was wondering the same thing. The hacker would not only have to infect a PC on the network, it would have to be on the voice span. That's something that is not likely since you generally separate your user segment and your voice segment. The two only share WAN pipes to move from one network to another. Then again, this is a proof of concept.
      • Re: (Score:1, Informative)

        by Anonymous Coward
        Check out this particular magic spell [wikipedia.org]. If you do not have separate LANs for VoIP and other data, or one of your computers uses a software VoIP client on the VoIP network, a single infected machine is sufficient for an attacker to listen in on all calls (unless your network admins have a clue and detect and isolate unauthorized MAC address changes.) Some SOHO switches can also be turned into hubs by flooding their MAC address table.
        • by Melkman (82959)
          Oooh, fun. What do you think will happen if you redirect all traffic of a segment through a single desktop PC ? And that is what you will need to do to get all conversations. Switches were not primarily invented for security but for improved performance you know. I have a hunch people will notice the performance drop. Seeing that I get an average incoming traffic of 200Mbps on a single 240 port switch stack and those are pretty normal office workers. Spotting the infected PC will be easy... it's the one wit
          • You don't need to ARP-jack _all_ the traffic for your building, and ideally you don't want to. But if you can pull off the attack successfully (and I'm not convinced you can), what you want to do is only steal the traffic pointed at your VOIP PBX, which will get you the signalling traffic and probably outbound VOIP traffic as well. If you're not as lucky, the VOIP services will run on the same router that connects you to the outside world, but if that's the case it's usually only a T1 or two, not a T3, so
    • What is so drastically advanced about this discovery?
      From the summary (emphasis mine):

      The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date."
      ;-)
      • by Fred_A (10934)

        From the summary (emphasis mine):

        The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date."
        ;-)
        I suppose we can count ourselves lucky that it's not advanced enough to figure out the exact time of the calls (yet).

        Still, technology is frightening (ooooh, lookat all em numbers)
  • by whamett (917546) on Friday November 23, 2007 @11:30AM (#21454057)

    Although this is obvious to many—if you're transmitting data unencrypted from A to B, someone monitoring the communication channel can of course read the data too—the reality is that it probably takes a concrete, real-world package like this, plus media coverage, to before many organizations will grasp the risk.

    In other words, although much of the slashdot crowd will say "well, duh", this is a very practical wake-up call for real-world organizations that have deployed VoIP. Of course they'll need to either use encryption of trust everyone and all machines on the network.

    Coming up next: An attacker with appropriate radio gear can eavesdrop on cell phone conversations!

  • by curty (42764)
    This guy has written a demonstration program to show how easy it is to "hack" VoIP traffic. Ok, the program has to be on the same network as the traffic (oh yeah, just use a trojan), and the traffic has to be un-encrypted, but once those conditions are satisfied, his 1337 code will intercept any call!

    I wonder why he decided to publish such a scary VoIP hack?

    FTA:

    Cox is currently running a series of workshops on VoIP threats in conjunction with SIP Services Europe, and has published his own Video podcast on the topic.

    He was inspired to write the software after conversations with encryption guru Phil Zimmermann, creator of Zfone, the latter designed to protect against SIPtap-like hacking by using VoIP call encryption.

  • This is a tool. I have been looking for a way to log my home phone calls using my WRT54G to an external samba share - but havent found code I can build for the device. Maybe I should get in touch with these guys.

    PS can any hack just say they are a security researcher nowadays?
  • This has been known for awhile, but I'm assuming the program referenced just makes it easier.

    At any rate, this is why I really wished SIP would have required a mandatory encryption scheme. Skype does, but I'd rather use a protocol that's open and interoperable. SIP does have encryption provisions (SRTP, TLS, etc..), but they are a bit difficult and not widely used (so completely pointless). It should have been something mandatory, though I can understand that encryption latency would have ramifications o
    • by tengwar (600847)
      Probably obvious to you, but for those who don't know - SIP is the "session initiation protocol". It's just the call setup mechanism, but it specifies what form the call will take. The most common type of call is over RTP (real time protocol), but this isn't mandatory. RTP is based on UDP, which means that you can't trivially use TLS (which requires the reliable transport of TCP to keep in sequence). Two means of encryption have been proposed to secure the call voice stream (as opposed to the setup data, wh
      • More to the point, there are two kinds of connections in a SIP conversation - the SIP-protocol signalling between the endpoint and the PBX (or equivalent), and the media connection between the two endpoints that carries the actual voice/video/IM/etc. (Normally the media channel is directly between endpoints, e.g. two phones in the same office, and only touches the PBX if one endpoint is a non-VOIP telco line or if there's some special NAT requirement.)

        Encrypting the signalling channel is a pretty straigh

  • is this really news? vomit [xtdnet.nl] has been out since 2001 and etherreal has been doing this since about 2003...
  • by t00le (136364)
    I manage telecom and netsec for a large company who dials roughly twelve to fifteen million calls per month over SIP/RDP. This really isn't all that new since almost all recording products do this to maintain compliance and such. How is this any different than rootkitting a machine and starting a wireshark/ethereal script w/ pcap. Installing any of these would be trivial once a machine is rootable.

    Capture filters exist for most products to re-assemble rdp traffic, but the simple solution would be to use srd
  • the NSA will let us do away with $40 a month cell phone bills. Thank you mysterious hacker!

    The future of VOIP isn't P2P, it looks more like Mail servers. Asterix boxes with a central lookup table, routing calls and availability based on specific connections to servers.

    Unfortunately this system quickly becomes encrypted and impossible to monitor, so the fact that everyone could be using the 64kbps required for voip at the same time and not saturate a fraction of the wireless spectrum won't be enough to d
  • Uhh.. Yes.. (Score:5, Interesting)

    by zoid.com (311775) on Friday November 23, 2007 @11:52AM (#21454205) Homepage Journal
    We use this method to record call center traffic. Have a look at Orecx http://www.orecx.com/ [orecx.com] . This is not a hack. Also switches will not send the traffic to all systems on the network so you will have to turn on SPAN or use a dumb hub. No news here.
    • Just some basic understanding of the networking stack. You can easily arp spoof to create a MITM attack against users on a common subnet.

      http://www.watchguard.com/infocenter/editorial/135324.asp [watchguard.com]
  • by compumike (454538) on Friday November 23, 2007 @11:58AM (#21454247) Homepage
    I run a small business VoIP phone system with 5 hardware phones, some small number of software phones, and an Asterisk setup. Sniffing traffic and reassembling conversations could definitely happen. The protocols to secure this are already out there:
    • encrypted SIP - would make sure the information about who you're calling stays encrypted
    • secure RTP (SRTP) - would encrypt the actual call audio (and video)
    • encrypted IAX - would do both, though only between Asterisk endpoints

    The current problem for anyone using VoIP is that it's necessary to pay some outside company to do the termination into "real world phone service", aka PSTN, so that you can make and receive calls to the normal phone network. Until the VoIP service providers start letting you do encryption all the way to their end, there's a lot of people who can listen to your phone calls much easier than in the analog days. However, this is going to cost them CPU time. But is this something that people would pay more for? I think the answer might be yes...

    In any case, slightly off-topic, I highly recommend Voicepulse Connect [voicepulse.com] as an IAX/SIP termination/originiation provider to anybody who can run their own Asterisk PBX and who wants to punt the local phone company.

    --
    Educational microcontroller kits for the digital generation -- a great gift! [nerdkits.com]
    • by sirket (60694)
      I second the Voicepulse Connect recommendation. Their web page sucks, a lot of information is missing, but in the end they're not doing that to hit you with hidden fees, their web department just looks to be incompetent :)
    • Re: (Score:2, Interesting)

      Has anyone else tried Phil ZimmermanN's Zfone? Available on OS X, Linux, and windows, it does end-to-end (up to applications) encryption, from the father of PGP. The code is available for review. The interface is quite slick and his reputation is platinum. Is there anyone else trusted more? It works with many sip clients: X-Lite, Gizmo, XMeeting, Google Talk VoIP client, SJphone, and Asterisk PBXs. It also works with iChat audio and video and these VoIP providers: Free World Dialup, iptel.org, and S
  • Well I just find this beggars belief that the article comes across as if theres a new hole in voip and in this case SIP.
    SIP was never intended to be anything other than a means to negotiate RTP streams. Any decent voip sysadmin would know that SIP is only trusted as far as the wires it runs on.
    'Wiretapping' a sip calls is not as difficult as people may assume it to be. Im sure you would find some relatively basic instructions on doing just that using Ethereal/Wireshark online.If you can capture the traffic,
  • My Vonage VOIP box sits behind a Linux-based router/home fileserver with 2TB of storage, and I'd love to have something that would automatically record, decode and store all of my phone conversations. In the same way that I find it useful to log IM chats and save all my e-mail, I think it could be very handy from time to time to have complete logs of my phone conversations. Not so much as proof of conversations but as a way to backstop my very poor memory and abysmal note-taking skills.

    I experimented wi

    • Most services like this use G.729. You can find code at www.vovida.org
      • by swillden (191260) *

        Most services like this use G.729. You can find code at www.vovida.org

        Thanks. Indeed, my VOIP box uses G.729 when in "low bandwidth" mode, some unidentified codec when in medium mode (RTP packet type 2) and PCMU when in "high bandwidth" mode. I haven't found a free G.729 implementation that runs on Linux, but I did find that orkaudio can already decode PCMU. I installed orkaudio, configured it to output pcmwav files, hacked a quick shell script to convert them to ogg and installed it in a crontab. Works perfectly.

        Sometime I'll also have to write a script to parse the

        • by Fnord666 (889225)

          Sometime I'll also have to write a script to parse the tapelist.log file orkaudio generates, and make a nice little index associating the audio files to the phone number called, and then I'll have a nice history of all my phone conversations.
          Just grab and install OrkWeb/OrkTrack [sourceforge.net]. It's part of the same software suite and handles all of that for you.
    • by karnal (22275)
      Make sure you're in a one-party state before you go recording all calls.

      http://www.callcorder.com/phone-recording-law-america.htm [callcorder.com]

      I was going to just post the states and whether they are 2 party or 1 party (see middle of link above) however Slashdot kicks me out with a Lameness filter. Derp.
      • by swillden (191260) *

        Make sure you're in a one-party state before you go recording all calls.

        I am (Utah). I looked up the law before I started trying to do it the first time.

      • From the link:

        While the U.S. federal law only requires one-party consent, many states have accepted different laws. In some states all parties must give their consent or at least be notified that the call is about to be recorded (with necessary opt-out option: if you dont like them to record the call, you can ask them to stop recording). There also was a case law decision from many years ago (the 1950's) that went to the Supreme Court and affirmed that the federal law does not supersede state authority/statutes unless the call or the tap crosses state lines that is why each state went ahead and established their own guideline/statute

        (emphasis mine) IANAL, but what if I set up a system where I record the conversation, but before sending it to my storage server I proxy it (to another state, or even another country)? Would I be able to waive the notification requirement?

  • Borderware has more than one said things along these lines then pointed out they sell a product that solves all the problems. The little thing they forget to mention, SIP can run over TLS or not. When it is running over TLS, SIPtap and others like it don't work. This is the same as imap, pop, and http. If you don't run them over TLS (or SSL as it used to be known), well someone with a sniffer can read it. I'd like to point out that Cox would like to take credit for this but there has been a program that doe
  • And for over a year already.
  • Patch the format, move on. No comms are ever going to be 100% secure, but we should work to fix publicized holes like this rather than flintch from the impications.
  • You know. Almost 3 years ago when I was researching VoIP I found that this was already capable and software existed (at least) for Linux that did it. Why is it so much more scary now? Is this chaps method easier? Perhaps it works on windows?
  • http://www.shmoocon.org/2007/presentations.html [shmoocon.org]
    Scroll down to Sunday - March 25th, 10:00 am presentation
    Joel Bruno and Eric Smith
    VOIP, Vonage, and Why I Hate Asterisk

    You can download video of their presentation.
    Basically, intercepting RTP (voice traffic) is as trivial as any other traffic.
    The question is, does the equipment respond to unsolicited ARP replies?
  • Ethereal had this for years.. Although not automatic. But you still can match calls by SIP URIs and reconstruct wavs from the stream.
  • Encrypt your streams, encrypt your data, encrypt your voice.

    Few, but more than you would think, devices and providers understand Secure Real-time Transport Protocol (SRTP) [wikipedia.org] for SIP channels.

    It's important that we get this working in the free software world as well:
    http://www.voip-info.org/wiki/view/Asterisk+encryption [voip-info.org]

    Blowfish or not, any encryption is better than no encryption.

  • First of all, SIP sniffers with GUIs that can monitor calls have been around a long time.

    Second, if you already have direct access to the network, the victim has bigger problems than a SIP sniffer. Why not corrupt the TFTP server and own every phone?

    Third, on any plausible network, having a trojan on one PC would only let you sniff that PC's traffic. I'm going to assume they set up a fake network with hubs from the 1990s.

    That article is horrible, and obviously written by someone with zero VoIP experience.
  • But seriously. Doesn't this mean that VoIP is as subject to man in the middle attacks as any other digital process. The end result as far as I can see is that VoIP is as subject ot wiretap as a non VoIP phone (I hesitate to say POTS as not all "standard" phone lines are POTS) Perhaps a bit less mechanical than most think a wiretap is, but no less likely to conceive of.
  • Yeah, this is really "Duh". I've always been surprised at the complete lack of thought given to security in SIP devices and protocols.

    Here's a good example. Most of the SIP hardphones on the market right now have a feature that allows them to be answered automatically when phoned. You just pass a non-standard header in the Invite message telling the other end to auto-answer. This feature is useful for manufacturers that want to sell "consoles" which allow an operator to control all the phones or do thi
  • Cain and Abel (http://oxid.it) has had this capability (along with many others) since February 26 2005. I have personally ran forensics on a machine that had harvested many voip calls off the network.
  • This is how every call center performs voice recording when using VoIP...

    Nothing to see here kids, move on

    Sheesh

    Mark

If you aren't rich you should always look useful. -- Louis-Ferdinand Celine

Working...