About us
Contact us
RSS
Newsletters
Blogs
Video
Follow us on Twitter
EVENTS
TOPIC AREAS
RESOURCE CENTRE
Computer & Internet Security News
22 November 2007
Expert scares world with VoIP hacking proof
An expert has released a proof-of-concept program to show how easy it would be for criminals to eavesdrop on the VoIP-based phone calls of any company using the technology.
Called SIPtap, the software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well.
The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date. Running from August this year until the most recent tap on 21 November, SIPtap had no problems in extracting enough information on the test network to prove that call recording of any and every VoIP call at a hypothetical company was now a trivial exercise.
SIPtap demonstrates that the worst-case nightmares of VoIP vulnerability are now well within the capabilities of organised crime, which could use such a program to steal confidential data from companies, governments and even the police.
The demonstrator is the work of UK-based VoIP expert, Peter Cox, who co-founded and was CTO of firewall vendor BorderWare, before leaving the company last summer to start his own VoIP consultancy, due to be up and running by Spring 2008. He was inspired to write the software after conversations with encryption guru Phil Zimmermann, creator of Zfone, the latter designed to protect against SIPtap-like hacking by using VoIP call encryption.
"We are in the early days of VoIP, but there is a knowledge gap," said Cox, lamenting the naivety about VoIP's inherent security weaknesses among the mostly telecoms-oriented engineers building such systems. "Companies using VoIP internally think they are protected."
"The threat is that an attacker engineers a Trojan and has it sit there passively [on a network], recording calls from anywhere on the Internet," says Cox.
His advice was simple. "Apply the same vigour when building a VoIP network you would when building a website."
Cox is currently running a series of workshops on VoIP threats in conjunction with SIP Services Europe, and has published his own Video podcast on the topic.
Follow highlights from Techworld on Twitter
Stay Informed > Subscribe to our Newsletters
The UK IT News widget Get it for your site!
<<newer article | back to index | older article>>
close
close
Email this article to a friend or colleague:
PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.
close
- This article is now being printed.
close
What are your views on this subject? Use the form below to post a comment on this article up to 1000 characters.
close
What is this?
Click below to add 'Expert scares world with VoIP hacking proof' to your blog.
If you do not have a ComputerworldUK Account and would like to use this feature, please Register.
If you are a registered, logged-in user, this will post the title and first paragraph of this story to your blog to share with your readers.
Subscribe to the Computer & Internet Security newsletter
Recent Computer & Internet Security news
- New Firefox bug not exploitable says Mozilla
- Mozilla crunches first critical bug in Firefox 3.5
- Researchers set to reveal SSL vulnerability
- Freecom puts swipe-card security on hard drive
- CEOs cautioned for underestimating security risks
Subscribe to the Computer & Internet Security news RSS feed 
Other recent Techworld news
- Oracle price hikes part of greater plan say experts
- Netbook users will be wary of Windows 7 says analyst
- Borland's silky approach to testing
- Accenture set to buy Symbian support unit
- Smooth transition to Azure says Microsoft
Recent Computer & Internet Security features
- How to buy UTM products
- Getting to grips with PCI Security Standard
- How to assess laptop encryption products
- Securing servers in the cloud
- Admin tips for securing Vista
Recent Computer & Internet Security reviews
- AutoSave Encrypt
- Passpack privacy manager 6.2
- PicturePIN-XP password manager
- SanDisk Cruzer Enterprise
- Memeo Backup Premium 3.5
Latest PC Advisor news
- US named as top spam-producing country
- 90% think mobile termination rates are unfair
- Orange and T-Mobile to offer iPhone 3G?
- Upgrading between Windows 7 versions too costly
- Windows 7 support added to Home Server
Computer & Internet Security topics
Authentication,
Email security,
Firewall protection,
Internet security,
Internet security system,
Intrusion,
Intrusion prevention,
Intrusion prevention system,
Personal firewall,
Security software,
Spyware software,
User authentication,
Virus program,
Virus software,
Windows firewall,
Wireless LAN security,
Wireless security
All topics »
WHITE PAPERS
- Seven Ways ITIL Can Help You in an Economic Downturn
Learn more about how ITIL can help your business weather the economic storm, and how it can leave you better positioned for growth when the economy begins to rebound. - Modernizing IT: Strategies for Improving Service Quality and Reducing IT Costs
Working harder simply won’t get you there. No matter how many people you allocate, sinking more labour into old IT practices cannot concurrently meet rising demands on IT and cut costs. Read about cost-effective, automated ways to meet this challenge head-on in this whitepaper. - Ten tips on security for your business
Security of your customer data and business information is vital, this guide covers the essential issues in an easy to understand straight-forward way. - Business Continuity - Are you always open for business?
Business continuity is not an end in itself, but the key to improving performance. Oracle solutions for midsize organisations contribute by providing a secure, easily accessible, and always available information infrastructure thats's also simple and cost-effective to manage. This Oracle Business Brief explains how. - A guide to understanding hosted and managed messaging
Messaging has become absolutely critical to the operation of most enterprises and has become something of a utility, much like electricity or water provision in certain key respects. Learn more with this Osterman research whitepaper.
Techworld topic pages
|
|
- About Techworld | Contact | Privacy Policy | About IDG | All contents © IDG 2009 | webmaster@techworld.com
- Infoworld | Networkworld | Tecchannel | Techworld Netherlands | IT World Canada
Comments received
KAMAL said on Thursday, 22 November 2007
looks like there will be a marriage between voip vendors and security providers- cisco has both divisions in house, but for the avaya's etc, they will probably have to look to someone like juniper to provide security enabled voip
Boots said on Thursday, 22 November 2007
fyi: cisco philosophy is "your voice is just as secure as your data" with a 800 lb solution at 800pounds of cost! No, the solution is available to all and can be found in this article (or at ripcord.com ;)
paul.bentley@firstgroup.com said on Friday, 23 November 2007
nice for a home project ;-)
Bubber said on Friday, 23 November 2007
Ok i'm confused. We are unhappy because VoIP has the same vunerability as regular Landlines. Hasn't the Police and Government been taping the phones of people for years. So basically this article says that anyone (Not just the Government)can Wiretap your Internet Phone. Well anyone can do that with cell phones and Landlines with the right equipment.Right now.
dogstar said on Friday, 23 November 2007
Yep, I agree with Bubber. Analogous to alligator clips on a phone line. Nothing to see here, move along . . .
Reece said on Friday, 23 November 2007
Sounds like this is something the government could be really worried about if this is true then Video confencing could also be a security issue. Maybe?
GL said on Friday, 23 November 2007
This guy is obviously trying to make capital for his own company. VoIP security has been real for a number of years now. Albeit, still not well deployed yet. Nonetheless, it is available and you should start using it.
Many security protocols are well defined and good implementations are available from many VoIP software vendors (M5T, RadVision and numerous opensource projet is you google a bit) like SRTP, ZRTP, TLS, MIKEY, IPSec and so on. Phil Z. is pushing for its ZRTP protocol. It is used in combination with SRTP to secure the voice path. However, other solutions also exist, like DTLS/SRTP, MIKEY/SRTP or SDESC/SRTP. Equipment that effectively implement security are also available from many vendor. Just make sure that the Soft-phone / equipment you are using is compliant with the most recent protocol specifications and you will be protected against this trivial SIPtap software.
GL
GL said on Friday, 23 November 2007
This guy is obviously trying to make capital for his own company. VoIP security has been real for a number of years now. Albeit, still not well deployed yet. Nonetheless, it is available and you should start using it.
Many security protocols are well defined and good implementations are available from many VoIP software vendors (M5T, RadVision and numerous opensource projet is you google a bit) like SRTP, ZRTP, TLS, MIKEY, IPSec and so on. Phil Z. is pushing for its ZRTP protocol. It is used in combination with SRTP to secure the voice path. However, other solutions also exist, like DTLS/SRTP, MIKEY/SRTP or SDESC/SRTP. Equipment that effectively implement security are also available from many vendor. Just make sure that the Soft-phone / equipment you are using is compliant with the most recent protocol specifications and you will be protected against this trivial SIPtap software.
GL
lattera said on Friday, 23 November 2007
"single PC inside the network." I'm wondering if this was testing on a network using hubs and not switches. Unless VoIP packets are broadcasted to the whole network, I don't see how this is possible, since the VoIP client connects directly to the VoIP server (with routers in between, of course).
It seems to me this is more a vulnerability of network layout/design and not VoIP. Also, as mentioned before by other people, encryption products exist to keep the data confidential. I fail to see how this "vulnerability" really is a vulnerability.
Cullen Jennings said on Friday, 23 November 2007
This article it technical very inaccurate and I suspect Cox is just trying to drum up support for his company. What he is showing here as "new" has been discredited many years ago with vomit came out. It does not work when the the security features of VoIP (TLS and SRTP in this case) are not turned off.
Mark said on Friday, 23 November 2007
The ease of recording VOIP calls is actually a selling feature for many companies. The ease of which you can record VOIP calls makes it very inviting when trying to do quality monitoring in call centres.
Of course people need to be careful to protect against outsiders recording their calls, But this can gaurded against and is not anything to be too frightened of.
Haggar the Horrible said on Friday, 23 November 2007
We've been running Mitel 3300 ICP units for years with no issues regarding security because even though the unit is "SIP capable" we use the default "encrypted" MiNET protocol for all calls. Its secure, move on......
msoulier said on Friday, 23 November 2007
Is this just glorified packet sniffing? If so, who cares? We knew that already.
WhiteWiz said on Friday, 23 November 2007
If your VoIP traffic is properly contained within it's own VLAN (a segregated area in your network switch) it may never reach your PC. This depends on how your equipment is hooked up. Most/our PC's are hooked into a network switch inside the IP phone so 2 network drops are not required. As long as the phone properly filters the VoIP VLAN you're golden. IF the VLAN reached to the PC the Trojan would have to put the PC's network card into Promiscuous mode (yes it's really called that) to to receive traffic from multiple VLANs. The defacto standard way to do that is software called WinPCap...You can see how this gets real complicated real fast. I'm not saying it's impossible, just improbable on a correctly setup network. It's an interesting payload but the threat is the Virus/Trojan, the payload is irrelevant.
WhiteWiz said on Friday, 23 November 2007
If your VoIP traffic is properly contained within it's own VLAN (a segregated area in your network switch) it may never reach your PC. This depends on how your equipment is hooked up. Most/our PC's are hooked into a network switch inside the IP phone so 2 network drops are not required. As long as the phone properly filters the VoIP VLAN you're golden. IF the VLAN reached to the PC the Trojan would have to put the PC's network card into Promiscuous mode (yes it's really called that) to to receive traffic from multiple VLANs. The defacto standard way to do that is software called WinPCap...You can see how this gets real complicated real fast. I'm not saying it's impossible, just improbable on a correctly setup network. It's an interesting payload but the threat is the Virus/Trojan, the payload is irrelevant.
Duane Storey said on Friday, 23 November 2007
As someone in the voip industry, I can tell you that this isn't anything to worry about. Unless the house or the office sends all traffic to every computer, this is rather useless, as you would only be able to trap your own calls. Most corporate routers only send your computer traffic that is ultimately destined for you -- traffic meant for other people (i.e. other calls), never even end up at your machine, so they can't be trapped.
If your network at work was actually in this configuration, you'd have a lot more problems than people easedropping on your calls.
Boots said on Friday, 23 November 2007
fyi: cisco philosophy is "your voice is just as secure as your data" with a 800 lb solution at 800pounds of cost! No, the solution is available to all and can be found in this article (or at ripcord.com ;)
AR said on Friday, 23 November 2007
Anyone who sends anything over the internet and believes it is 100% safe is living in dream land. If you want route calls over the internet then you accept the risks that come with it.
VoIP of any type in the enterprise environment can be secured just like the data network, secure the data network and your voice is secure, encrypting your voice is a measure to ensure the stream if captured is useless or at least you have to go to greater lengths to decrypt it.
All the VoIP sniffing tools I have seen rely on the media packets traversing a device that can pick them up and the only other way would be a man in the middle attack, however appropriate switches and security from 5 years ago will mitigate this.
I agree with those that said this guy just wants to give his company a plug.
Show us something that is a real issue.
4Khicx said on Saturday, 24 November 2007
Well....I am not sold on how a malware infection could pull this off....without an insider intervention.VoIP networks are usually run separately from data and without really putting a sniffer in the VoIP path (which is easy to do, but you do need an insider), I can't see how you can pull this off. Additionally, VoIP comms are encrypted, atleast on the Avaya system I know about.
Nathan said on Saturday, 24 November 2007
nothing new to see here; google for "sip vomit" or see vomit.xtdnet.nl or www.voip-info.org
Any decent setup will use VLANS on a switched network, SRTP (RFC 3711), etc. for security. This is all documented in the myriad of VoIP books available today. Indeed, there are even dedicated VoIP security books!
Vishal Mishra said on Saturday, 24 November 2007
What are the VoIP threats he points out?
Chris said on Saturday, 24 November 2007
This only applys to companys using SIP trunks to make calls over the internet - this DOES NOT work with companies who have private internal voip phone systems connected to a real t1 phone circuit. And this is only possible if you have access to sniff at a router level. Not any PC on a network. Poorly written - lots of false non specific information
Someone said on Saturday, 24 November 2007
I don't see the big deal, a Company I used to work for is doing this and even more for the last 7 year for VoIP and 15 years for Digital/Analog lines with FAX / DialUP / WiFI / ISP recording and reconstructing.
Very Very old NEWS
martin said on Sunday, 25 November 2007
Good that Skype doesn't use SIP , right ?
Peter Cox said on Sunday, 25 November 2007
I am pleased that John Dunn’s write up of my siptap utility has attracted so much interest. Siptap was written as a proof-of-concept, to show that VoIP call eavesdropping is possible. The reaction to John’s article has been fairly equally divided between praise for drawing attention to the problem and accusations of scare-mongering because “VoIP security has been real for a number or years” .
I am the first to agree the problem is solvable, but no amount of security technology will help unless that technology is deployed. Many VoIP networks still lack basic security controls. The motivation behind Siptap was to demonstrate the need for better use of VoIP security controls.
One posting suggests that TLS and SRTP (encryption) have to be turned off for siptap to work. The reality is that most VoIP networks do not use encryption. Many VoIP phones are still incapable of handling encryption and a recent posting on the IETF SIP mailing list showed that only 25% of devices supported SRTP.
Peter Cox said on Sunday, 25 November 2007
Martin suggested that "Good that Skype doesn't use SIP , right ?" Wrong!
If Skype used SIP or some other open standard then at least there would be an opportunity independent analysis of the protocol. History has taught us that open standards promote better security, close proprietary protocols do not.
Wally said on Monday, 26 November 2007
If Peter Cox was truly concerned about VoIP security he would have revealed his method. I concur with lattera and WhiteWiz that he does not have corporate switching infrastructure but has hubs where he can capture the traffic using sniffer trechnologies.. What a scammer
DRV said on Monday, 26 November 2007
Quite the title. I do not believe this article has the impact as the title implies. From reading the responses below it would seem if you encrypt your audio, and segment your computer network from your ip-telephony network this threat is suffocated.
Nice piece of stolen work said on Monday, 26 November 2007
Awesome, except I saw the guys that wrote this and presented it at Shmoocon '07. Don't believe it? Check out the Shmoocon website and watch the video archives.
chasefranklin765 said on Monday, 26 November 2007
The real issue is we're placing a sophisticated network solution in the hands of under qualified network people and thinking they have the needed expertise to make our VoIP PBX safe.
What companies need to do is rethink the PBX on site model and adopt a hosted VoIP PBX solution. This leaves the question of security up to the vendor and with size, volume and unlimited capacity the cost of security is more easily spread out.
A solution such as one found at www.dls.net offers the best of both worlds.
reswob said on Monday, 26 November 2007
I noticed that Peter Cox did respond to comments, but he didn't answer a key question that was brought up: If the voice traffic is segregated between a data VLAN and a voice VLAN, will SIPtap work? Does SIPtap have a tool a la voiphopper (voiphopper.sourceforge.net)? If it doesn't, I agree that this tool is mostly show, simply pointing out nothing security professional didn't already know.
Even though a small percentage of implementations do not encrypt, I would bet that a much higher percentage do separate traffic onto multiple VLANs which would render SIPtap ineffective without a VLAN hopping mechanism.
reswob said on Monday, 26 November 2007
BTW, if the VoIP phone is in front of the PC, putting the PC NIC card in promiscuous mode will not enable it to receive VoIP traffic. The VoIP phone LAN connection is typically a switch, thus any VoIP traffic sent down the single physical wire would stop at the phone and not be sent to the PC. The switch in the VoIP phone would only forward traffic to the PC meant for the PC.
jeff said on Monday, 26 November 2007
I dont see trojans/malware being much of an issue due to the already mentioned traffic usually being segmented. That does not make the threat level much lower though. The majority of "hacking" comes from inside a network. It would not be that difficult to spoof the vlan a host belongs too and take the phone out of the loop. I dont know about you but i think it might be somewhat interesting to have a recording of what my manager says over the phone.
jeff said on Monday, 26 November 2007
I dont see trojans/malware being much of an issue due to the already mentioned traffic usually being segmented. That does not make the threat level much lower though. The majority of "hacking" comes from inside a network. It would not be that difficult to spoof the vlan a host belongs too and take the phone out of the loop. I dont know about you but i think it might be somewhat interesting to have a recording of what my manager says over the phone.
Rick McCharles said on Tuesday, 27 November 2007
"All that the criminal would need would be to infect a single PC"...REALLY?
How about a little perspective? Can the single PC record all calls in a switched network environment, when voice and data traffic is segmented, when it's encrypted, when all of the other well know security best practices are employed?
Enough with the silly hype already!
SmartHide.com said on Wednesday, 28 November 2007
SIP over SSL and don't problem!
Dr. John said on Thursday, 29 November 2007
For those of you who think switch traffic cannot be sniffed, think again. Keep in mind that switches are just computers. See www.cisco.com/warp/public/cc/so/cuso/epso/sqfr/sfblu_wp.pdf.
Encryption is the answer right now providing you have sufficient bandwidth and own the whole network. Encryption requires decryption, doesn't it? How are you going to do that with a non-VOIP instrument at the other end?
David Ellis, COMPUTERLINKS Director of e-Security, said on Monday, 03 December 2007
Hackers may utilise VoIP security holes to hijack calls or gain access deeper into your network. Each VoIP element on the network is vulnerable, including PBXs, gateways and IP phones. An IP handset is vulnerable to the same threat from worms and Trojans. Attacks of such nature could bring the entire business to a stand still if they are not protected against.
A resilient security offering must support the benefits that VoIP brings. IP telephony vendors such as Swyx and security vendors are already facing this challenge and providing specific support for VoIP. For example, security vendor Check Point already provides support for VoIP protocols where the Swyx solution sits behind the router and the firewall on a separate server.
Skills in data, security and voice will be required to deliver a truly secure VoIP solution. Whether that is voice resellers improving skills from a security and data perspective; data resellers training up from a voice perspective, is still to be seen.
James said on Thursday, 06 December 2007
I assume SIPtap only work on SIP? So H.323 or IAX would not be affected. If you only have Cisco gateways talking to each other, how would a computer on the network infect a gateway? Also on a closed network this would not be a security issue. The encription Cisco has called TLS would 100% eliminate this security issue.