Expert Demonstrates Ease of Tapping VoIP Calls

Written by dean on Nov 23, 2007 - 12:42 PM

Peter Cox, former CTO of BorderWare, whom a few VoIP User admins met up with at VoN Stockholm, has demonstrated a piece of software called SIPtap.

Quote:
...the software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well.

The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date. Running from August this year until the most recent tap on November 21st, SIPtap had no problems in extracting enough information on the test network to prove that call recording of any and every VoIP call at a hypothetical company was now a trivial exercise.

SIPtap demonstrates that the worst-case nightmares of VoIP vulnerability are now well within the capabilities of organised crime, which could use such a program to steal confidential data from companies, governments and even the police.


http://www.techworld.com/security/news/ ... agtype=all

This isn't just a nightmare of course, it's actually quite a useful product in the right hands and could even be used to enable ISPs to comply with lawful access regulations.
Reply from tjardick on Nov 23, 2007 - 02:35 PM
Some useful things to notice but also a lot of scare making from either a non-VoIP equipment builder or maybe even Peter himself as he seems to be selling workshops now :)

I think considering the fact that your normal telco guy can open the local box in my neighborhood and hook 2 wires to my phone-line to test if the line is working and that anyone with a bit of brute force could do the same thing but just plug in to monitor instead of testing the line, the risk of wiretapping might at least be considered as something that needs more effort than the situation above..

2nd on the wiretapping is the fact that network traffic only travels where it needs to go within your company. Unless you are still using old HUBs (are they still being made?), cheap and normal network switches will not repeat every network packet on every port so even my colleague at the desk next to me will not be able to tap into my voice traffic, unless he's been in the server room stacking HUBs on all the lines. So I wonder how a malware application on my PC would be able to monitor my IP phone traffic even through its built-in SWITCH...
(an example from Peter's video on YouTube).

So I guess we're still back to the good old days where they had to put wirebugs into the handset to be able to listen in...

Looking forward to any reactions on this...

Tj
Reply from dean on Nov 24, 2007 - 09:50 AM
Interesting points TJ.

In terms of a trojan, if you can get into the right point of the networking stack you could do the packet duplication at that point.

That does however mean that you'd need to get that Trojan onto every PC on the network in order to be able to tap all calls.

So Peter's claim that...

Quote:
all that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions.


...I suspect is on the assumption that the Trojan could work its way into the network stack on a PC, and duplicate itself on PCs throughout the network.

In which case, as you say, the old 2 crocodile clips and a ladder method probably makes the PSTN a lot easier to tap.
Reply from tjardick on Nov 27, 2007 - 09:25 AM
Quote:
In terms of a trojan, if you can get into the right point of the networking stack you could do the packet duplication at that point.


Yes, but that would mean at the main router or main switch if you can get a trunk port where all traffic passes by.


Quote:
That does however mean that you'd need to get that Trojan onto every PC on the network in order to be able to tap all calls.


In case of softphones, yes; in case of hardphones, again you'll need to tap at the main entrance/switch with all the complications that come with being able to do that.

So as long as you use hard phones, things become more complicated at least.

Now there is of course the wifi phone over an unencrypted network, or the fring/gizmo etc. on your mobile phone on a public hotspot. Make sure that when you make calls like that, you consider that the guy in the corner with his laptop might be able to listen along while he sips on his coffee....

Tj
Reply from Martiniano on Nov 28, 2007 - 05:33 PM
Hi there,

I'm new around, but have been reading some stuff about this guy around, and have to say, we got over this with e-commerce some time ago... and with hardphones even earlier...

Unless you have a well encrypted method for transmitting and receiving information, there's always a chance for someone to duplicate your transmissions, being those sound, letters, pics, video...

We should NOT use VoIP for transmitting sensitive information, as we should NOT use hardphones for that either, nor email or unencrypted browsing.

There's a point where making everyone panic on a security issue is beneficial for some people, of course, as usual. Just get the facts, and use well encrypted channels for your sensitive info.

Best!
Matute
Reply from martyndavies on Nov 28, 2007 - 09:53 PM
TJ, you're right, the guy sharing your WiFi in a coffee shop is a much more realistic threat. Even if you infected a machine in the network core, there is of course the possibility that the SIP and the RTP take different routes, whereupon it becomes quite hard to find the RTP stream you're interested in...
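
The points raised in the thread about encrypted channels and about SIP signalling travelling separately from the RTP media can be checked on your own traffic. The following is an added example, not part of any post above: it reads the SDP body of a SIP INVITE and reports, per media stream, where the RTP is addressed and whether the offered profile is SRTP. The INVITE messages are constructed, and `audit_invite` is a hypothetical helper name.

```python
import re

# SDP transport profiles that mean the media is SRTP-protected.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed SIP INVITE (not captured traffic); names and addresses are placeholders.
PLAIN_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
# Same call offered with the SRTP profile instead of plain RTP.
SRTP_INVITE = PLAIN_INVITE.replace("RTP/AVP", "RTP/SAVP")

def _uri(value):
    """Return the URI from a From/To header value, without tags."""
    m = re.search(r"<([^>]+)>", value)
    return m.group(1) if m else value.split(";")[0].strip()

def audit_invite(msg):
    """Hypothetical helper: one finding per media stream offered in the SDP body."""
    head, _, body = msg.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    findings, session_addr = [], None
    for line in body.splitlines():
        if line.startswith("c="):
            addr = line.split()[-1]
            if findings:                          # media-level c= overrides session-level
                findings[-1]["rtp_addr"] = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            findings.append({"caller": _uri(headers.get("from", "")),
                             "callee": _uri(headers.get("to", "")),
                             "media": media, "rtp_addr": session_addr,
                             "rtp_port": int(port.split("/")[0]),
                             "encrypted": proto in SECURE_PROFILES})
    return findings
```

A finding with `encrypted` set to `False` means the audio for that call is negotiated as plain RTP, so anyone on the media path can record it; the signalling and the media address need not share a route.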