There is a lot of buzz about a new tool called SIPtap that supposedly shows us how vulnerable VoIP calls are to eavesdropping. It looks to me like it’s more about promoting the author’s consulting services. The site, siptap.voipcode.org, says:
VoIPcode.org wants to raise public awareness of how dangerously vulnerable VoIP phone calls are to unauthorised wiretapping.
They support this conclusion on the basis that “IP networks are much more open than the PSTN, this means that VoIP calls can be intercepted and monitored much more easily than PSTN calls.” After all, says the site:
All they have to do is to monitor the IP network at some point between the caller and call recipient.
And that supposedly means that calls can be intercepted by “organised crime, hackers, and anyone else who wants to listen to your VoIP phone calls.” (emphasis added).
This is a fundamental myth about both the PSTN and the Internet. I will grant you that IP networks are less regulated and that it may be easier to compromise a mid point in the network, but it is far from “easy”, as the VoIPcode.org site, and many of the stories reporting about SIPtap, suggest. It is certainly not so easy that “anyone else” can do it. The other half of this myth is the assumption that the PSTN infrastructure is so terrifically managed and secure. Anyone inside that system knows that’s a joke too. But forgetting that for a moment, consider this notion of “monitoring the IP network at some point between the caller and call recipient.” So dear reader, how is “anyone” going to do that exactly? How would you do it? I’ll be getting on a VoIP call tonight at 11pm Pacific. If you record it, feel free to post the link to the audio file here.
VoIPcode.org tells us “The monitoring point can be the corporate network, an unscrupulous ISP or a local PC infected with spyware.” Let’s take these one at a time.
- corporate network
If you can tap the IP network at a crucial point in your corporate network, without authorization, you have a pretty broken IT department and corporate security – but you’d still be risking your job to tap phone calls. If you are authorized to tap the IP network and IP calls, then you are most likely also authorized to tap PBX/PSTN calls of your staff. Every corporate PBX already has the ability to tap any call they want.
- unscrupulous ISP
This is certainly technically possible. Believe me, PSTN workers could also quite easily tap PSTN calls (and I’m sure it happens). The closer to the center of the network (or key exchange points, in other words) the less likely this is going to happen. The big ISPs are not going to permit this any more than a telephone company is going to support tapping of PSTN calls. A small ISP is a risk, in theory, but it rings of paranoia here.
- a local PC infected with spyware
A single PC is not going to be exposed to the IP traffic of other nodes, generally. The spyware could tap the calls made on that PC, by that user, but an infected PC of a suburban housewife in Peoria is not going to be tapping anybody else’s calls.
Everyone knows any VoIP call using unencrypted codecs can be intercepted by a node on the mid-point. SIPtap is nothing new – we’ve had Cain and Abel and VoIPong, among others, for years. The myth is that it is somehow trivial to compromise the IP network at the critical point where one can capture the VoIP traffic. I’m not saying it’s not something to think about, but it’s a lot harder than most people think, and a lot harder than it is being portrayed at VoIPcode.org and in the news media.
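Whether a given call is one of those unencrypted ones is visible in the SDP body carried by the SIP INVITE and its answer. The following is an added example, not part of the original post and not code from SIPtap or VoIPcode.org: it classifies each media stream in an SDP body as cleartext RTP, SRTP keyed through SDP (`a=crypto`), or DTLS-SRTP. The function name `audit_sdp`, the status labels and the sample SDP bodies are all constructed for illustration.

```python
# Added example, not from the original post. All SDP bodies are constructed.
HEAD = "v=0\no=alice 1 1 IN IP4 192.0.2.10\ns=-\nc=IN IP4 192.0.2.10\nt=0 0\n"
SAMPLES = {
    "plain": HEAD + "m=audio 49170 RTP/AVP 0 8\na=rtpmap:0 PCMU/8000\n",
    "sdes": HEAD + "m=audio 49170 RTP/SAVP 0\n"
            "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER\n",
    "dtls": HEAD + "a=fingerprint:sha-256 CONSTRUCTED-PLACEHOLDER\n"
            "m=audio 49170 UDP/TLS/RTP/SAVP 0\n",
}

def audit_sdp(sdp):
    """Return one finding per m= line: media type, transport profile, status."""
    session_attrs, streams, current = [], [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            parts = line[2:].split()  # <media> <port> <proto> <formats...>
            # Skip malformed media lines; "49170/2" denotes a port range.
            if len(parts) < 3 or not parts[1].split("/")[0].isdigit():
                continue
            current = {"media": parts[0], "port": int(parts[1].split("/")[0]),
                       "proto": parts[2].upper(), "attrs": []}
            streams.append(current)
        elif line.startswith("a="):
            # a= lines before the first m= line apply to every stream
            (session_attrs if current is None else current["attrs"]).append(line[2:])
    findings = []
    for s in streams:
        attrs = session_attrs + s["attrs"]
        keyed_sdes = any(a.startswith("crypto:") for a in attrs)
        keyed_dtls = any(a.startswith("fingerprint:") for a in attrs)
        if s["port"] == 0:
            status = "disabled"             # stream rejected or removed
        elif "TLS" in s["proto"] and keyed_dtls:
            status = "dtls-srtp"            # keys agreed in the media path
        elif "SAVP" in s["proto"] and keyed_sdes:
            status = "sdes-srtp"            # key travels inside the SDP itself
        elif "SAVP" in s["proto"]:
            status = "srtp-without-keying"  # secure profile, no key material
        else:
            status = "cleartext"            # RTP/AVP: readable by an on-path node
        findings.append({"media": s["media"], "proto": s["proto"], "status": status})
    return findings

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, audit_sdp(body))
```

A result of `sdes-srtp` only protects the audio when the SIP signaling itself runs over TLS, because the SRTP key is written into the SDP.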