SIPtap Hysteria

November 23, 2007

There is a lot of buzz about a new tool called SIPtap that supposedly shows us how vulnerable VoIP calls are to eavesdropping. It looks to me like it’s more about promoting the author’s consulting services. The site, siptap.voipcode.org, says:

VoIPcode.org wants to raise public awareness of how dangerously vulnerable VoIP phone calls are to unauthorised wiretapping.

They support this conclusion on the basis that “IP networks are much more open than the PSTN, this means that VoIP calls can be intercepted and monitored much more easily than PSTN calls.” After all, says the site:

All they have to do is to monitor the IP network at some point between the caller and call recipient.

And that supposedly means that calls can be intercepted by “organised crime, hackers, and anyone else who wants to listen to your VoIP phone calls.” (emphasis added).

This is a fundamental myth about both the PSTN and the Internet. I will grant you that IP networks are less regulated and that it may be easier to compromise a mid-point in the network, but it is far from “easy”, as the VoIPcode.org site and many of the stories reporting about SIPtap suggest. It is certainly not so easy that “anyone else” can do it. The other half of this myth is the assumption that the PSTN infrastructure is so terrifically managed and secure. Anyone inside that system knows that’s a joke too. But forgetting that for a moment, consider this notion of “monitoring the IP network at some point between the caller and call recipient.” So dear reader, how is “anyone” going to do that exactly? How would you do it? I’ll be getting on a VoIP call tonight at 11pm Pacific. If you record it, feel free to post the link to the audio file here.

VoIPcode.org tells us “The monitoring point can be the corporate network, an unscrupulous ISP or a local PC infected with spyware.” Let’s take these one at a time.

  1. corporate network
    If you can tap the IP network at a crucial point in your corporate network, without authorization, you have a pretty broken IT department and corporate security – but you’d still be risking your job to tap phone calls. If you are authorized to tap the IP network and IP calls, then you are most likely also authorized to tap PBX/PSTN calls of your staff. Every corporate PBX already has the ability to tap any call they want.
  2. unscrupulous ISP
    This is certainly technically possible. Believe me, PSTN workers could also quite easily tap PSTN calls (and I’m sure it happens). The closer to the center of the network (or key exchange points, iow) the less likely this is going to happen. The big ISPs are not going to permit this any more than a telephone company is going to support tapping of PSTN calls. A small ISP is a risk, in theory, but it rings of paranoia here.
  3. a local PC infected with spyware
    A single PC is not going to be exposed to the IP traffic of other nodes, generally. They could tap the calls made on that PC, by that user, but an infected PC of a suburban housewife in Peoria is not going to be tapping anybody else’s calls.

Everyone knows any VoIP call using unencrypted codecs can be intercepted by a node on the mid-point. SIPtap is nothing new – we’ve had Cain and Abel and VoIPong, among others, for years. The myth is that it is somehow trivial to compromise the IP network at the critical point where one can capture the VoIP traffic. I’m not saying it’s not something to think about, but it’s a lot harder than most people think, and a lot harder than it is being portrayed at VoIPcode.org and in the news media.
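A defender's check for the point above, as an added example that is not part of the original post: it reads a SIP message and reports whether the signaling and each media stream are protected. It relies on the standard SDP profile names (RTP/AVP for plain RTP, RTP/SAVP for SRTP), which the post itself does not mention; the INVITE, addresses and key placeholder are constructed.

```python
# Added example: audit a SIP message for unprotected signaling and media.
# SAMPLE_INVITE is constructed sample data (documentation addresses, fake key).
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bKconstructed",
    "Call-ID: constructed-call-1@192.0.2.10",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "m=audio 49172 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_KEY_PLACEHOLDER",
]) + "\r\n"

def audit_sip_message(raw):
    """Return signaling transport and a verdict for each SDP media stream."""
    head, _, body = raw.partition("\r\n\r\n")
    transport = None
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v"):  # topmost Via = first hop
            transport = value.split()[0].split("/")[-1].upper()
            break
    sig_encrypted = transport in ("TLS", "WSS")
    streams = []
    for line in body.splitlines():
        if line.startswith("m="):
            media, port, proto = line[2:].split()[:3]
            streams.append({"media": media, "port": int(port), "proto": proto,
                            "srtp": "SAVP" in proto.upper(), "keying": None})
        elif streams and line.startswith("a=crypto:"):
            streams[-1]["keying"] = "sdes"        # key carried inside the SDP
        elif streams and line.startswith("a=fingerprint:"):
            streams[-1]["keying"] = "dtls"        # key negotiated in the media path
    for s in streams:
        if not s["srtp"]:
            s["verdict"] = "plaintext RTP: audio readable by any on-path node"
        elif s["keying"] == "sdes" and not sig_encrypted:
            s["verdict"] = "SRTP, but key exposed in cleartext signaling"
        else:
            s["verdict"] = "SRTP"
    return {"signaling": transport, "signaling_encrypted": sig_encrypted,
            "media": streams}
```

Only the first hop's transport is visible in the Via header, so a TLS result here says nothing about later hops.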

5 Responses to SIPtap Hysteria

  1. November 24, 2007 at 10:32 am

    Interesting article.
    How about joining us on the VOIP Users Conference some Friday? We’d love to hear more about PhoneGnome. We’re asterisk/voip geeks located all over the world.

    http://www.VoipUsersConference.org

  2. Hannes
    November 25, 2007 at 12:52 pm

    Indeed it is silly that Peter Cox’s SIPtap program is getting press. First, it’s immediately obvious to anyone with even minimal knowledge of networking that if you have access to the packets of a VoIP flow (or for that matter any other unencrypted network flow), you can reconstruct the data.

    Also as you note, VoIPong and Vomit and Wireshark already existed, making it hard to see exactly what concept is being proved here, other than that with enough hype you can get your name in the paper.

  3. November 26, 2007 at 3:44 am

    I agree that this is old news and definitely not as easy as the author of the tool claims it to be.

    But do keep in mind technologies such as wireless and attacks such as arp spoofing and how they relate to VoIP wiretapping ;)

    I've been commenting on this on my blog http://sipvicious.org/ btw

  4. Hadriel
    November 27, 2007 at 1:06 pm

    Tell me how you doing ARP spoofing can let you wiretap my voip phone calls. Unless you’re on my local LAN, you can’t. And unless you’re in the range of my wireless LAN and I decide to leave it unencrypted, you can’t sniff my calls there either. If you’re able to get access to those, you’re probably able to get access to the POTS lines that ran from my legacy phone too, and that was tappable.

    Again, this isn’t a surprise, new, or rocket science. HTTP, POP3, SMTP, Telnet, etc. are all exposed to sniffing unless they are explicitly protected too (e.g., through SSL/TLS, SSH, etc.).

  5. sandro gauci
    November 27, 2007 at 2:35 pm

    s/arp spoofing/arp poisoning/

    re getting access to the POTS .. yeah, that's probably possible as well.. and might be easier to do than most network-based attacks if the network is configured correctly ;)
