Voip > blog
Voip Blog
People Listening In On VoIP Calls? Give Me A Break!
Friday, April 11, 2008
Every so often, I come across a panic piece by someone blogger who thinks that their VoIP calls are insecure because their traffic can be sniffed and decoded rather easily. If only people would implement encryption, they say, this problem would be resolved.
While on the face of it, I tend to agree with these people, I am going to put forth another viewpoint. One that is written across The Hitchhiker's Guide To The Galaxy in large, friendly letters: DON'T PANIC.
First, let's talk about SIP--the lingua franca of VoIP--and what information is actually sent:
- Call Information Goes In The Clear: Yes with SIP, whom you are and whom you're calling does go in the clear. Yes, you can use Transport Layer Security (TLS) to encrypt this information.
- The Voice Data Goes In The Clear: What you're saying also goes in the clear as well. This can be mitigated by using SRTP to encrypt the data portion of the call.
That's quite a lot of information. A scary amount, in fact. But let's look at your typical analog phone line. If someone were to covertly listen in on your phone line, they'd get the same information. Outbound calling would be communicated via DTMF tones. Inbound calls are communicated via a "burst" of data during the ring cycle. That plus the contents of your VoIP conversation. Yup, they pwn you.
Let's look at what it takes to actually pull off this kind of sniffing attack against a VoIP call. With a landline phone, you essentially have to have physical access to the line. Depending on the neighborhood--or the office--this could either be easy or hard. However, the demarc outside your house is always quite accessible. Office building demarcs are a little tougher to get into.
To do this same kind of attack in the VoIP world, you have to be at a location where the call is traveling through, either at the telephone service provider or the ISP. Since the path a call might take over the Internet isn't guaranteed, there are only a couple of points where it is practical to intercept a VoIP call: on the client or proxy's premises, or at the ISP used by either endpoint.
Guess what? Nothing's really all that different. Both VoIP and PSTN calls can be intercepted--at essentially the same locations, too. Why are people freaking out?
