Vulnerability Development mailing list archives
Voice over IP security - anyone?
From: John Bumgarner <JBumgarner () MATRIXNETWORKING NET>
Date: Thu, 5 Oct 2000 16:05:52 -0400
Craig,

I do not know the shortcomings of the encryption standards for VoIP, but I have been able to use a sniffer to capture the following (internal testing only) information:

1) Name of person making the call
2) Phone number called
3) Any keypad entries (i.e. credit card numbers)

I have not been able to reconstruct the voice packets, but they all have common bits.

Securityfocus reported that "General Dynamics unveiled a "Social Network Analysis" toolkit capable of analyzing several forms of information to include computer and telephone records. This information can then be correlated to show individual relations and information flow." I am sure that more applications will be available in the future to capture and unencrypt the VoIP packets.

Concerning encryption: The United States Navy Base in Pearl Harbor is deploying a large number of Cisco VoIP phones over the next two years (source FCW). I'm sure the encryption on those will be increased by the National Security Agency, since the base houses the Fleet Intelligence Command.

I guess the answer to your question is really "Can you trust the person who has the encryption key?"

Please respond to me with any questions or comments.

Sincerely,
John Bumgarner, CISSP
Security Practice Director
Matrix Networking Group, LLC
6425 Bannington Drive Suite A
Charlotte, NC 28226
Voice (704) 907-0462
Fax (704) 341-4131
<mailto:jbumgarner () matrixnetworking net>
<http://www.matrixnetworking.net/>

Craig wrote:

-----Original Message-----
From: Craig, Scott [mailto:SCraig () KMART COM]
Sent: Wednesday, October 04, 2000 2:42 PM
To: VULN-DEV () SECURITYFOCUS COM
Subject: Q: Voice over IP security - anyone?

Does anyone know of any shortcomings of any commercial voice over IP product? I'd like to know if encryption is standard across all vendor products (same implementation or a requirement that it exists in any form) and what the details are.

I'd also like to know of any vulnerabilities that may have been exploited already. I'd like to know if any product on the market can actually have its data traffic recorded and played back. There's mention of encryption but I don't have the details. In the past companies have spun stuff off as secure and encrypted, yet it's only a bit operation, compression, or whatever. Can't freely download the standard... so it's hard to see what standards are there for encryption or not being able to reassemble intelligible speech after capturing packets.

Here's some info I've found relating to voice over IP standards (H.323). I've only skimmed the info, but from what I saw I need more.

H.323 Standards
http://www.openh323.org/standards.html

Voice over IP background:
http://www.symbol.com/products/whitepapers/whitepapers_converging_tech.html

Primer on H.323 standard:
http://www.databeam.com/h323/h323primer.html

Security
In development for months, the H.235 standard addresses four general issues when dealing with security: Authentication, Integrity, Privacy, and Non-Repudiation. Authentication is a mechanism to make sure that the endpoints participating in the conference are really who they say they are. Integrity provides a means to validate that the data within a packet is indeed an unchanged representation of the data. Privacy/Confidentiality is provided by encryption and decryption mechanisms that hide the data from eavesdroppers so that if it is intercepted, it cannot be viewed. Non-Repudiation is a means of protection against someone denying that they participated in a conference when you know they were there.

http://www.itu.int/osg/sec/spu/ni/iptel/index.html
Many countries ban IP telephony completely, yet IP calls can be made to almost any telephone in the world.

Some voice over IP links:
http://www.packetizer.com/people/paulej/

Table of Contents on H.323
http://www.itu.int/itudoc/itu-t/rec/h/s_h323.htm

H323 Annexes
* Annex D - Real Time fax over H.323
* Annex E - Multiplexed call signalling
* Annex F - Simple Endpoint Terminal (SET)
* Annex G - Text SET
* Annex H - Mobility
* Annex I - Operation over low QoS Networks
* Annex J - Secure SET
* Annex K - HTTP Service Control Transport
* Annex L - Stimulus Signalling
* Annex M - QSig Tunneling
* Annex N - QoS

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Scott Craig
Technical Specialist - Information Security
Kmart Corporation
MS: E2 ; 3100 West Big Beaver Rd; Troy, MI 48084
Phone: (248) 643-1346
Fax : (248) 614-2963
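As an added illustration of the exposure John describes (keypad entries readable from a sniffer capture) and of the Privacy service H.235 is meant to supply, not part of the original thread: this Python audit parses RTP packets for RFC 2833 telephone-event payloads and returns any DTMF digits that travel in the clear, so a non-empty result is the defender's signal that the media stream is not protected by SRTP or H.235 privacy. The packet bytes, SSRC 0x1234ABCD and payload type 101 are constructed sample values, not taken from any real capture.

```python
import struct

# RFC 2833 telephone-event codes 0-15 map to these keypad symbols
DTMF_EVENTS = "0123456789*#ABCD"

def parse_rtp(packet: bytes) -> dict:
    """Parse the fixed 12-byte RTP header (RFC 1889) and skip any CSRC list."""
    if len(packet) < 12:
        raise ValueError("truncated RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    hdr_len = 12 + 4 * (b0 & 0x0F)          # CC field counts 32-bit CSRC words
    return {"marker": bool(b1 & 0x80), "pt": b1 & 0x7F, "seq": seq,
            "ts": ts, "ssrc": ssrc, "payload": packet[hdr_len:]}

def cleartext_dtmf(packets, event_pt: int = 101) -> str:
    """Keypad digits readable from unencrypted telephone-event packets.
    Non-empty output means DTMF travels in the clear (no SRTP / H.235 privacy).
    End packets are normally repeated three times, so each event counts once."""
    digits, ended = [], set()
    for pkt in packets:
        rtp = parse_rtp(pkt)
        if rtp["pt"] != event_pt or len(rtp["payload"]) < 4:
            continue                         # audio or unrelated payload type
        event, flags, _duration = struct.unpack("!BBH", rtp["payload"][:4])
        end_bit = bool(flags & 0x80)         # E bit: last packet of the event
        key = (rtp["ssrc"], rtp["ts"])       # one event == one RTP timestamp
        if end_bit and key not in ended and event < len(DTMF_EVENTS):
            ended.add(key)
            digits.append(DTMF_EVENTS[event])
    return "".join(digits)

def build_event_packet(seq: int, ts: int, event: int, end: bool,
                       ssrc: int = 0x1234ABCD) -> bytes:
    """Constructed sample packet (not a real capture): RTP v2, PT 101, one event."""
    header = struct.pack("!BBHII", 0x80, 101, seq, ts, ssrc)
    flags = (0x80 if end else 0) | 10        # E bit plus volume field (-10 dBm0)
    return header + struct.pack("!BBH", event, flags, 800)

def sample_capture() -> list:
    """Constructed stream for keys 1, 2, #: a start packet, then three end packets each."""
    pkts, seq = [], 0
    for i, ev in enumerate((1, 2, 11)):
        ts = 1000 + i * 1600
        pkts.append(build_event_packet(seq, ts, ev, end=False)); seq += 1
        for _ in range(3):                   # RFC 2833 end-packet retransmissions
            pkts.append(build_event_packet(seq, ts, ev, end=True)); seq += 1
    return pkts
```

Run against a real capture, feed cleartext_dtmf() the UDP payloads of one RTP stream; if the phones negotiate a different telephone-event payload type, pass it as event_pt.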