RE: VoIP security

["Joshua Berry" <jberry () PENSON COM>]

There are programs out there capable of replaying VoIP sessions:

Vomit:
http://vomit.xtdnet.nl/
The vomit utility converts a Cisco IP phone conversation into a wave
file that can be played with ordinary sound players. Vomit requires a
tcpdump output file. Vomit is not a VoIP sniffer also it could be but
the naming is probably related to H.323.

I haven't found any others but it is definitely possible.  VoIP travels
over IP and therefore can be encrypted through IPSec tunnels or other
means but I doubt most ISP's are doing that right now.

-----Original Message-----
From: Seth Art [mailto:sethart () gmail com] 
Sent: Wednesday, April 20, 2005 8:52 AM
To: security-basics () securityfocus com
Subject: VoIP security

My coworker had an interesting question.  She had to validate her
credit card number over the phone using her social and other sensitive
information.  She has a VoIP router from her ISP.  The question: Are
the VoIP packets encrypted as they go across the wire?   Or can
someone sniffing in the right place capture all of that sensitive VoIP
traffic and reassemble her CC# and SS# from the tones? Is this
somethign that might be an issue in the future or is there already an
answer out there?

-Seth