Security Basics mailing list archives
Re: VoIP security
From: Mihai Amarandei <mihaixmco1 () yahoo fr>
Date: Fri, 22 Apr 2005 16:29:26 +0200
I've been doing some research on VoIP Security. The encryption is optional in VoIP, so your ISP should be able to tell you if they encrypt VoIP conversations, and especially where. Tipically I think the encryption is at the router level (so not directly in the telephone), but it might be that your ISP is encrypting directly at their servers. The IPSec(VPN) solution is not very used in my knowledge because it adds much overhead to this time critical service. The protocols specific to VoIP define several ways of encrypting information and preserving confidentiality so technically your friend might be safe. You shoud however ask your ISP about their encryption (I'm quite interested myslef in the policiy of ISPs regarding VoIP).
And btw, please excusee my poor english Mihai Joshua Berry wrote:
There are programs out there capable of replaying VoIP sessions: Vomit: http://vomit.xtdnet.nl/ The vomit utility converts a Cisco IP phone conversation into a wave file that can be played with ordinary sound players. Vomit requires a tcpdump output file. Vomit is not a VoIP sniffer also it could be but the naming is probably related to H.323. I haven't found any others but it is definitely possible. VoIP travels over IP and therefore can be encrypted through IPSec tunnels or other means but I doubt most ISP's are doing that right now. -----Original Message-----From: Seth Art [mailto:sethart () gmail com] Sent: Wednesday, April 20, 2005 8:52 AMTo: security-basics () securityfocus com Subject: VoIP security My coworker had an interesting question. She had to validate her credit card number over the phone using her social and other sensitive information. She has a VoIP router from her ISP. The question: Are the VoIP packets encrypted as they go across the wire? Or can someone sniffing in the right place capture all of that sensitive VoIP traffic and reassemble her CC# and SS# from the tones? Is this somethign that might be an issue in the future or is there already an answer out there? -Seth
Current thread:
- VoIP security Seth Art (Apr 20)
- Re: VoIP security Champ Clark [Vistech] (Apr 21)
- RE: VoIP security David (Apr 21)
- Re: VoIP security Pbt (Apr 21)
- <Possible follow-ups>
- RE: VoIP security Joshua Berry (Apr 21)
- Re: VoIP security Mihai Amarandei (Apr 22)
- RE: VoIP security Drumm, Daniel (Apr 22)
- RE: VoIP security Anil Saini (Apr 25)
- Re: VoIP security Champ Clark [Vistech] (Apr 25)