Security Basics mailing list archives

Re: VoIP security

From: Mihai Amarandei <mihaixmco1 () yahoo fr>
Date: Fri, 22 Apr 2005 16:29:26 +0200

I've been doing some research on VoIP Security. The encryption isoptional in VoIP, so your ISP should be able to tell you if they encryptVoIP conversations, and especially where. Tipically I think theencryption is at the router level (so not directly in the telephone),but it might be that your ISP is encrypting directly at their servers.The IPSec(VPN) solution is not very used in my knowledge because it addsmuch overhead to this time critical service.The protocols specific to VoIP define several ways of encryptinginformation and preserving confidentiality so technically your friendmight be safe. You shoud however ask your ISP about their encryption(I'm quite interested myslef in the policiy of ISPs regarding VoIP).

And btw, please excusee my poor english
Mihai

Joshua Berry wrote:

There are programs out there capable of replaying VoIP sessions:

Vomit:
http://vomit.xtdnet.nl/
The vomit utility converts a Cisco IP phone conversation into a wave
file that can be played with ordinary sound players. Vomit requires a
tcpdump output file. Vomit is not a VoIP sniffer also it could be but
the naming is probably related to H.323.

I haven't found any others but it is definitely possible.  VoIP travels
over IP and therefore can be encrypted through IPSec tunnels or other
means but I doubt most ISP's are doing that right now.

-----Original Message-----

From: Seth Art [mailto:sethart () gmail com]Sent: Wednesday, April 20, 2005 8:52 AM

To: security-basics () securityfocus com
Subject: VoIP security

My coworker had an interesting question.  She had to validate her
credit card number over the phone using her social and other sensitive
information.  She has a VoIP router from her ISP.  The question: Are
the VoIP packets encrypted as they go across the wire?   Or can
someone sniffing in the right place capture all of that sensitive VoIP
traffic and reassemble her CC# and SS# from the tones? Is this
somethign that might be an issue in the future or is there already an
answer out there?

-Seth

Current thread:

VoIP security Seth Art (Apr 20)
- Re: VoIP security Champ Clark [Vistech] (Apr 21)
- RE: VoIP security David (Apr 21)
- Re: VoIP security Pbt (Apr 21)
- <Possible follow-ups>
- RE: VoIP security Joshua Berry (Apr 21)
  - Re: VoIP security Mihai Amarandei (Apr 22)
- RE: VoIP security Drumm, Daniel (Apr 22)
  - RE: VoIP security Anil Saini (Apr 25)
  - Re: VoIP security Champ Clark [Vistech] (Apr 25)