Expert scares world with VoIP hacking proof
An expert has released a proof-of-concept program to show how easy it would be for criminals to eavesdrop on the VoIP-based phone calls of any company using the technology.
John Dunn | Friday, November 23 2007An expert has released a proof-of-concept program to show how easy it would be for criminals to eavesdrop on the VoIP-based phone calls of any company using the technology.
Called SIPtap, the software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well.
The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date. Running from August this year until the most recent tap on November 21st, SIPtap had no problems in extracting enough information on the test network to prove that call recording of any and every VoIP call at a hypothetical company was now a trivial exercise.
SIPtap demonstrates that the worst-case nightmares of VoIP vulnerability are now well within the capabilities of organised crime, which could use such a program to steal confidential data from companies, governments and even the police.
The demonstrator is the work of UK-based VoIP expert, Peter Cox, who co-founded and was CTO of firewall vendor BorderWare, before leaving the company last summer to start his own VoIP consultancy, due to be up and running by Spring 2008. He was inspired to write the software after conversations with encryption guru Phil Zimmermann, creator of Zfone, the latter designed to protect against SIPtap-like hacking by using VoIP call encryption.
"We are in the early days of VoIP, but there is a knowledge gap," said Cox, lamenting the naivety about VoIP's inherent security weaknesses among the mostly telecoms-oriented engineers building such systems. "Companies using VoIP internally think they are protected."
"The threat is that an attacker engineers a Trojan and has it sit there passively [on a network], recording calls from anywhere on the internet," says Cox.
His advice was simple. "Apply the same vigour when building a VoIP network you would when building a website."
Cox is currently running a series of workshops on VoIP threats in conjunction with SIP Services Europe, and has published his own video podcast on the topic.
31 Smartphones tested:Looking to buy from any of the NZ telcos? Look no further!
Family games consoles:
We've got all-ages games for every major console.
Inside the smart lounge:
What you need for a smart TV setup, and how to get it.
Hot Products || PC World editors iPhone 4S launch pics and unboxing
The iPhone 4S launched at midnight through both Vodafone and Telecom. ... READ MORE
Tux Love || Geoff Palmer Beginning Linux : Part 4 - Exploring the Unity interface
Ubuntu's Unity interface is a step away from traditional graphical user ... READ MORE
Tech Guy || Juha Saarinen The mixed legacy of Steve Jobs
Over the years, it’s been fascinating to watch Apple mainly due to ... READ MORE
In a Nutshell || Zara Baxter What's in a CPU name?
If you're looking for a prebuilt desktop system, most ads and stores will ... READ MORE
Harley O'Gyver || Harley Ogier Braver than a barrel of codemonkeys
If you've ever wondered, "can a grown man really do that?", Harley O'Gyver ... READ MORE
The Arcade || PC World editors Shut up and take my money: Uncharted developers debut awesome-looking new IP
Sony-owned game developer Naughty Dog - the guys behind Crash Bandicoot, ... READ MORE
Dumb Terminal Live! || PC World editors New Zealand memes: We think we're real funny
We New Zealanders love the internet, and we have a pretty good sense of ... READ MORE
