[Dshield] Internet phones a hacking risk?

Johannes B. Ullrich jullrich at sans.org
Tue Mar 22 17:26:14 GMT 2005

> WASHINGTON (Reuters) - Internet phone services have drawn
> millions of users looking for rock-bottom rates. Now they're
> also attracting identity thieves looking to turn stolen
> credit cards into cash.

There are a couple issues here:

First of all, the article referenced above is mainly concerned about
caller ID spoofing. Caller ID is not reliable. Even using non-VoIP
equipment (e.g. in some cases if you have ISDN, or use a T1 trunk for
voice), you can fake caller ID. There are also a few 'dial around'
methods to spoof caller ID. The only safe way to verify the phone number
someone calls from is to call the number back.

On the other hand, there are a number of risks in VoIP:
- Reliability is worse than a 'hard line'. It can't be more reliable
than your Internet connection, which for residential users is usually
provided on a 'best effort' basis.
- It's quite easy to DoS a VoIP device. Only takes a fairly small amount
of traffic. You can typically generate that with a dialup connection.
- None of the commercial VoIP providers encrypts the voice traffic. Your
chance of eavesdropping may be a bit smaller if you use a service
offered by your ISP, and if they implement something like MPLS or so to
keep the VoIP traffic separate. However, the main risk is that a PC on
your LAN is used to eavesdrop (typically easier to get into that than
your ISP's routers... but YMMV depending on your ISP ;-).

From my testing, US VoIP providers (Broadvox, Broadvoice, Vonage,
Voicepulse..) use Level 3 for their backbone. The call is routed from
your network to the closest Level 3 gateway, and from there it is routed
within Level 3's backbone to the VoIP carrier's location. So if Level 3
has issues, most VoIP carriers feel the pain.

FreeWorldDialup is a bit different in the sense that they do not use a 
"controlled" backbone.

A totally different beast is Skype. Skype uses its own proprietary
protocol, which is typically described as a "p2p" protocol. Random other
Skype users may be used to route your call. However, Skype calls are
encrypted. But given that Skype is proprietary, it is kind of hard to
tell how good this encryption is. They do use AES if I remember right,
which is a solid algorithm. But it wouldn't be the first time that a
specific implementation messes things up. For example, I am not sure how
keys are generated and exchanged.

Johannes Ullrich                        jullrich at sans.org
SANS Internet Storm Center                 (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS