[Dshield] Internet phones a hacking risk?
Johannes B. Ullrich
jullrich at sans.org
Tue Mar 22 17:26:14 GMT 2005
> WASHINGTON (Reuters) - Internet phone services have drawn
> millions of users looking for rock-bottom rates. Now they're
> also attracting identity thieves looking to turn stolen
> credit cards into cash.
There are a couple issues here:
First of all, the article referenced above is mainly concerned about
caller ID spoofing. Caller ID is not reliable. Even using non VoIP
equipment (e.g. in some cases if you have ISDN, or us a T1 trunk for
voice), you can fake caller ID. There are also a few 'dial around'
methods to spoof caller ID. The only safe way to verify the phone number
someone calls from is to call the number back.
On the other way, there are a number of risks in VoIP:
- reliability is worse then a 'hard line'. It can't be more reliable
then your Internet connection, which for residential users is usually
provided on a 'best effort' basis.
- its quite easy to DOS a voip device. Only takes a fairly small amount
of traffic. you can typically generate that with a dialup connection.
- None of the commercial VoIP providers encrypts the voice traffic. Your
chance of eavesdropping may be a bit smaller if you use a service
offered by your ISP, and if they implement something like MLPS or so to
keep the VoIP traffic separate. However, the main risk is that a PC on
your LAN is used to eavesdrop (typically easier to get into that then
your ISPs routers... but YMMV depending on your ISP ;-).
From my testing, US VoIP providers (Broadvox, Broadvoice, Vonage,
Voicepulse..) use Level 3 for their backbone. The call is routed from
your network to the closest Level 3 gateway, and from their it is routed
within Level 3's backbone to the VoIP carriers location. So if Level 3
has issues, most VoIP carriers feel the pain.
FreeWorldDialup is a bit different in the sense that they do not use a
A totally different beast is Skype. Skype uses its own proprietary
protocol, which is typically descried as a "p2p" protocol. Random other
skype users may be used to route your call. However, Skype calls are
encrypted. But given that Skype is proprietary, it is kind of hard to
tell how good this encryption is. They do use AES if I remember right,
which is a solid algorithm. But it wouldn't be the first time that a
specific implementation messes things up. For example, I am not sure how
keys are generated and exchanged.
Johannes Ullrich jullrich at sans.org
SANS Internet Storm Center (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 256 bytes
Desc: OpenPGP digital signature
Url : http://www.dshield.org/pipermail/list/attachments/20050322/27376d41/signature.bin
More information about the list