Tuesday, June 21, 2005

VoIP security

What the heck is wrong with some people?

Ted Wallingford

In a recent VoIP article linked from Google News, a writer named Dee Scrip is (dramatically and inaccurately) calling for VoIP adopters to proceed with caution, claiming VoIP telephony is a security nightmare waiting to happen. Just look at how he begins his article:
Warning! Warning! Warning!
Beware of VoIP internet service providers that operate on industry standard codec and industry standard protocols because they are PUBLICLY OPEN and INTERPRETABLE! This also includes, but is not limited to, peer-to-peer (P2P) networks.
In plain terms, this means, if you subscribe to, or considering subscribing to a VoIP internet solution provider who operates on these industry standards – and over 90% do — you have inadvertently made yourself vulnerable to the criminal activities of hackers.
This is the kind of unbalanced sensational stuff that well-intentioned noobs all over the world are abused by constantly. But who ever heard of bashing industry standards? You can file it right alongside “There’s no software available for Macs” and “It’s not safe to use a credit card on the web”. The guy who wrote this is attempting a good old-fashioned SEO hack by loading a web page up with keywords and then providing disturbingly bad advice to his readers:

1. Find a VoIP internet solution provider that has their own proprietary high end encryption codec

( so you are relatively sure, since you WON'T be able to call IP to IP that much.)

2. Find a VoIP internet solution provider that has their own proprietary patented technology

(see above)

It is through better collective understanding of standards that security problems are averted, not through ignorance of them. Mr. Scrip is clearly just posting drivel in order to drive search engine traffic, and that’ s a shame. Somebody is going to read this stuff and misunderstand the legitimate concerns of VoIP security. What’s worse, I found out about this silly article through Google news.
The point being, while the article points out, in vague terms, how hackers can observe VoIP traffic, it misses a few key points:

• Old school telephony is even easier to listen in on, because it doesn’t have encrypted media streams.

The problem is not that somebody can listen to my telephone calls, at least to MOST of MY telephone calls.
The problem is that my softphone or my IP phone are connected to the NET and are on a Network with my computers.
If Voice packets easily "pass through any firewalls" like Skype's, then my firewall gets useless and there is nothing more dangerous than a useless firewall...

• Standards-based protocols for VoIP DO in fact prescribe a solution for encrypting VoIP media—namely Secure RTP (SRTP).
• It’s quite possible, and very easy, to record somebody’s traditional telephone conversations without their knowledge. All it takes is a little wiring. You tell me what’s harder, sniffing VoIP packets on the Internet, or touching a pair of wires with a pair of probes connected to a recording device?
I’m not going to do this guy the favor of providing a link to his garbage. If you really want to find the page it’s on, just google his name.
Post a Comment