Securing VoIP Calls
I read today in PC World about a VoIP consultant who hacked through SIP conversations to prove how easy it is to access information on an unsecured VoIP network.
“An expert has released a proof-of-concept program to show how easy it would be for criminals to eavesdrop on the VoIP-based phone calls of any company using the technology.
Called SIPtap, the software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well.”
“End-users and network engineers may not consider the security ramifications of a hacker or any other user using a tool to not only capture but play back VoIP conversations. Higher-end VoIP systems may offer ways to encrypt the data, but lower-end products often do not. You’ll want to consider this before you purchase a solution. Second, VoIP traffic is usually most vulnerable on the LAN since Internet WAN traffic is typically routed through VPNs.”
Although there might be a lot of excitement around SIPtap and the ability to hack VoIP conversations, the problem of unsecured VoIP networks is something our engineers have been addressing with clients for several years. I’m not sure what it is about new technologies, but it seems like people get so pumped up on the benefits that they forget about the security implications (think back to wireless).
So it’s not the SIPtap threat itself that is the worry; what matters is being certain that your networks are adequately secured and that conversations are encrypted as they leave the network. In good fashion, I have assembled a list of resources for you. Also, if you are really interested in VoIP, Network Performance Daily is running a soup-to-nuts series on the subject.
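One way to check whether calls are actually being offered with encryption is to audit the SDP body of SIP INVITEs seen on the network. The sketch below is an added example, not code from the post or from SIPtap; it goes beyond the post by naming the standard SRTP media profiles, and the function names, verdict labels and sample messages are constructed for illustration.

```python
import re

# Constructed sample INVITEs (not captured traffic); key is a placeholder.
CLEAR = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc1.example.com;branch=z9hG4bK1\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nm=audio 49170 RTP/AVP 0\r\na=rtpmap:0 PCMU/8000\r\n"
)
SDES_OVER_UDP = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP pc1.example.com;branch=z9hG4bK2\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\nm=audio 49172 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_NOT_A_REAL_KEY\r\n"
)
SDES_OVER_TLS = SDES_OVER_UDP.replace("SIP/2.0/UDP", "SIP/2.0/TLS")

def _verdict(proto, has_key, signalling):
    if proto.startswith("UDP/TLS/RTP/SAVP"):
        return "dtls-srtp"            # keys negotiated in the media path
    if proto in ("RTP/SAVP", "RTP/SAVPF"):
        if not has_key:
            return "srtp-no-key"      # SRTP profile offered without a=crypto
        # SDES carries the master key in the SDP body itself, so it is only
        # as private as the signalling hop that carried this message.
        return "srtp-sdes" if signalling in ("TLS", "WSS") else "srtp-key-exposed"
    if proto in ("RTP/AVP", "RTP/AVPF"):
        return "cleartext-rtp"        # audio readable by anyone on the path
    return "unknown"

def audit_invite(msg):
    """Return [(audio_port, verdict)] for each audio stream in a SIP message."""
    head, _, sdp = msg.partition("\r\n\r\n")
    # The topmost Via header names the transport of the most recent hop only.
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    signalling = via.group(1).upper() if via else "UNKNOWN"
    streams = []
    for line in sdp.splitlines():
        m = re.match(r"m=audio (\d+) (\S+)", line)
        if m:
            streams.append([int(m.group(1)), m.group(2), False])
        elif line.startswith("m="):
            streams.append(None)      # non-audio section: ignore its attributes
        elif line.startswith("a=crypto:") and streams and streams[-1]:
            streams[-1][2] = True
    return [(p, _verdict(proto, key, signalling)) for p, proto, key in filter(None, streams)]
```

A "srtp-key-exposed" result means the media is encrypted but the key was sent over unencrypted signalling, so anyone who can capture the INVITE can still decrypt the call.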