VoIP Wiretapping and Eavesdropping Links and News
Links to Reports:
Voice Over Internet Protocol (VoIP) and Security
Security Analysis: Traditional Telephony and IP Telephony
Articles
E-MAIL SECURITY HERO TAKES ON VoIP
LAS VEGAS--Phil Zimmermann gave free e-mail encryption to the world more than a decade ago in the form of software called Pretty Good Privacy.
Now Zimmermann, who became an instant Internet hero in part because of a threat of federal prosecution for much of the 1990s, is trying to bring the same kind of encrypted security to Internet phone calls.
Last year, Zimmermann announced software called Zfone, which wraps voice over Internet Protocol (VoIP) calls in an additional layer of security. Today, Zimmermann is busy trying to convince VoIP makers to glue Zfone into their own products and announced the first licensing deal this week.
"The architecture matters," Zimmermann, who is self-funding Zfone, said in an interview at the recent Defcon hacker convention here. "This is a different way of doing it and it's better."
Zimmermann's efforts to popularize Zfone (which uses its own protocol called, of course, ZRTP) place him at the center of a growing political and technical debate about how to secure VoIP conversations--while allowing police and intelligence agencies to conduct electronic surveillance.
Claiming that terrorists and drug criminals will use VoIP, the Bush administration has demanded that broadband Internet providers provide backdoors for government wiretapping. In June, a federal appeals court ruled that such requirements were permissible under a 1994 law called the Communications Assistance for Law Enforcement Act, or CALEA. (The ruling is being appealed.)
Zimmermann's software makes those political debates far less relevant. Instead of requiring users to trust their government (or broadband and VoIP providers), Zfone scrambles the entire conversation from end to end. Think of it by way of analogy: It's as secure as handing a letter directly to its recipient--bypassing potentially nosy workers at the neighborhood post office.
Encrypting VoIP is especially important because computer networks are not nearly as safe as the public switched telephone network, Zimmermann says.
"You can have point-and-click wiretapping," he said. "And look at who's going to be doing it. It's not just going to be the major government agencies. It's going to be organized crime. It's going to be criminals on the other side of the world."
Seth Schoen, staff technologist for the Electronic Frontier Foundation in San Francisco, calls end-to-end encryption "very desirable."
"It takes intermediaries out of the picture in determining whether your communications are secure," Schoen said. "By analogy, it has fewer moving parts and fewer things that can go wrong. Or if you prefer, fewer entities that can betray your privacy."
Crypto-enabled networking gear
Zfone has met with some success. A beta version released in March (available for OS X, Windows, and Linux) works with VoIP software such as Gizmo and Free World Dialup that supports the SIP standard.
On Monday, networking gear maker Borderware said that it had licensed Zfone for use with its SIPassure product. The Toronto-based company's lineup includes firewalls and gateways, mostly designed for enterprise use.
Borderware said in a statement that the licensing arrangement extends "VoIP security provided to organizations from threats such as spam to denial-of-service attacks to include eavesdropping, spying and wiretapping."
Translated, that means Borderware customers won't be caught up in what some reports have alleged to be a huge National Security Agency dragnet that intercepts massive amounts of data that flow through the Internet. While it's still possible to figure out who's talking to whom, the contents of the conversations would in theory remain private.
The stakes are huge. Cisco Systems already has sold millions of VoIP phones, and research firm Gartner predicts that in four years, 30 percent of U.S. homes will use only VoIP or cellular phones.
Zfone isn't the first product to encrypt online audio, of course. Around the same time that the federal government said it would not prosecute Zimmermann on charges of exporting PGP, he released a voice-encryption utility called PGPfone. But the lack of readily available broadband at the time relegated it to a niche product.
Skype does use encryption, but professional cryptologists have been consistently skeptical of its security because its implementation is proprietary and the source code is secret.
An analysis by computer scientist Simson Garfinkel says "it is impossible to validate the company's claims regarding encryption." A subsequent presentation (click for PDF) at the BlackHat Europe conference in March said the right algorithms were being used, but that there's "no way" to know if a backdoor for eavesdropping exists.
By contrast, in an effort to demonstrate that there are no backdoors, Zimmermann has made Zfone's source code publicly available. In addition, the ZRTP protocol has been submitted to the Internet Engineering Task Force for review.
Still, Zimmermann's effort to build encryption into VoIP hardware could face a familiar obstacle: the U.S. government.
The FBI has drafted legislation, first disclosed by CNET News.com in July, that would force makers of networking gear to build in backdoors for eavesdropping. If approved by Congress, it would prevent companies from following Borderware's lead--unless they included mandatory surveillance backdoors for police and spy agencies.
Encryption Guru Returns With VoIP Software
PC World/Techworld
The man who almost single-handedly invented desktop encryption, Phil Zimmermann, brought his new telephony-oriented encryption program to this week's Black Hat security event in Las Vegas.
The new encryption software--currently known only by its internal development moniker "Zfone"--is designed to stop Voice-over Internet Protocol (VoIP) traffic from being snooped on, especially across broadband links. It sits on top of the open-source Shtoom VoIP client software, with Zimmermann's encryption integrated into the program.
Zimmermann told Techworld that the software uses a Diffie-Hellman-based public key design. This method is session-based, with keys generated for exchange between clients on a per-call basis. Both VoIP clients would need to run the program to set up such a secure link, which makes Zfone similar in principle to the famous PGP desktop encryption program Zimmerman wrote in the early 1990s.
In contrast to emerging VoIP encryption protocols, Zimmermann's scheme rejected a full Public Key Infrastructure (PKI) approach to security, fearing it would add layers of complexity to the software.
Your Digits or Mine?
The current prototype also includes a simple form of authentication, whereby callers exchange a short series of digits with one another. If the two sets of digits don't match, then the call has likely been intercepted by a third party.
It is not the first time Zimmermann has used encryption with VoIP. Nearly a decade ago, he created an application called PGPfone, though it achieved only modest success and is no longer current. "Nine years ago...the Internet hadn't taken off and there was no broadband," he said. Now, however, VoIP is booming, with the conversion of domestic voice calls to the medium looking to be only a matter time.
The product is in its early stages, and Zimmermann is currently in discussion with potential investors for further development funds. To this point, he has created the program using his own money and some from VoIP expert Jeff Pulver. He did not give any timeline for the release of a beta version, but was considering making it available to developers who want it.
"I didn't have any money when I wrote PGP, so hopefully [development] won't take very long," he said.
There is some disagreement about whether VoIP applications currently need encryption security, with a recent Gartner presentation pointing out that few known tools allow for eavesdropping with this form of communication. However, history demonstrates that this will change as VoIP gains popularity.
Cisco Plugs VoIP Gateway Holes
SilconValley Internet News
Network equipment supplier Cisco has issued patches for several security flaws in its voice-over IP gateways that hackers could exploit and use to eavesdrop on telephone calls.
The vulnerability could also be exploited to issue denial-of-service attacks on services managed by its VoIP software platform.
The most recent VoIP security flaws, discovered by security unit Internet Security Systems(ISS) X-Force team, are located in Cisco's Call Manager, an essential component to the functioning of any Cisco VoIP deployment that perform call signaling and call routing.
The vulnerabilities make it possible for an attacker to trigger a heap overflow within a critical Call Manager process, causing both a denial of service condition and enabling an attacker to completely compromise the Call Manager server, ISS said.
"Like many of the applications that are driving today's businesses, VoIP travels over a variety of networks and the public Internet and is therefore susceptible to the same security perils as other staple network components like e-mail, databases and servers," Chris Rouland, chief technology officer at ISS, said in a statement.
"We are aware of several vulnerabilities that potentially affect the Cisco Call Manager software. To date, Cisco is not aware of any active exploitation of these vulnerabilities and Cisco has made free software fix available," the company said.
Cisco is not aware of any active exploitation of these vulnerabilities and Cisco has made free software fix available.
"An attacker may be able to redirect calls or perform eavesdropping as a result of this compromise. Successful exploitation of this vulnerability could be used to gain unauthorized access to networks and machines with Cisco VoIP products," the company said.
No authentication is required for an attacker to exploit the vulnerability and compromise a network, according to ISS.
"Voice over Internet Protocol is increasingly being adopted by corporations that wish to save money on telecommunications costs and streamline their communication infrastructure, providing employees with advanced features while simplifying administration processes," Rouland said.
VoIP security test bed, policy in the works
CBR
Now is the time for the US Congress to make voice over IP security a national priority, according to the Cyber Security Industry Alliance, a lobby group made up of the CEOs of major security companies.
CSIA this week asked Congress to include security recommendations for VoIP as it revises the 1996 Telecommunications Act.
The group also said that key VoIP companies and researchers will meet next month to plan a national "honey pot" VoIP security test bed to begin to address some of their concerns.
VoIP is vulnerable to some of the same threats as any internet application, such as denial of service attacks. Compromised VoIP systems could also allow eavesdropping and voicemail hijacking, said CSIA. Adding an extra layer of security infrastructure could help resolve some of these issues, but not all of them.
"Some of the same problems we see on data networks, we're going to see on voice networks," said Paul Kurtz, CSIA executive director, "And they will even be more complicated because some of the security tools we use on data networks are not as easily applicable on voice networks.
A major VoIP attack, which has not yet happened, could disable critical infrastructure and cripple VoIP-based emergency systems, Kurtz said.
Too little is known about VoIP security today to make specific policy recommendations to Congress yet, Kurtz said. But the CSIA will hold an event next month, out of which Kurtz expects will come some recommendations.
By submitting a detailed report to Congress on the issue, Kurtz said CSIA is trying to "raise the level of understanding and awareness for VoIP reliability and security issues before we get into a situation where we have large scale attacks."
The biggest problem within the next few years will be spam over IP telephony, or SPIT, said Ram Dantu, assistant professor of computer science at the University of North Texas.
"E-mail spamming is a very big issue right now, the same thing will happen with voice spamming in two or three years' time," Dantu said. "So, we need some techniques to stop this."
To develop VoIP security technology, some industry players, including Bell Laboratories, Sprint, Verizon, BellSouth, Cisco Systems and Juniper Networks will team on test bed research, Dantu said. MIT, UC Davis and the University of Tulsa, among others, will join them.
"We want to see what is the damage that can be done by DoS attacks and spamming ... we are pooling resources on this project," Dantu said. "We want to test our filters."
The group will meet to work on details and a timeline for the research on June 1 and 2 at a conference, co-hosted by Dantu's university, CSIA and George Mason University, in Washington, D.C.
Kurtz said CSIA has invited the Federal Communications Commission to next month's event. Representatives from the Department of Homeland Security and the Department of Defense will attend.
While he expects the conference will bear recommendations for government on VoIP security, Kurtz sidestepped the issue of VoIP regulation, saying it was too early to call. "There's a lot of space between the free market and regulation," he said.