VoIP Security – Secure or Too Secure?
As a brief followup to my previous post about VoIP security, I came across a couple articles that offer an interesting point / counterpoint to the questions regarding VoIP reliance and peace of mind.
The first article from PC World by Lincoln Spector; Is VoIP Secure?:
The digital data of a VOIP call can be intercepted anywhere along the complicated path from your router through the multiple servers until it goes out to the analog phone network. Assuming your VOIP service doesn’t encrypt calls, whoever intercepts it can listen to it, as well.
Which raises the question: Does your VOIP service encrypt calls?
Skype does, with very strong, 256-bit AES encryption. You can read the details here.
But others are not as cautious. I know that Google Voice doesn’t encrypt their calls because a Google spokesperson told me so. Yahoo didn’t respond to my query, so I think it best to assume the Yahoo Voice (the service that USANomad uses) also lets their calls go out unprotected.
While encryption increases your safety, it doesn’t guarantee it. Your own computer may be the weak point in your VOIP security chain.
The next article is from Network World by Jim Metzler and Steve Taylor; Is VoIP Too Secure?:
The issue that was discussed by FBI General Counsel Valerie Caproni is that with VoIP solutions – and Web-based VoIP in particular – the individual conversations can be quite difficult to intercept and decode. Further, while at one time Internet-based voice conversations were largely limited to “major” applications like Skype, there is rapid and widespread proliferation of “voice chat” capabilities. For instance, you can do a voice chat, a video chat, or even call an external phone from Gmail. And this only covers voice-like capabilities, and doesn’t include other messaging.
Interestingly, and in a move that makes sense, the government is not specifying exactly which services need to be modified so that they can be more easily monitored.
So, which is it?  Will infected computers and unreliable encryption severely compromise your safety or, is the proliferation of IP based communications the saving grace of interception resistance?
Maybe it’s a little bit of both? Security will always be an issue so do everything in your power keep your systems updated and secure on your end but, take some comfort in the fact that the government is having troubles decoding conversations. Some of this similar to what was represented in the NOVA episode The Spy Factory where a major challenge for the NSA was not collecting information but acquiring the resources to deal with the sheer volume of data, making sense of it, and then connecting the dots.
1 Comment
What you have highlighted is that there are a diversity of voip services available, some that include security be default and many that don’t.
I know of no SIP based ITSP that offers TLS/SRTP based security for voice calling. This is the standard way that companies might secure calling between sites over their WAN. It tends to be limited to such corporate or institutional installations.
Most ITSPs pass SIP and RTP in the clear. That means that it’s reasonably easy for the well informed hacker to capture & record your calls.
People often overstate the security of traditional POTS service. Anyone with access to your analog pair and a butt-set could tap the line and listen in. Physical access being the hardest part, and not that hard in reality.
While there is a lot of concern shown for the technical matters of security, social engineering often overcomes the best tech…and relatively easily.
From the fed authorities perspective the current state of the art in securing voice traffic over IP is possibly a challenge. Likewise accessing Skype calls, which would likely happen through Skype’s cooperation with authorities.
From the perspective of a Vonage customer, security is basically not even on the horizon. All the SIP & RTP traffic travels in the clear, readily available to the feds like any other internet traffic.