VoIP Wiretapping Widespread, Warns Security Firm

Firm points to lax security on company phones, new tools for hackers that simplify breaches

According to Sheran, the threat of your VoIP calls being intercepted is made higher still by the low skills levels required to tap into such conversations.

"With the availability of these tools, you do not need to be very highly skilled. You just need to have a basic understanding of how VoIP works and a little bit of network knowledge," he says.

Some commercial VoIP services have taken commendable steps to ensure the privacy of their users' calls, Sheran says.

"Skype, for example, uses proprietary protocols for both signalling and for voice streams. It is significantly harder to sniff Skype traffic due to the encryption used in the protocol."

An example of an unprotected line Scanit engineers uncovered was while they were performing an internal audit for a large Middle-Eastern bank."

Their VoIP implementation used Virtual LANs to segregate specific voice streams for different departments. By connecting to a completely different VLAN reserved for consultants of the bank (with no access to other critical infrastructure servers) we were able to hop onto different VLANs and capture traffic from the senior management VLAN. We captured a significant amount of voice streams from the CEO's office," Sheran says.

The security outfit puts the number of unsecured VoIP calls that could be exploited by hackers at 70 per cent.

"Within the region we work in, I can say that we are looking at high percentage figures of insecure VoIP calls," Sheran says."Nearly three quarters of the corporate deployments we have audited have been exploitable from the inside."

Security experts around the world are rising to the challenge that unsecured VoIP networks pose.Phil Zimmermann - the legendary author of PGP, a program that offers the common email user military-spec encryption - told the Defcon hacker convention in the US this summer "point-and-click wiretapping" is being used "by organised criminals on the other side of the world". His response was to release Zfone, his own privately-developed software, which scrambles VoIP conversations from end-to-end. Taking matters into his own hands was a necessary step to protect his own VoIP conversations against eavesdropping. But not everyone supports such proactive measures. The Bush administration this year used a 1994 surveillance law to demand ISPs provide backdoors for government wiretapping of VoIP calls, citing terrorist and drug criminal usage.

"Encrypting VoIP is now more important than ever because computer networks are not nearly as safe as the public switched telephone network," Zimmermann says. However, even if the software you use to make VoIP calls offers a high level of encryption, the hardware connecting your system to the web may already have opened them up to eavesdropping.

The FBI drafted legislation in July to force makers of networking gear to build in backdoors allowing them access to all data going in and out. Sooner or later, and despite the best efforts of security companies to protect VoIP users from hackers, such a loophole will also leave the door open to hackers.

Concerns are being expressed from all sides. The Federal Deposit Insurance Corporation (FDIC) warned earlier his year: "If improperly implemented, VoIP can pose significant risks to financial institutions. Therefore, management should perform a comprehensive risk assessment before implementation to ensure the confidentiality, integrity and availability of voice communication using VoIP technology."

Among FDIC's recommendations is a caution against using "soft phones"; that is VoIP via desktop computer, using headphones and calling software, and pushing home the need for VoIP-ready firewalls. As VoIP deployments are gaining steam in enterprises of all sizes, tech analysts IDC estimate that revenue for network and premises-based VoIP services will grow from $2.9 billion to $6.9 billion over the next five years.