Click Here To Visit SIP Broker  

Go Back   Voxalot / SIP Broker Support Forums > Voxalot Forums > Voxalot Support

Voxalot Support Support for the Voxalot service.

 
 
Reply
Thread Tools Display Modes
Unread 10-25-2009, 11:52 AM   #1
sleek
Member
 
Join Date: Dec 2008
Posts: 54
Thanks: 2
Thanked 5 Times in 5 Posts
sleek is on a distinguished road
Default What about security?

I'd like to touch on a very sensitive subject, security.

Or lack thereof. I believe the majority of end-customers are unaware of the fact their conversations are COMPLETELY unsecured!

I was rearranging my network topology at home and decided to execute some security tests. The results are worrisome. Utilizing the Man In The Middle attack I was able to record every and each of my conversations, including the md5 hashed password, for authentication with the SIP server.

In essence, this means, everyone, from our neighbor, our ISP and all the way to the SIP server, people can eavesdrop on our conversations with ease. It also means people with weak passwords are subject to account hijacking, because the md5 hash also travels without any encryption.

The thought of our conversations being eavesdropped virtually by anyone from our computers to the Voxalot SIP servers is quite unsettling.

This is only a brief overview of a huge problem. I don't want to get into details.

Can Voxalot offer some sort of remedy?
sleek is offline   Reply With Quote
Unread 10-25-2009, 06:04 PM   #2
ctylor
 
ctylor's Avatar
 
Join Date: Apr 2006
Location: Vancouver, BC
Posts: 296
Thanks: 94
Thanked 53 Times in 27 Posts
ctylor will become famous soon enough
Default SIP over Transport Layer Security (TLS)

I am not sure how difficult it would be to enable SIP over Transport Layer Security (TLS) between our SIP devices and the Voxalot server, but that would be a good start... though I don't think that encrypts your calls, just the server info and passwords you are sending in SIP packets.

Unfortunately very few devices and softphones (the SPA942/SPA962 and Eyebeam, anything else?) even include the functionality to encrypt SIP messages with TLS.

Secure Real-Time Transport Protocol (SRTP) is commonly supported in theory in Sipura/Linksys devices but the only way to get a certificate is at the dying Voxilla website, and even then it only works for Sipura ATAs, and not for IP phones. And to work requires both parties be using SIP devices with SRTP installed and call security enabled.

You know, the more I think of it, the more it seems like the government designed the "security" system of SIP telephones. There seems no reason why it couldn't be more secure. Just that not enough people are asking for it or willing to pay for it.
ctylor is offline   Reply With Quote
Unread 10-25-2009, 09:18 PM   #3
remm
Junior Member
 
Join Date: Oct 2009
Posts: 9
Thanks: 2
Thanked 0 Times in 0 Posts
remm is on a distinguished road
Default Security should be more discussed!

It's very strange -- I feel the same way -- not enough discussion.

Does anyone know if voxalot supports SIPS (SIP+TLS+SDES) ? This would be a good start as at least two SIPS devicies could register and then setup an SRTP session. It would also be good to support openvpn as part of the premium plan.

People say security is difficult -- I don't buy that. There are 4 common ways to implement security: openvpn (callwithus and fonosip will do this), ipsec, zrtp (supported by zphone, twinkle, some expensive draytek devicies, and some proxies), and SIPS+SRTP (which almost every new hard phone can do).

Other thing I would say -- the huge issue is secure PSTN termination. You can with effort secure voip-voip calls today using zrtp -- but I've not been able to find anyone that will do secure PSTN termination for residential users.

What have others found about this issue? Anyone know of a secure PSTN termination that is SIP based?

Rob
remm is offline   Reply With Quote
Unread 10-26-2009, 10:09 AM   #4
martin
 
Join Date: Feb 2006
Posts: 2,930
Thanks: 528
Thanked 646 Times in 340 Posts
martin is a jewel in the roughmartin is a jewel in the roughmartin is a jewel in the roughmartin is a jewel in the roughmartin is a jewel in the roughmartin is a jewel in the rough
Default

Quote:
Originally Posted by sleek View Post
In essence, this means, everyone, from our neighbor, our ISP and all the way to the SIP server, people can eavesdrop on our conversations with ease.
Not sure how your neighbor is eavesdropping unless you have an unsecure wireless connect. Theoretically an ISP could eavesdrop on the RTP stream. However, it would seem highly unlikely.

Quote:
It also means people with weak passwords are subject to account hijacking, because the md5 hash also travels without any encryption.
If you read up on the SIP protocol you will see that SIP authentication uses a nonce to encrypt the password.

Even if a man in the middle attacker was to capture the auth token they would not be able to simply replay it as the SIP server would require a new encrypted auth token matching a newly issued nonce.
__________________
Martin

Please post support questions on the forum. Do not send PMs unless requested.
martin is offline   Reply With Quote
Unread 10-26-2009, 12:35 PM   #5
sleek
Member
 
Join Date: Dec 2008
Posts: 54
Thanks: 2
Thanked 5 Times in 5 Posts
sleek is on a distinguished road
Default

martin, I only gave an example of how eavesdropping may take place. Truth be told, it depends on which corner of world you live, as well as your network infrastructure and circumstances.

Fact is, there are a lot of people sharing internet connection (between neighbors for ex.), there are ISPs still using switched networks, many offices/buildings are using switched networks, colleges, dorms..etc. situations where your infrastructure is subject to either MITM or ARP attacks subsequently hijacking sensitive information. As far as wireless networks go, I'm sure you're aware of the large number unsecured wifi spots both at residential and business establishments. Not to mention people who still think WEP is 'secure' option for their networks. I won't omit an ISP either, I don't trust them and why should I?

Just because you believe an eavesdrop is 'unlikely', doesn't mean it's out of the question. If that was the case, banks and security organizations wouldn't go trough the trouble of creating expensive encryption software/hardware to protect sensitive information. Are you willing to do your online banking without SSL, certificate or any other encryption, trusting your ISP or any other corresponding network won't tap in on your bank accounts? I know I wouldn't!

As for the SIP hashes, to my understanding they are md5-like and more importantly they are subject to dictionary and bruteforce attacks. I found a number of tools for that.

Bottom line is, I suppose I can live with a strong non-dictionary based password travel trough the net, but a completely unsecured rtp media stream is one thing I cannot abide or allow and perhaps daily, casual conversations aren't a big deal, but business VoIP is. I can't imagine talking to my bank or my accountant or confidants knowing someone might be listening.

Unless people are willing to leave their privacy to chance, security amendments must implemented. (IMHO)

Last edited by sleek; 10-26-2009 at 01:56 PM.
sleek is offline   Reply With Quote
Unread 10-27-2009, 01:50 AM   #6
remm
Junior Member
 
Join Date: Oct 2009
Posts: 9
Thanks: 2
Thanked 0 Times in 0 Posts
remm is on a distinguished road
Default Security Issues

As far as I know SIP Digest authentication only protects the sip provider and the account at the sip provider -- it does not really protect the user.

* I have no way to know if the server I'm talking to is really the one I think it is. This is what TLS is for and for the key exchange to setup SRTP.

* As stated above -- just TLS does not guarantee security -- but it does allow one to use SDES (if your server allows it) to setup SRTP voip to voip.

I'm not saying TLS is the solution for voxalot -- I'm not certain. Really viop-to-voip security may be better served by zrtp, and in terms of voxalot to get pstn termination security that must be implemented on the termination side -- which I've not been able to find. TLS would however help people wanting to do sip to sip connections between voip phones. OpenVPN seems intresting also but it means a lot of bandwith on the voxalot end.

The other thing I would say -- people make a lot of comments about voip being more secure than your pstn phone -- and if your using DSL and only looking at a connection between your home and your ISP -- I can believe that. However, this is not the real security concern:

* What happens at the 30-40 other nodes and routers your call will go though before it is terminated either into PSTN or into another voip device -- and the dozen compaines, and the 100 people that have access to it along the way? Then of course there is the 1000 crackers that will try to break into those 40 nodes or otherwise route traffic.

* What happens when your traveling and in a hostile environment like a hotel or hotspot network? Is the traffic secure and the DNS reliable there?

I don't mean to be alarmist -- but I do think these are all issues -- and that they are all good reasons not to trust some voip setups for business and financial uses. This makes me sad -- but I think it's the situation.

The other sad thing is that there is at least one major internet phone company that already uses encryption. It's sad because I don't care to support, recommend or use the closed Sk* protocol and software. I just wish SIP people would take some action regarding security.

Rob
remm is offline   Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Broadvoice in and outbound calling heartspeace Voxalot Support 16 07-11-2008 02:22 AM
Security question. cpiga Voxalot Support 3 08-07-2007 02:39 PM


All times are GMT. The time now is 07:05 PM.


Powered by vBulletin® Version 3.7.2
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.