How secure is my VoIP connection?

[yf]

Folks:
The more I become dependent on VoIP the more I get worried about the security of the connection. I am talking about home-use connections not the fancy corporate business exchanges.

1) Is my home network is at risk having an ATA connected to it? If so what are the risks?
2) Can someone hack my account with my VoIP provider and use it to make calls of his own? I am talking about the commercial VoIP providers.
3) Can someone eardrop to the telephone conversation I make it over my VoIP connection?

[chandave]

Quote:

Originally Posted by yf

1) Is my home network is at risk having an ATA connected to it? If so what are the risks?

Yes. Any time you add a device into your home network that can talk to another machine outside your network puts your home network at risk. BUT, currently, that risk is low. It is more likely that your ATA might be tricked into assisting in a Denial of Service attack.

Quote:

Originally Posted by yf

2) Can someone hack my account with my VoIP provider and use it to make calls of his own? I am talking about the commercial VoIP providers.

Yes. Someone can hack your account. It doesn't take that much resources but a lot of time. The method of authentication (based on the HTTP-digest algorithm) is an open standard and the information about your call setup is in cleartext when the data is sent between you and your VSP.

Again, the risk is currently low.

Quote:

Originally Posted by yf

3) Can someone eardrop to the telephone conversation I make it over my VoIP connection?

The audio packets are not encrypted. Anyone that can record the datastream between you and your VSP can eavesdrop on the conversation.

This is no different from someone walking over to your home, finding the demarc of your POTS drop, and alligator-clipping the wires.


See ya...

d.c.

[jan1972]

Actually, I would be more concerned about your private network. Tapping a call on the public Internet is difficult as usually an attacker does not have access to the WAN.

The LAN is much easier. Using the remote ARP attack (check out Cain & ABel at oxit.it) every one in the LAN can route the VoIP traffic through the local PC and then record the RTP stream. That tools does everything for you, no need to be a security geek.

But not only your information-hungry colleague is a problem. It is only a question of time when the spyware, bots and whatever start the same thing and upload the records to the mailservers of the competing companies.

[Steve7]

I guess everything has a risk, you just weigh it down and see what you could take and what not.

[vergara]

Very nice thread you got here guys, it helps me understand the risk of using voip.

[comp1]

Hello

Divide and conquer. There are three main threats to VoIP security: authentication failures, integrity failures and privacy failures.