Industry experts have warned for years that companies
are ignoring security when deploying VoIP.
Researchers at this year's Black Hat conference say the state of
VoIP security is as bad today as it was two years ago, with many
adopters relying on protocols that are easy to attack. But PGP
creator Phil Zimmermann has unveiled new software he believes will
help turn the tide.
Zimmermann calls his new creation Zfone, a VoIP phone software
product that lets users encrypt their calls over the Internet.
Zfone uses a new cryptography protocol called ZRTP, which has a
better architecture than such other VoIP security protocols as SIP
(Session Initiation Protocol), H.323 and IAX. Users can download a
free beta of Zfone from the Zfone Project Web site.
"Zfone sits in the IP protocol stack and runs as a filter, and
it works with multiple programs such as Windows Mobile, Apple
iChat, Symbian and Nokia," he said before running a demonstration
of how the technology works.
To show how Zfone can protect VoIP sessions from man-in-the-middle
attacks without the need for PKI or certificate authority,
Zimmermann initiated two VoIP calls with someone in the audience
using iChat and then Gizmo, a free Internet phone
application.
"To prevent a
man-in-the-middle attack, we have to use the same session key,"
he said, pointing out how his software allows for that to happen.
"When you have the same session key at both ends, there can be no
man in the middle."
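As an added illustration, not Zfone's own code: ZRTP gets its "same session key at both ends" property from an ephemeral Diffie-Hellman exchange, and without a certificate authority the callers confirm it by reading a short authentication string (SAS) derived from the key aloud; a relay sitting between them ends up negotiating two different keys, so the strings disagree. The group, names and private values below are constructed for the demo and are far too small for real use.

```python
"""Toy model of ZRTP-style man-in-the-middle detection without PKI:
Diffie-Hellman key agreement plus a short authentication string (SAS)
that the two callers compare by voice. Constructed example, not Zfone's
code; the group is far too small for real use."""
import base64
import hashlib
import secrets

# Toy DH group (assumption: any prime works for the demo; ZRTP uses
# standardised 3072-bit MODP or elliptic-curve groups).
P = 2**127 - 1
G = 5


class Endpoint:
    """One call participant holding an ephemeral DH key pair."""

    def __init__(self, name, priv=None):
        self.name = name
        self.priv = priv if priv is not None else secrets.randbelow(P - 2) + 2
        self.pub = pow(G, self.priv, P)

    def session_key(self, peer_pub):
        """Derive the media session key from the peer's public value."""
        shared = pow(peer_pub, self.priv, P)  # < 2**127, fits in 16 bytes
        return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def sas(key):
    """4-character base32 SAS (20 bits), the form ZRTP shows for reading aloud."""
    digest = hashlib.sha256(b"ZRTP-SAS" + key).digest()
    return base64.b32encode(digest)[:4].decode()


def call(alice_priv=None, bob_priv=None, interceptor=None):
    """Run one key agreement. If `interceptor` is an Endpoint relaying the
    call, each side unknowingly agrees a key with it instead of the peer.
    Returns (alice_key, bob_key, alice_sas, bob_sas)."""
    alice = Endpoint("alice", alice_priv)
    bob = Endpoint("bob", bob_priv)
    a_sees = interceptor.pub if interceptor else bob.pub
    b_sees = interceptor.pub if interceptor else alice.pub
    ka, kb = alice.session_key(a_sees), bob.session_key(b_sees)
    return ka, kb, sas(ka), sas(kb)


if __name__ == "__main__":
    _, _, sa, sb = call()
    print("direct  :", sa, sb, "match" if sa == sb else "MISMATCH")
    _, _, sa, sb = call(interceptor=Endpoint("mallory"))
    print("relayed :", sa, sb, "match" if sa == sb else "MISMATCH")
```

When the strings match, both ends hold the same key and no relay is present; a mismatch is the signal to hang up.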
Throughout his presentation, Zimmermann stressed the importance
of encrypting VoIP transmissions, even though, as he noted, some in
the government believe that would hobble law enforcement's ability
to tap VoIP conversations as part of criminal investigations. The
problem, he said, is that organized criminal outfits are quickly
figuring out how to turn the tables by tapping VoIP calls made by
the authorities attempting to bring them to justice.
"We have to encrypt our phone calls because the VoIP environment
just isn't safe," he said. "It's getting easier for the bad guys to
use something like spyware to tap the VoIP conversations of judges,
prosecutors and the police."
Zimmermann's demonstration received a positive response from the
audience, and other experts backed his claim that it's no longer
difficult for digital miscreants to exploit VoIP insecurity.
Himanshu Dwivedi and Zane Lackey of San Francisco-based digital
security firm iSEC Partners Inc. gave a presentation on the various
ways attackers can exploit SIP, IAX and H.323. The latter, they
said, is particularly vulnerable to attack, yet most users
assume H.323 is secure because little evidence to the contrary has
been presented. They urged the audience to build a layered defense,
noting that the state of VoIP security is as bad now as it was a
couple years ago.
"Four to five years ago, we started hearing about the security
problems of VoIP, and it's really no better today," Dwivedi said.
"The security vendors are not on top of the problem and users are
relying on protocols they think are safe, when in fact they are
not."
The two then ran through a series of examples showing how
attackers could exploit the protocols to listen in on VoIP
conversations and extract sensitive information in the process, and
create havoc through denial-of-service attacks and by impersonating
certain people on the call. IDs, time stamps and certain hashing
functions can easily be sniffed, they warned.
Several Black Hat attendees said their organizations aren't
using a lot of VoIP yet, but that they know it's something they'll
soon have to deal with.
Andrew Fried, an IT security specialist with the U.S. Treasury
Department, said his agency wants to increase its VoIP capabilities
and hopes the Black Hat sessions will bring him up to speed on the
security risks he'll have to be worrying about.
"The government is trying to push more and more work at home and
VoIP will be used as part of that … but fraudulent use of VoIP is
something we're more concerned about, with [attackers] making calls
in the name of the IRS using VoIP services that are nearly
untraceable," Fried said. "Welcome to the world of fraud."