
    SIP over the internet

    • scottalanmillerS
      scottalanmiller
      last edited by

      Here is another way to look at it..... ever "accidentally" gotten access to someone's VoIP call? I bet not. Ever "accidentally" gotten connected to a PSTN call that wasn't yours and had access to either listen or possibly even talk? Sure, who hasn't. It's rare. But my point is that it is so easy to tap the PSTN that the phone carriers accidentally tap people into lines with some regularity. There is no protection at all.

      JaredBuschJ 1 Reply Last reply Reply Quote 1
      • JaredBuschJ
        JaredBusch @scottalanmiller
        last edited by

        As @scottalanmiller states, it is trivial to tap a POTS line.

        Anyone can open a box on the outside of your building, or even down the street and clip on to pairs until they find your call.

        How will you tap a VoIP call? You have to get on the network between the PBX or phone and the SIP trunk provider. How easy is that to do?

        1 Reply Last reply Reply Quote 2
        • JaredBuschJ
          JaredBusch
          last edited by

          @Dashrender You have not yet replied with WHY you are trying to protect against eavesdropping.

          What is driving this?

          DashrenderD 1 Reply Last reply Reply Quote 1
          • DashrenderD
            Dashrender @JaredBusch
            last edited by

            @JaredBusch said:

            @Dashrender You have not yet replied with WHY you are trying to protect against eavesdropping.

            What is driving this?

            My personal paranoia.

            Without physical access PSTN is not trivial... but yes physical access is trivial as long as you're local to the connections, but if you're some hack in China, there is little to no chance they are going to tap your PSTN connection, but they definitely have the ability to try to hack your VOIP connection.

            I realize I probably have a completely unfounded fear here, and as someone already said.. we all know that the NSA is already tapping everything.

            Another thing - I like privacy for the sake of privacy. Frankly I'm amazed how many people don't.

            scottalanmillerS 3 Replies Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @Dashrender
              last edited by

              @Dashrender said:

              Without physical access PSTN is not trivial... but yes physical access is trivial as long as you're local to the connections, but if you're some hack in China, there is little to no chance they are going to tap your PSTN connection, but they definitely have the ability to try to hack your VOIP connection.

              But even without physical access, VoIP is as safe or possibly still safer. PSTN is just SO much more dangerous when there is physical access.

              You really think someone in China wants to listen to you talk?

              They can tap your PSTN just like your VoIP. Don't get confused into thinking the PSTN is secure. You need to read more about the history of hacking. Hackers came from the phone systems to computers, not the other way around.

              DashrenderD 1 Reply Last reply Reply Quote 0
              • DashrenderD
                Dashrender @scottalanmiller
                last edited by

                @scottalanmiller said:

                They can tap your PSTN just like your VoIP. Don't get confused into thinking the PSTN is secure. You need to read more about the history of hacking. Hackers came from the phone systems to computers, not the other way around.

                Oh Yes, I've read some of Mitnick's adventures.

                scottalanmillerS 1 Reply Last reply Reply Quote 1
                • scottalanmillerS
                  scottalanmiller @Dashrender
                  last edited by

                  @Dashrender said:

                  Another thing - I like privacy for the sake of privacy. Frankly I'm amazed how many people don't.

                  Then you'd move to VoIP first and look to make it MORE secure afterwards. PSTN is the least secure thing, along with cell phones and texts. Those are the things you'd use last. VoIP is more secure. Sure, you can REALLY secure VoIP, if you are extra paranoid. But using the insecure because you fear the moderately secure doesn't make sense and doesn't reflect a desire for privacy.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller @Dashrender
                    last edited by

                    @Dashrender said:

                    @scottalanmiller said:

                    They can tap your PSTN just like your VoIP. Don't get confused into thinking the PSTN is secure. You need to read more about the history of hacking. Hackers came from the phone systems to computers, not the other way around.

                    Oh Yes, I've read some of Mitnick's adventures.

                    He was late. It's the older 1970s stuff in Silicon Valley that's really hilarious and interesting. The phone system is not designed to be secure. It's designed to be replaced, which it was, long ago by VoIP.

                    1 Reply Last reply Reply Quote 0
                    • DashrenderD
                      Dashrender
                      last edited by

                      I'm definitely not looking to stay on PSTN for security/privacy sake, please don't misconstrue that.

                      My quest is more on the, we're using SIP over the internet, why does it seem that encryption is the exception, not the rule?

                      I see no reason for me not to dump PSTN as soon as I'm able.

                      scottalanmillerS 1 Reply Last reply Reply Quote 0
                      • scottalanmillerS
                        scottalanmiller @Dashrender
                        last edited by

                        @Dashrender said:

                        Frankly I'm amazed how many people don't.

                        Why? What do I care if someone wants to dedicate their life to tapping my phone? If it is worth that kind of effort they can listen to me check on my dad's health. If people want to spy on you they are going to, period. There is a reasonable level of security that makes you not be low hanging fruit, do that stuff. But there is a point of paranoia that does you no good and actually might flag you as a target for being weird.

                        No one has needed encrypted calls for a hundred years. Why now? Now that no one uses phones seems an odd time to be concerned.

                        And tapping a phone call, eavesdropping, on VoIP is HARD. I mean really, really hard. It's not a very reasonable concern. Do you actually think someone might try to do this to you?

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @Dashrender
                          last edited by

                          @Dashrender said:

                          My quest is more on the, we're using SIP over the internet, why does it seem that encryption is the exception, not the rule?

                          Because it takes effort, in the end your calls are dumped onto the insecure PSTN, the other end isn't encrypted anyway and it has little security value. Moderate effort to nominal value means ... why would anyone care?

                          Sure if you are a government agent, a spy, are calling in Wall St. trades.... something where spending millions to hack your calls is worth it then by all means, encrypt. But if you are a normal person, it seems pretty silly.

                          1 Reply Last reply Reply Quote 0
                          • DashrenderD
                            Dashrender
                            last edited by

                            And this is what I wanted from this conversation... pulling me off the ledge I was standing on.

                            I definitely understand the

                            There is a reasonable level of security that makes you not be low hanging fruit, do that stuff.

                            While I may still have a personal twinge I can't seem to get over, I know I can push myself past it and implementation.

                            1 Reply Last reply Reply Quote 0
                            • scottalanmillerS
                              scottalanmiller
                              last edited by

                              Where are you thinking of implementing the encryption? Between the PBX and the endpoint(s)? Where will the endpoint(s) be? Internal, external?

                              DashrenderD 1 Reply Last reply Reply Quote 0
                              • DashrenderD
                                Dashrender @scottalanmiller
                                last edited by

                                @scottalanmiller said:

                                Where are you thinking of implementing the encryption? Between the PBX and the endpoint(s)? Where will the endpoint(s) be? Internal, external?

                                Anywhere that SIP runs over the internet. i.e. from the SIP provider to my PBX and from my PBX to endpoints that are external (all if it's an all or nothing thing).

                                scottalanmillerS 1 Reply Last reply Reply Quote 0
                                • coliverC
                                  coliver
                                  last edited by

                                  As a grad project for a security class we used a SIP-to-SIP connection over a common switch. While it wasn't hard to "eavesdrop" it took a significant amount of effort and processing power. Which was surprising to our group. It was in a controlled environment and we managed to do it in two ways. The first was SIP spoofing/poisoning, where we responded to both sides of the conversations as the other side and recorded the packets going through. Classic man-in-the-middle attack on both end points. Noticeable lag on the end points though so you could quickly see that something wasn't right. The second was a kind of brute force. We sniffed the network and recorded every RTP packet that went through the network and then "manually" reordered them into the correct stream. It was a cool project and really illustrated how difficult "hacking" this actually is.

                                  scottalanmillerS 1 Reply Last reply Reply Quote 2
                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @Dashrender said:

                                    Anywhere that SIP runs over the internet. i.e. from the SIP provider to my PBX ...

                                    Rarely do you have a choice there. They provide what they provide. They don't normally bother with encryption because the IPs are locked on both ends (normally) providing all of the real world security that you normally need.

                                    DashrenderD 1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @coliver
                                      last edited by

                                      @coliver said:

                                      As a grad project for a security class we used a SIP-to-SIP connection over a common switch. While it wasn't hard to "eavesdrop" it took a significant amount of effort and processing power. Which was surprising to our group. It was in a controlled environment and we managed to do it in two ways. The first was SIP spoofing/poisoning, where we responded to both sides of the conversations as the other side and recorded the packets going through. Classic man-in-the-middle attack on both end points. Noticeable lag on the end points though so you could quickly see that something wasn't right. The second was a kind of brute force. We sniffed the network and recorded every RTP packet that went through the network and then "manually" reordered them into the correct stream. It was a cool project and really illustrated how difficult "hacking" this actually is.

                                      Especially network hacking, which is what we are talking about here. This isn't breaking into a system but pulling packets off of the ISP's lines and recording them. If the attack happens from someone on your LAN, it's feasible. Do that on the ISP's network and things get really, really complicated.

                                      1 Reply Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @scottalanmiller
                                        last edited by

                                        @scottalanmiller said:

                                        @Dashrender said:

                                        Anywhere that SIP runs over the internet. i.e. from the SIP provider to my PBX ...

                                        Rarely do you have a choice there. They provide what they provide. They don't normally bother with encryption because the IPs are locked on both ends (normally) providing all of the real world security that you normally need.

                                        Well.. That doesn't solve Man-in-the-Middle.

                                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller @Dashrender
                                          last edited by

                                          @Dashrender said:

                                          @scottalanmiller said:

                                          @Dashrender said:

                                          Anywhere that SIP runs over the internet. i.e. from the SIP provider to my PBX ...

                                          Rarely do you have a choice there. They provide what they provide. They don't normally bother with encryption because the IPs are locked on both ends (normally) providing all of the real world security that you normally need.

                                          Well.. That doesn't solve Man-in-the-Middle.

                                          True. Are you suspecting your ISP of hijacking your connection? Where are you fearing the hijack existing?

                                          1 Reply Last reply Reply Quote 0
                                          • DashrenderD
                                            Dashrender
                                            last edited by

                                            You've made your point @scottalanmiller, and talked me off the ledge (mostly).

                                            Am I worried about my ISP, no more than I have been since the confirmation of Prism. Though considering problems like the ones recently found in the WiFi used by hotels, etc. that allow attackers to completely take over those devices, using security/encryption everyone should just be the norm... not having to worry about setting up my own VPN termination point, or buying someone else's would be pretty nice.

                                            1 Reply Last reply Reply Quote 0
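
The question running through this thread, whether a given SIP leg is actually encrypted, can be answered from an INVITE captured on your own PBX. The following is an added example, not part of any post in the thread: the sample INVITE, its addresses and the function name `audit_invite` are constructed for illustration. It reads the transport from the topmost Via header and the media profile and keying attributes from the SDP body.

```python
import re

# Constructed sample: an INVITE as it might appear on an unencrypted trunk leg.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-constructed",
    "Call-ID: constructed-1@192.0.2.10",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0",
    "a=rtpmap:0 PCMU/8000",
    "",
])

def audit_invite(message):
    """Return a list of findings about signalling and media protection."""
    head, _, sdp = message.partition("\r\n\r\n")
    # The topmost Via header names the transport this hop was sent over.
    via = re.search(r"^(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", head, re.I | re.M)
    transport = via.group(1).upper() if via else "UNKNOWN"
    signalling_encrypted = transport in ("TLS", "WSS")
    findings = []
    if not signalling_encrypted:
        findings.append(f"signalling sent over {transport}: headers and SDP readable on path")
    media, session_keying = [], None
    for line in sdp.splitlines():
        if line.startswith("m="):
            kind, _port, proto = line[2:].split()[:3]
            media.append([kind, proto, session_keying])
        elif line.startswith(("a=crypto:", "a=fingerprint:")):
            keying = "SDES" if line.startswith("a=crypto:") else "DTLS-SRTP"
            if media:
                media[-1][2] = keying
            else:
                session_keying = keying  # session-level attribute applies to all media
    for kind, proto, keying in media:
        if "SAVP" not in proto.upper():  # RTP/AVP and RTP/AVPF are unencrypted profiles
            findings.append(f"{kind}: {proto} is plain RTP, audio is not encrypted")
        elif keying == "SDES" and not signalling_encrypted:
            findings.append(f"{kind}: SRTP key sent inline (a=crypto) over cleartext signalling")
    return findings
```

An empty result describes only the hop where the message was captured; it says nothing about later legs such as a provider's hand-off to the PSTN.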