Will VoIP Finally Get Hacked?

from the we-shall-see... dept

Ever since VoIP first came on the scene, there have been fear-mongering reports saying that you shouldn't use VoIP because it will get hacked. However, in all these years, we've yet to hear a serious report of VoIP getting hacked, and even the scary warnings about VoIP hackers have quieted down. Yet, here we are, with a security company now claiming that 2008 will be the year that VoIP gets hacked. Of course, that security company is also selling a solution to prevent VoIP systems from getting hacked, so perhaps you should take the prediction with a rather large grain of salt. So which is it: is hacking VoIP networks not that easy? Is the fear overblown? Or have we just been lucky?


Reader Comments

  1.  
    Panaqqa, Jan 23rd, 2008 @ 5:53pm

    Why WOULD anyone hack VoIP?

    After all, these days hacking and cracking (especially of enterprise systems) is all about money. So just where is the money in hacking VoIP? It's not like the phone phreaking days of old when the free long distance calls were worth a ton.

    You will eventually see it cracked, but likely not until the attack can be refined and targeted enough to be suitable for espionage purposes.

     


  2.  
    kevin, Jan 23rd, 2008 @ 6:00pm

    what's the point of hacking voip, there's not really a lot of reason to do so.

     


  3.  
    zcat, Jan 23rd, 2008 @ 6:04pm

    BFD?

    POTS has been trivially easy to 'hack' into since it began. It's still trivially easy to tap into most people's analog phone lines. Cordless phones and analog cellphones were likewise always trivially easy to listen in on.

    If it bothers you, use an encrypted VPN. For everyone else the problem will go away by itself when we start migrating to IPV6, which includes built-in encryption.

    I don't think luck has much to do with it.. most people's telephone conversations simply aren't that interesting.

     


  4.  
    Black Hat, Jan 23rd, 2008 @ 6:30pm

    "Hey mom..could you buy some hot pockets at the store?" Yeah, I have to agree with zcat, not worth it for the common run of the mill hacker and the government doesn't need to do it as it stands now, they can run the lines wherever, straight from the central call center. No one cares to hack VOIP.

     


  5.  
    Jason Still, Jan 23rd, 2008 @ 6:46pm

    There is money in phone system hacking

    There is most definitely money to be made in phone system hacking.

    1. Get some info about a business' bank accounts (via dumpster diving or some other method).
    2. Break into their phone system and set it up such that any calls from the bank go to you, and a call you make appears to come from the business.
    3. Call the bank and ask to have some money wired from the business account to some other account (probably overseas).
    4. The bank will ask you for some information (that you've managed to attain through nefarious means) and then will generally call the business' call back number they have on file, to verify that you were really calling from the business.
    5. The call will be routed to you. "Yep, this really is me and I'm really here at the business, go ahead and transfer that money."
    6. Undo your phone system changes and get away with a chunk of cash.

    This happened at a local bank where someone I know works, and if I recall correctly it actually happened more than once. They discovered the phone system link when another fraudulent wire was requested and after the call-back to verify the transfer they waited a few minutes and called the number again. This time it actually went through to the business and it was determined that no one at that location had called the bank or gotten a call from the bank at all that day.

     


  6.  
    Vinod, Jan 23rd, 2008 @ 7:03pm

    voip hacking is common - why is it a surprise?

    I am in the voip industry. I own and operate Direct Telco, LLC which is a wholesale voip telecommunication provider and I know of many cases in which a company's softswitch has been hacked because they have done stupid things, like keeping the root password on their server the default, etc...

    There has been some serious hacking where companies have tried to protect themselves. If this wasn't a serious issue you wouldn't have companies spending a ton of money on securing their network. There are a lot of "features" that many retail voip companies allow that can affect the end user, but for the most part it's companies that are affected by hackers, and not end customers - that being said, any service such as vonage, virtualpbx, etc... that allows call forwarding, or conferencing can be hacked. Anything can be hacked, the fact that they are using VOIP means nothing, it is just another thing that is hackable. For companies I recommend blocking ports on your servers that are common, port forward the ports that you need to, however you can't put voip servers behind firewalls because it causes too many problems. You have to be careful - too much security (hardware), between each server can affect quality, and not enough can put you out of business.

    For customers, however, I suggest working with reputable companies, and limit the amount of features that you don't use. Deactivate what you don't use, and if you use advanced features such as call forwarding or conferencing use passwords that are extremely hard for others to pick up, and don't save your passwords on computers where others have a chance to view it. Also remember if you do save these passwords on your computer that you only use, and it is hacked you will have problems as well.

    Just be careful - but the average customer doesn't need any new software, but the average VOIP business is already protecting themselves from hackers. If they didn't (at least in the most minimalistic way) - they would be out of business already.

     


  7.  
    John, Jan 23rd, 2008 @ 7:53pm

    Yep I bet it will be hacked

    Quite simply if they are saying with any confidence that it will be hacked then I wouldn't doubt that it is because they have already figured out how to hack it and this information may or may not leak out wink wink

     


  8.  
    Anonymous Coward, Jan 23rd, 2008 @ 9:03pm

    The real risk of VoIP hacking is to the networks themselves. This has already happened. A company in Florida routed all their customer calls through someone else's networks and pocketed the money received from customers. They have already been there, done that.

     


  9.  
    inc, Jan 24th, 2008 @ 6:39am

    what ever happened to phreaking lol

     


  10.  
    Anonymous Coward, Jan 24th, 2008 @ 8:23am

    We were hacked (sort of)

    At my company, someone from the outside gained enough access to use our internal VOIP system, and they used it to try and sucker people into giving up their system passwords (thus gaining access to a whole lot more). So, VOIP hacking is already a real problem.

     


  11.  
    chris (profile), Jan 24th, 2008 @ 11:30am

    voice is hard to parse, and deadly boring

    if i wireshark a network, i can create huge logs of text from all of the packets i've sniffed. spies call this "collection" while computing types call this "logging".

    i can then use grep to search those logs for interesting stuff and pass the results to more human readable logs. spies call this "analysis" while computing types call this "parsing". on computer networks, you are usually looking for lots of connections to a particular host, which indicates a server or a router, or all traffic to a known host, like a website or mail server.

    the problem with voice is that while recording makes it possible to "log" every second of VOIP conversation, there are not many useful and usable tools for "parsing" audio recordings for useful information. humans read significantly faster than they talk and computers read significantly faster than humans, so listening to audio is probably the slowest method of parsing.

    even in law enforcement wiretaps, someone has to listen to all the tapes in order to isolate the good stuff.

    so, unless you are snooping a very small network (like a home or a small business) and you were already interested in a known host on said network (say a former employer or love interest), chances are it will be very tough to locate something interesting in a VOIP conversation.

    also, it should be noted that while we all think our personal communications are wonderfully interesting, i would imagine that most people don't. when i have had full access to whole email servers i have found other people's mail to be mind-numbingly dull, i would imagine their phone calls to be doubly so.

     


  12.  
    Bah who needs one, Jan 24th, 2008 @ 6:41pm

    This article and others are tagged with "hacked". Another bunch are tagged with "hacking". These sets seem to be disjoint, but seem to really belong as a single collection.

    Either the system should be smart enough to consolidate tags with a shared root word by ignoring common suffixes and prefixes, including the -ed and -ing suffixes, or synonymous tags should be avoided in favor of standardizing on just one tag to use from each group of synonyms, a "normal form" of sorts. In this case I'd suggest retagging everything with "hacked" under "hacking" and always using "hacking" in the future for articles that deal with hacks.

    On a related note, retroactively tagging all the pre-2007 articles would be a good idea. Someone could work their way gradually backward tagging old articles. Simpler and nearly as effective would be to just take each tag used thus far and do a search of the site to find the older articles that should probably have the same tag, and add it to the ones where it does seem appropriate. Afterward, when a tag is used for the first time, the same procedure can be used to retroactively tag any relevant old articles with the newly-coined tag.

     


  13.  
    Anonymous Coward, Jan 25th, 2008 @ 8:06am

    Let's see the many ways that VoIP has already been "hacked"

    Caller ID. Already happened. Someone called 911 using someone else's phone number and reported they were being held hostage in New Brunswick, NJ. Police surrounded the house for 6 hours in their "standoff" until someone stuck their head out of the house wondering what the hell was going on. Later it was determined it was a "prank" (actually pretty funny)

    People have received calls from political operatives slandering a candidate and the caller ID shows it came from a politician (that one is pretty funny too)

    A Florida VoIP provider hacks into IDT's customer networks and routes his customers' calls through their phone network, thus providing his customers' calls for free (although he received the money from his customers). Over 10 million minutes of conversations were done this way.

    Hacking into VoIP really isn't all that hard because the providers did not secure it. Hacking VoIP is easier than hacking POTS because now you don't need direct access and you don't need to buy an expensive PBX. Software tools are all you need.

     


  14.  
    Tack Furlo, Jan 27th, 2008 @ 11:09pm

    Hello? Anybody Home?

    Over a year ago, Cain & Abel, a very popular hacking tool for windows, added a VoIP sniffer (or more correctly, a TCP/UDP audio stream sniffer that can determine if the audio is using one of the 5 or 6 major codecs used for voip) that allows any hacker with 2 cents of common sense to capture, decode, and listen to any VoIP calls going through the router they're connected to. I'm not sure what you mean by "cracked" but if you mean anyone with an old cheap windows laptop, wifi, and a free and very well known program can listen in, a.k.a. wiretap your calls from anywhere within wifi range, then yeah, it's been cracked almost since the day it was created.

    For those who'd like to have a look at it, check out http://www.odit.it/cain.html where you can download Cain & Abel and, if you spend 30 minutes to at most 2 hours (even for the dumbest of fools) you too can sniff a VoIP phone call. Works with skype too, I think.

     


  15.  
    Tack Furlo, Jan 27th, 2008 @ 11:11pm

    Correction

    Sorry, but even at 21 I still hunt and peck... *sigh* so here's the correct URL:

    http://www.oxid.it/cain.html

    Happy hacking.

     


