I've been doing some research on VoIP Security. The encryption is
optional in VoIP, so your ISP should be able to tell you if they encrypt
VoIP conversations, and especially where. Tipically I think the
encryption is at the router level (so not directly in the telephone),
but it might be that your ISP is encrypting directly at their servers.
The IPSec(VPN) solution is not very used in my knowledge because it adds
much overhead to this time critical service.
The protocols specific to VoIP define several ways of encrypting
information and preserving confidentiality so technically your friend
might be safe. You shoud however ask your ISP about their encryption
(I'm quite interested myslef in the policiy of ISPs regarding VoIP).
And btw, please excusee my poor english
Mihai
Joshua Berry wrote:
There are programs out there capable of replaying VoIP sessions:
Vomit:
http://vomit.xtdnet.nl/
The vomit utility converts a Cisco IP phone conversation into a wave
file that can be played with ordinary sound players. Vomit requires a
tcpdump output file. Vomit is not a VoIP sniffer also it could be but
the naming is probably related to H.323.
I haven't found any others but it is definitely possible. VoIP travels
over IP and therefore can be encrypted through IPSec tunnels or other
means but I doubt most ISP's are doing that right now.
-----Original Message-----
From: Seth Art [mailto:sethart@gmail.com]
Sent: Wednesday, April 20, 2005 8:52 AM
To: security-basics@securityfocus.com
Subject: VoIP security
My coworker had an interesting question. She had to validate her
credit card number over the phone using her social and other sensitive
information. She has a VoIP router from her ISP. The question: Are
the VoIP packets encrypted as they go across the wire? Or can
someone sniffing in the right place capture all of that sensitive VoIP
traffic and reassemble her CC# and SS# from the tones? Is this
somethign that might be an issue in the future or is there already an
answer out there?
-Seth
