Will VoIP Finally Get Hacked?
from the we-shall-see... dept
Ever since VoIP first came on the scene, there were fear mongering reports saying that you shouldn't use VoIP because it will get hacked. However, in all these years, we've yet to hear a serious report of VoIP getting hacked -- and, even the scary warnings about VoIP hackers have quieted down. Yet, here we are, with a security company now claiming that 2008 will be the year that VoIP gets hacked. Of course, that security company is also selling a solution to prevent VoIP systems from getting hacked, so perhaps you should take the prediction with a rather large grain of salt. So which is it: is hacking VoIP networks not that easy? Is the fear overblown? Or have we just been lucky?Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: hacked, predictions, voip
Reader Comments
Subscribe: RSS
View by: Time | Thread
Why WOULD anyone hack VoIP?
You will eventually see it cracked, but likely not until the attack can be refined and targeted enough to be suitable for espionage purposes.
[ link to this | view in thread ]
[ link to this | view in thread ]
BFD?
If it bothers you, use an encrypted VPN. For everyone else the problem will go away by itself when we start migrating to IPV6, which includes built-in encryption.
I don't think luck has much to do with it.. most people's telephone conversations simply aren't that interesting.
[ link to this | view in thread ]
[ link to this | view in thread ]
There is money in phone system hacking
1. Get some info about a business' bank accounts (via dumpster diving or some other method).
2: Break into their phone system and set it up such that any calls from the bank go to you, and a call you make appears to come from the business.
3: Call the bank and ask to have some money wired from the business account to some other account (probably overseas).
4: The bank will ask you for some information (that you've managed to attain through nefarious means) and then will generally call the business' call back number they have on file, to verify that you were really calling from the business.
5. The call will be routed to you. "Yep, this really is me and I'm really here at the business, go ahead and transfer that money."
6. Undo your phone system changes and get away with a chunk of cash.
This happened at a local bank where someone I know works, and if I recall correctly it actually happened more than once. They discovered the phone system link when another fraudulent wire was requested and after the call-back to verify the transfer they waited a few minutes and called the number again. This time it actually went through to the business and it was determined that no one at that location had called the bank or gotten a call from the bank at all that day.
[ link to this | view in thread ]
voip hacking is common - why is it a suprise?
There has been some serious hacking where companies have tried to protect themselves. If this wasn't a serious issue you wouldn't have companies spending a ton of money on securing their network. There are a lot of "features" that many retail voip companies allow that can effect the end user, but for the most part it's companies that are affected by hackers, and not end customers - that being said, any service such as vonage, virtualpbx, etc... that allows call forwarding, or conferencing can be hacked. Anything can be hacked, the fact that they are using VOIP means nothing, it is just another thing that is hackable. For companies I recommend blocking ports on your servers that are common, port forward the ports that you need to, however you can't put voip servers behind firewalls because it causes to many problems. You have to be careful - too much security (hardware), between each server can effect quality, and not enough can put you out of business.
For customers, however, I suggest working with reputable companies, and limit the amount of features that you don't use. Deactivate what you don't use, and if you use advanced features such as call forwarding or conferencing use passwords that extremely hard for others to pickup, and don't save your passwords on computers where others have a chance to view it. Also remember if you do save these passwords on your computer that you only use, and it is hacked you will have problems as well.
Just be careful - but the average customer doesn't need any new software, but the average VOIP business is already protecting themselves from hackers. If they didn't (at least in the most minimalistic way) - they would be out of business already.
[ link to this | view in thread ]
Yep I bet it will be hacked
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
We were hacked (sortof)
[ link to this | view in thread ]
voice is hard to parse, and deadly boring
i can then use grep to search those logs for interesting stuff and pass the results to more human readable logs. spies call this "analysis" while computing types call this "parsing". on computer networks, you are usually looking for lots of connections to a particular host, which indicates a server or a router, or all traffic to a known host, like a website or mail server.
the problem with voice is that while recording makes it possible to "log" every second of VOIP conversation, there are not many useful and usable tools for "parsing" audio recordings for useful information. humans read significantly faster than they talk and computers read significantly faster than humans, so listening to audio is probably the slowest method of parsing.
even in law enforcement wiretaps, someone has to listen to all the tapes in order to isolate the good stuff.
so, unless you are snooping a very small network (like a home or a small business) and you were already interested in a known host on said network (say a former employer or love interest), chances are it will be very tough to locate something interesting in a VOIP conversation.
also, it should be noted that while we all think our personal communications are wonderfully interesting, i would imagine that most people don't. when i have had full access to whole email servers i have found other people's mail to be mind-numbingly dull, i would imagine their phone calls to be doubly so.
[ link to this | view in thread ]
Either the system should be smart enough to consolidate tags with a shared root word by ignoring common suffixes and prefixes, including the -ed and -ing suffixes, or synonymous tags should be avoided in favor of standardizing on just one tag to use from each group of synonyms, a "normal form" of sorts. In this case I'd suggest retagging everything with "hached" under "hacking" and always using "hacking" in the future for articles that deal with hacks.
On a related note, retroactively tagging all the pre-2007 articles would be a good idea. Someone could work their way gradually backward tagging old articles. Simpler and nearly as effective would be to just take each tag used thus far and do a search of the site to find the older articles that should probably have the same tag, and add it to the ones where it does seem appropriate. Afterward, when a tag is used for the first time, the same procedure can be used to retroactively tag any relevant old articles with the newly-coined tag.
[ link to this | view in thread ]
Caller ID. Already happened. Someone called 911 using someone elses phone number and reported they were being held hostage in New Brunswick, NJ. Police surrounded the house for 6 hours in their "standoff" until someone stuck their head out of the house wondering what the hell was going on. Later it was determined it was a "prank" (actually pretty funny)
People have received calls from political operatives slandering a candidate and the caller ID shows it came from a politician (that one is pretty funny too)
A Florida VoIP provider hacks into IDT's customer networks and routes his customers calls through their phone network, thus providing his customers calls for free (although he received the money from his customers) Over 10 million minutes of conversations were done this way.
Hacking into VoIP really isn't all that hard because the providers did not secure it. Hacking VoIP is easier than hacking POTS because now you don't need direct access and you don't need to buy an expensive PBX. Software tools are all you need.
[ link to this | view in thread ]
Hello? Anybody Home?
For those who'd like to have a look at it, check out http://www.odit.it/cain.html where you can download Cain & Abel and, if you spend 30 minutes to at most 2 hours (even for the dumbest of fools) you too can sniff a VoIP phone call. Works with skype too, I think.
[ link to this | view in thread ]
Correction
http://www.oxid.it/cain.html
Happy hacking.
[ link to this | view in thread ]