Researcher releases proof-of-concept VoIP hack
Potential Trojan listens and records on the network or at the ISP level
November 23, 2007 12:00 PM ETTechWorld.com - An expert has released a proof-of-concept program to show how easy it would be for criminals to eavesdrop on the VoIP-based phone calls of any company using the technology.
Called SIPtap, the software is able to monitor multiple voice-over-IP call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need to do would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at the Internet service provider level as well.
The program can index "IP-tapped" calls by caller -- using Session Initiation Protocol identity information -- and by recipient, or even by date. Running from August this year until the most recent tap on Nov. 21, SIPtap had no problem extracting enough information on the test network to prove that recording of any and every VoIP call at a hypothetical company is now a trivial exercise.
SIPtap demonstrates that the worst-case nightmares of VoIP vulnerability are now well within the capabilities of organized crime, which could use such a program to steal confidential data from companies, governments and even the police.
The program is the work of U.K.-based VoIP expert Peter Cox, who co-founded and served as chief technology officer at firewall vendor BorderWare Technologies Inc. Cox left the company last summer to start his own VoIP consultancy, which is expected to be up and running by next spring. He was inspired to write the software after conversations with encryption guru Phil Zimmermann, creator of Zfone; Zfone was designed to protect against SIPtap-like hacking by using VoIP call encryption.
"We are in the early days of VoIP, but there is a knowledge gap," said Cox, lamenting that the mostly telecommunications-oriented engineers building such systems are naive when it comes to VoIP's inherent security weaknesses. "Companies using VoIP internally think they are protected.
"The threat is that an attacker engineers a Trojan and has it sit there passively [on a network], recording calls from anywhere on the Internet," Cox added.
His advice is simple: "Apply the same vigor when building a VoIP network you would when building a Web site."
Cox is currently running a series of workshops on VoIP threats in conjunction with SIP Services Europe.
Reprinted with permission from
proof of concept
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Death to PST Files
Download Now
The Tangled Web: Silent Threats & Invisible Enemies
Download Now
Tape Killed the IT Guy
Watch Now
Forrester Consulting Mobility Study: Taking Control of Enterprise Mobile Device Diversity
Download Now
BRM: What You Can Do To Reduce Risk In Challenging Times
Watch this webcast now!
What IT Must Do to Support Employee-Owned BlackBerry, iPhone and Android Mobile Devices
Download Now
Web 2.0, Social Media and the Dark Web - A Web Criminals Paradise?
In this discussion, learn about the challenges of protecting your users from the potentially unsafe content hidden in the "Dark Web".
eGuide: Enterprise Security
Smart Security Strategies for 2010. Read now!
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...

