With VoIP rapidly becoming a commodity feature in everything from TV set-top boxes to barcode scanners, Sipera's VIPER Lab predicts that 2008 will be the year it all goes pear-shaped - a prediction borne out by Cisco's first security fix of the year. VIPER reckons that denial of service attacks and eavesdropping, using hacked …
Never mind the hacker....
beware the BOFH!!
And I ask myself......
"Fixed/Mobile convergence is also suggested as a security weakness, with telecos connecting their systems to IP networks but lacking the skills to maintain the security of such connections.".
..............would it help if we tattooed "Security" on their noses before they think of coming up with anything that has an IP address?
Brrrr it's chilly out there, Taxi!!!!!!
"Fixed/Mobile convergence is also suggested as a security weakness, with telecos connecting their systems to IP networks but lacking the skills to maintain the security of such connections."
Bingo on this one for French provider Free Telecom, and their unsupported SIP service (not so unsupported since it's the only way to have their Black and White phone work!). Read on here (in Voltaire language):
And this was half a month ahead of 2008. Rumours have it they restricted the SIP service to non-international after they realised some smart ass in their Morocco support teams had stolen SIP credentials from Free customers, to use them as a free tunnel to backcharge calls to their "customers".
Don't look for Free Telecom words on this, as they have yet, 2 months after the incident, to say anything about it.
Avoid 3rd party VOIP. If your own (real, not resold wholesale) ISP has VOIP, own voice gateway and ATA direct on WAN without user-accessible IP (typically on a 10.xxx.xxx.xxx inaccessible to users or Internet) then you likely have better QOS and better (total?) security.
If none of the network carrying the VOIP is accessible to the Internet, how can it be hacked.
Cable, Fibre, LLU based ATA/VOIP, and Digiweb Metro all tend to have this model of VOIP. It means no direct URI PC to PC calls, only calls to/from real numbers, though usually calls are free within an ISP and for PC to PC you can always revert to Skype...
already being done
2008 is the year, huh?
VoIP has been hacked for many years now - I've regularly shown folk with little/no understanding of the risk a nice VoIP call being grabbed and then replayed (in pseudo stereo with one caller coming out of left speaker and t'other out of right) - this is on proper switched networks - wifi ones are just as fun!
seriously, you NEED end-to-end encryption as a bare minimum.
"If none of the network carrying the VOIP is accessible to the Internet, how can it be hacked[?]"
Umm...by anyone on the inside?
More to the point, how can you be sure none of the network is accessible to the internet? Even if your IP phone has an internal address, its gateway is likely to be one port on a large router which also routes (and hence is accessible to) Internet traffic. It doesn't even need to be on the router; any device on that 10. network could have a second port on a public network.
An internal IP address is no guarantee of security.
Re: Some solution
>If none of the network carrying the VOIP is accessible to the Internet, how can it be hacked.
You are making the fatal error of assuming that all ISP customers are honest. Back when I ran networks a lot of the port-probes and hack attempts would come from within the ISP that we were using - and quite a few of them from corporate IP ranges.
And let's not discount cracks by the ISP staff themselves..
provided you/the ITSP are using SIP............... and most decent ITSPs should be by now or at least looking to move towards SIP....... many of the technical issues have already been solved by iptego.
Of course if someone is willing to hand over personal information to anyone who asks......... that's up to them