[VOIPSEC] VoIP and Banking Security
howethomas at aol.com
Wed Jun 22 22:15:26 CDT 2005
Hi Al -
Not to make you feel worse about this, but I think you could claim that
if you could get access to a PSTN phone, you'd have the exact same issue. I
mean, if you could record it, it is a trivial process to grab the DTMF
off of it. Now, I'll give you that it's probably easier to sniff a
local network than it is a phone line, but you could probably still do
both if you really wanted to. Today, the real question to ask is who
can sniff my packets, and why are they doing it? Sniffing packets is
easy on a LAN, somewhat harder for someone inside your service provider
to do (or even catch), even harder for anybody else in the world who's
not on your LAN or in your service provider chain. I know that
anonymity is a poor security mechanism, but in the real world, it is an
issue.
As I think about it, I wonder how I would go about sniffing your RTP
stream. I think I would mail you some sort of virus, and sniff your
network interface card. That is, assuming your RTP packets could be
seen from your computer. You might be using an Ethernet phone. Then, I
would have to figure out how to get that MAC address, figure out if you
have a hub or a switch, spoof it and then try to figure out what's
important from it. It seems like a lot of work for not a lot of
payback. How would I figure out when to start listening for your bank
information? I don't know - I know better ways to extract money from
you using VoIP than to try to grab your bank information. Maybe
somebody ought to try to sniff out somebody else's VoIP conversations
and see how hard it is.
That said, you can make the argument that VoIP could be more secure
than the PSTN, since you can encrypt the RTP stream by implementing
SRTP. In general, most vendors do not support SRTP, but then again,
it's very, very uncommon for anybody to be trying to sniff streams
(yet) and most vendors have this on their product plans somewhere.
Tom
================================
Thomas S. Howe
CTO - Versatel Networks - http://www.versatelnetworks.com
(508) 889-9959
Voice just got personal!
-----Original Message-----
From: Al <alanrice at comcast.net>
To: Voipsec at voipsa.org
Sent: Wed, 22 Jun 2005 11:52:29 -0700
Subject: [VOIPSEC] VoIP and Banking Security
Greetings,
New here, and yes, I did check the archives first.
I just finished a session with my bank using the touch pad on my phone.
When finished I dumped the packets captured during the transaction (using
ethereal). I was a little dismayed and a lot alarmed to see wherever the
protocol was RTP EVE that the numbers I pressed on the phone were visible in
the info field:
Payload type=RTP Event, DTMF Eight 8
I'm guessing that if I can sniff these packets, so can anyone else.
Anyone have any comments to calm my nerves?
Thanks,
Al
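The "RTP Event" line Al saw is an RFC 2833 telephone-event payload: four bytes following the 12-byte RTP header, carrying the event code (0 to 9 for the digits, 10 for *, 11 for #), an end bit, a volume and a duration. The following is an added example, not code from either poster, that builds a small constructed capture of such packets and decodes them exactly as a protocol analyzer would, so an auditor can confirm whether a trunk is carrying keypad digits in the clear. The payload type (101) is an assumption; in practice it is negotiated dynamically in SDP and varies per call. With the SRTP Tom mentions, the RTP header stays readable but the four payload bytes are encrypted, so this decoder would recover nothing from the same stream.

```python
"""Decode RFC 2833 telephone-event (DTMF) payloads from RTP packets.

Added example, not from the VOIPSEC thread. All packets below are
constructed in this file; nothing is read from a live network.
"""
import struct

# Assumption: the telephone-event payload type is negotiated in SDP and
# is not stated anywhere in the thread. 101 is a common dynamic choice.
TELEPHONE_EVENT_PT = 101
RTP_HEADER_LEN = 12  # fixed RTP header, before any CSRC list or extension

# RFC 2833 event codes 0-15: digits, star, pound, and the A-D keys.
EVENT_NAMES = {**{i: str(i) for i in range(10)},
               10: "*", 11: "#", 12: "A", 13: "B", 14: "C", 15: "D"}


def parse_rtp_header(packet: bytes) -> dict:
    """Parse the fixed RTP header and compute where the payload starts."""
    if len(packet) < RTP_HEADER_LEN:
        raise ValueError("packet shorter than fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:RTP_HEADER_LEN])
    version = b0 >> 6
    if version != 2:
        raise ValueError(f"unsupported RTP version {version}")
    hdr_len = RTP_HEADER_LEN + 4 * (b0 & 0x0F)  # skip CSRC identifiers
    if b0 & 0x10:  # X bit: a header extension follows the CSRC list
        if len(packet) < hdr_len + 4:
            raise ValueError("truncated RTP header extension")
        ext_words = struct.unpack("!H", packet[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_words
    return {"marker": bool(b1 & 0x80), "payload_type": b1 & 0x7F,
            "seq": seq, "timestamp": ts, "ssrc": ssrc, "header_len": hdr_len}


def decode_telephone_event(payload: bytes) -> dict:
    """Decode the 4-byte RFC 2833 event block: event, E/R/volume, duration."""
    if len(payload) < 4:
        raise ValueError("telephone-event payload is at least 4 bytes")
    event, flags, duration = struct.unpack("!BBH", payload[:4])
    return {"event": event, "digit": EVENT_NAMES.get(event, f"event-{event}"),
            "end": bool(flags & 0x80), "volume": flags & 0x3F,
            "duration": duration}


def extract_dtmf(packet: bytes, event_pt: int = TELEPHONE_EVENT_PT):
    """Return header+event fields for a telephone-event packet, else None."""
    hdr = parse_rtp_header(packet)
    if hdr["payload_type"] != event_pt:
        return None  # audio or some other payload; not a keypad event
    return {**hdr, **decode_telephone_event(packet[hdr["header_len"]:])}


def audit_capture(packets, event_pt: int = TELEPHONE_EVENT_PT) -> str:
    """Return the digits readable in clear text from a list of RTP packets.

    RFC 2833 repeats the final (E bit) packet of each event for robustness,
    so a digit is counted once per (SSRC, RTP timestamp) of its end packet.
    """
    digits, seen = [], set()
    for pkt in packets:
        info = extract_dtmf(pkt, event_pt)
        if info and info["end"]:
            key = (info["ssrc"], info["timestamp"])
            if key not in seen:
                seen.add(key)
                digits.append(info["digit"])
    return "".join(digits)


def build_rtp_event(event, seq, ts, ssrc, end=False, volume=10,
                    duration=800, pt=TELEPHONE_EVENT_PT, marker=False):
    """Construct one RTP telephone-event packet (V=2, no CSRC, no extension)."""
    header = struct.pack("!BBHII", 0x80, (0x80 if marker else 0) | pt, seq, ts, ssrc)
    payload = struct.pack("!BBH", event, (0x80 if end else 0) | (volume & 0x3F), duration)
    return header + payload


# Constructed capture: the digit 8 (as in the original post) then '#',
# each as a start packet, an update, and the end packet sent three times,
# with one PCMU audio packet (payload type 0) mixed in.
SSRC = 0x1234ABCD
SAMPLE_CAPTURE = [
    build_rtp_event(8, 1, 1000, SSRC, duration=160, marker=True),
    build_rtp_event(8, 2, 1000, SSRC, duration=320),
    build_rtp_event(8, 3, 1000, SSRC, end=True),
    build_rtp_event(8, 4, 1000, SSRC, end=True),   # end packet retransmitted
    build_rtp_event(8, 5, 1000, SSRC, end=True),   # end packet retransmitted
    struct.pack("!BBHII", 0x80, 0, 6, 1800, SSRC) + bytes(160),  # audio
    build_rtp_event(11, 7, 2600, SSRC, duration=160, marker=True),
    build_rtp_event(11, 8, 2600, SSRC, end=True),
    build_rtp_event(11, 9, 2600, SSRC, end=True),
]

if __name__ == "__main__":
    print("digits visible in clear text:", audit_capture(SAMPLE_CAPTURE))  # 8#
```

Running the module prints `8#`, the same information Ethereal put in its info column. The one edge case worth knowing when reading such a capture is the repeated end packet: counting every E-bit packet would report each key three times, so the audit keys on the SSRC and RTP timestamp, which RFC 2833 holds constant for the whole duration of one key press.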
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org