VoIP Planet
www.voipplanet.com
VoIPowering Your Office: Eavesdropping on VoIP Calls (Part 1)
July 30, 2007
By Carla Schroder

Just like with all TCP/IP traffic, it is easy for a snoopy person to sniff unencrypted VoIP packets and record your conversations. And don't think they won't. Remember the early days of cell phones, when people used ordinary police scanners to eavesdrop? Newt Gingrich, Nicole Kidman and Tom Cruise, Prince Charles, and hosts of other celebrities learned the hard way the value of using cell phones with strong encryption. It's not as easy to snoop wired IP traffic because you need physical access to the wires, but it's not that hard, either. Anyone on your network, anyone on other networks that you contact—and all points in between, including service providers—all have the opportunity to do an awful lot of juicy snooping. Throw in some poorly secured wireless access points, rogue wireless access points, or wireless VoIP endpoints, and you have a real security risk. While spying on other people's communications is mostly illegal, that's small comfort if it happens to you.

Eavesdropping on VoIP calls isn't as simple as sniffing ordinary TCP/IP traffic. For example, check out these snippets from running ngrep on an IRC session:

$ sudo ngrep -qpd eth0 host irc.server.org
interface: eth0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( host irc.server.org )

T 192.168.1.10:35776 -> 140.22.33.44:6667 [AP]
PRIVMSG #spychannel :see how easy it is to spy on ordinary cleartext TCP/IP traffic.

T 192.168.1.10:35776 -> 140.22.33.44:6667 [AP]
PRIVMSG #spychannel :just fire up easily-available tools like ngrep or tcpdump.

You won't see this in a VoIP call, but rather a bunch of incomprehensible gump. But recording intercepted VoIP traffic is easy—just run any packet sniffer and store it in a file. Actually listening to the calls is a bit harder—you need a way to reconstruct the actual voice conversation out of mass chunks of binary data. But there are plenty of freely available software programs that do it all for you: capture, reconstruct, and play VoIP conversations. These are excellent tools with a legitimate purpose, which is debugging call-quality and VoIP service problems. But just like a hammer, they can also be used for ill.

RTP and SIP
Let's take a quick look at RTP, the Real-time Transport Protocol. SIP (Session Initiation Protocol) is a signalling protocol. SIP handles the call control functions such as setting up the calls, tearing them down, and handling the call routing. SIP is a carrier for the Session Description Protocol (SDP) which defines the media content of a SIP session, such as what IP ports to use, and it negotiates which codecs to use. After all this housework is done, RTP carries the actual voice stream. So ace spies only need to capture RTP streams to get to the good stuff.
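The division of labor described above can be checked from the defender's side. The following is an added example, not code from the original article: it reads the port, transport profile and codecs that an SDP body negotiates, decodes the fixed RTP header (RFC 3550) of a packet, and reports whether the stream was negotiated as plain RTP. The SDP body, the RTP packet and all function names are constructed for illustration; the RTP/SAVP and RTP/SAVPF profile names (the SRTP profiles) come from the SDP standards, not from the article.

```python
import struct

# Constructed SDP body, as carried in a SIP INVITE (sample data, not from the article).
SAMPLE_SDP = ("v=0\r\no=alice 1 1 IN IP4 192.168.1.10\r\ns=-\r\n"
              "c=IN IP4 192.168.1.10\r\nt=0 0\r\n"
              "m=audio 49170 RTP/AVP 0 8\r\n"
              "a=rtpmap:0 PCMU/8000\r\na=rtpmap:8 PCMA/8000\r\n")
# Constructed RTP packet: version 2, payload type 0, seq 1, timestamp 160, 160 payload bytes.
SAMPLE_RTP = bytes([0x80, 0x00]) + struct.pack("!HII", 1, 160, 0x1234ABCD) + b"\xff" * 160

def parse_sdp_audio(sdp):
    """Return port, transport profile and codec map of the first audio stream."""
    info = {"port": None, "profile": None, "codecs": {}, "encrypted": False}
    in_audio = False
    for line in sdp.splitlines():
        if line.startswith("m="):
            in_audio = line.startswith("m=audio ") and info["port"] is None
            if in_audio:
                _, port, profile, *formats = line.split()
                info["port"] = int(port.split("/")[0])
                info["profile"] = profile
                info["codecs"] = {int(f): None for f in formats if f.isdigit()}
        elif in_audio and line.startswith("a=rtpmap:"):
            pt, name = line[len("a=rtpmap:"):].split(None, 1)
            if pt.isdigit() and int(pt) in info["codecs"]:
                info["codecs"][int(pt)] = name.strip()
    # RTP/AVP is plain RTP; RTP/SAVP and RTP/SAVPF are the SRTP (encrypted) profiles.
    info["encrypted"] = info["profile"] in ("RTP/SAVP", "RTP/SAVPF")
    return info

def parse_rtp_header(packet):
    """Decode the 12-byte fixed RTP header defined in RFC 3550."""
    if len(packet) < 12:
        raise ValueError("shorter than the fixed RTP header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    return {"payload_type": b1 & 0x7F, "marker": bool(b1 >> 7),
            "sequence": seq, "timestamp": ts, "ssrc": ssrc}

def audit_stream(sdp, packet):
    """Tie a captured RTP packet back to what SDP negotiated for it."""
    media, hdr = parse_sdp_audio(sdp), parse_rtp_header(packet)
    codec = media["codecs"].get(hdr["payload_type"]) or "unknown"
    state = "encrypted" if media["encrypted"] else "cleartext"
    return f"{codec} on port {media['port']}: {state}"

if __name__ == "__main__":
    print(audit_stream(SAMPLE_SDP, SAMPLE_RTP))
```

Run against SDP bodies from your own call setup logs, a "cleartext" result means the voice stream for that call is exposed to anyone on the path.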

Vomiting VoIP
One favorite VoIP recording tool, favored possibly more for the name than for its abilities, is VOMIT (Voice Over Misconfigured Internet Telephones). It only works on Cisco gear using the Cisco SCCP ("skinny") protocol, and it needs a separate tool to do the packet capture. So you might intercept a big chunk of the traffic you wish to spy on with tcpdump, then use VOMIT to convert it to a WAVE file which can be played on any computer.

Oreka is a more powerful VoIP capture tool, though its name is not quite so catchy. Oreka captures VoIP RTP sessions by passively listening to network packets, so you don't even know it's there. It has the ability to combine both sides of a conversation into a single audio file, and each call is captured into a separate audio file. It also captures the metadata from SIP and Cisco SCCP calls, which probably doesn't contain sensitive data, and can't be encrypted anyway or the SIP packets cannot be routed.

Oreka runs on both Linux and Windows, and it has a lot of nice features. You can filter on IP address or address ranges, it can monitor multiple network interfaces in parallel, and it has a nice Web control panel for retrieval and playback.

VoiPong is a powerful VoIP sniffer that runs on Solaris, Linux and FreeBSD. It supports SIP, H323, and Cisco's SCCP, and decodes all of the major codecs. VoiPong dumps calls into WAVE files for easy and fun playback. VoiPong even comes on a LiveCD now, so you can carry it with you and run it on any computer.

Is snooping really that easy?
Ha, you say, we only use VoIP internally and are on a nice stout switched network, so it would not be easy at all for our users to do VoIP snooping. I hope you're really not saying that, because "VoIPowering Your Office: Debugging SIP Sessions Without Excessive Hair Loss" showed how easy it is to capture remote network traffic without ever leaving your desk. Serious snoops know about arpspoof, which you can read all about in "Switched Net? dsniff It." arpspoof is part of the dsniff suite of packet-sniffing tools that do everything from allowing promiscuous network sniffing, to cracking passwords, to undetectably intercepting email messages, to spying on what Web pages other people are reading, and much more.

So the moral of this story is it's quite easy to spy on your VoIP traffic without you even knowing about it. What can you do about it? That's what we'll talk about in Part 2.
