VoIPowering Your Office: Eavesdropping on VoIP Calls (Part 1)
As a prelude to discussing VoIP security, we examine a variety of readily available tools for snooping packet-based conversations.
Just like with all TCP/IP traffic, it is easy for a snoopy person to sniff unencrypted VoIP packets and record your conversations. And don't think they won't. Remember the early days of cell phones, when people used ordinary police scanners to eavesdrop? Newt Gingrich, Nicole Kidman and Tom Cruise, Prince Charles, and hosts of other celebrities learned the hard way the value of using cell phones with strong encryption. It's not as easy to snoop wired IP traffic because you need physical access to the wires, but it's not that hard, either. Anyone on your network, anyone on other networks that you contactand all points in between, including service providersall have the opportunity to do an awful lot of juicy snooping. Throw in some poorly secured wireless access points, rogue wireless access points, or wireless VoIP endpoints, and you have a real security risk. While spying on other people's communications is mostly illegal, that's small comfort if it happens to you.
Eavesdropping on VoIP calls isn't as simple as sniffing ordinary TCP/IP traffic. For example, check out these snippets from running ngrep on an IRC session:
$ sudo ngrep -qpd eth0 host irc.server.org
interface: eth0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( host irc.server.org )
T 192.168.1.10:35776 -> 188.8.131.52:6667 [AP]
PRIVMSG #spychannel :see how easy it is to spy on ordinary cleartext TCP/IP traffic.
T 192.168.1.10:35776 -> 184.108.40.206:6667 [AP]
PRIVMSG #spychannel :just fire up easily-available tools like ngrep or tcpdump.
You won't see this in a VoIP call, but rather a bunch of incomprehensible gump. But recording intercepted VoIP traffic is easyjust run any packet sniffer and store it in a file. Actually listening to the calls is a bit harderyou need a way to reconstruct the actual voice conversation out of mass chunks of binary data. But there are plenty of freely available software programs that do it all for you: capture, reconstruct, and play VoIP conversations. These are excellent tools with a legitimate purpose, which is debugging call-quality and VoIP service problems. But just like a hammer, they can also be used for ill.
RTP and SIP
Let's take a quick looks at RTP, the Real-time Transport Protocol. SIP (Session Initiation Protocol) is a signalling protocol. SIP handles the call control functions such as setting up the calls, tearing them down, and handling the call routing. SIP is a carrier for the Session Description Protocol (SDP) which defines the media content of a SIP session, such as what IP ports to use, and it negotiates which codecs to use. After all this housework is done, RTP carries the actual voice stream. So ace spies only need to capture RTP streams to get to the good stuff.
One favorite VoIP recording tool, favored possibly more for the name than for its abiltiies, is VOMIT (Voice Over Misconfigured Internet Telephones.). It only works on Cisco gear using the Cisco SCCP ("skinny") protocol, and it needs a separate tool to do the packet capture. So you might intercept a big chunk of the traffic you wish to spy on with tcpdump, then use VOMIT to convert it to a WAVE file which can be played on any computer.
Oreka is a more powerful VoIP capture tool, though its name is not quite so catchy. Oreka captures VoIP RTP sessions by passively listening to network packets, so you don't even know it's there. It has the ability to combine both sides of a conversation into a single audio file, and each call is captured into a separate audio file. It also captures the metadata from SIP and Cisco SCCP calls, which probably doesn't contain sensitive data, and can't be encrypted anyway or the SIP packets cannot be routed.
Oreka runs on both Linux and Windows, and it has a lot of nice features. You can filter on IP address or address ranges, it can monitor multiple network interfaces in parallel, and it has a nice Web control panel for retrieval and playback.
VoiPong is a powerful VoIP sniffer that runs on Solaris, Linux and FreeBSD. It supports SIP, H323, and Cisco's SCCP, and decodes all of the major codecs. VoiPong dumps calls into WAVE files for easy and fun playback. VoiPong even comes on a LiveCD now, so you can carry it with you and run it on any computer.
Is snooping really that easy?
Ha, you say, we only use VoIP internally and are on a nice stout switched network, so it would not be easy at all for our users to do VoIP snooping. I hope you're really not saying that, because VoIPowering Your Office: Debugging SIP Sessions Without Excessive Hair Loss showed how easy it is to capture remote network traffic without ever leaving your desk. Serious snoops know about arpspoof, which you can read all about in Switched Net? dsniff It. arpspoof is part of the dsniff suite of packet-sniffing tools that do everything from allow promiscuous network sniffing, to cracking passwords, to undetectably intercepting email messages, to spying on what Web pages other people are reading, and much more.
So the moral of this story is it's quite easy to spy on your VoIP traffic without you even knowing about it. What can you do about it? That's what we'll talk about in Part 2.