Interesting hacks on VoIP
Not surprisingly, hackers and penetration testers have been hard at work making convenient tools for launching attacks against common VoIP configurations. Disappointingly, the VoIP services supplied by many of the big vendors appear to be insecure by default. The best part of the article is the reported claim by one such vendor that "We are more secure than a regular phone line." I’m not even sure what they meant by that, but it made me laugh.
Which brings me to this cool-looking tool from Phil Zimmermann, which appears to intercept VoIP packets on the host in an attempt to negotiate agreed keys and encrypt traffic on the fly. Of course there’s the usual bootstrapping problem for the paranoid: if you haven’t exchanged some information (like a PGP key hash, I suppose) with the other party in advance, then you still can’t know if there’s a man-in-the-middle. And exchanging that information in advance in a truly secure way can be inconvenient at best. I’ve read that in the early days of PGP, people did face-to-face key-hash exchanges at crypto conferences! Good times.
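
The bootstrapping problem described above, as an added example that is not part of the original post and is not the tool's own protocol: a toy Diffie-Hellman call setup in Python where an on-path party substitutes its own public value, and only a fingerprint exchanged in advance lets the caller notice. The group parameters and the names `keypair`, `fingerprint`, `session_key`, `accept_peer` and `call` are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only; far too small for real use.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Return (private exponent, public value G^priv mod P)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def fingerprint(pub):
    """Short hash of a public value: what two parties would exchange in advance."""
    return hashlib.sha256(pub.to_bytes(16, "big")).hexdigest()[:16]

def session_key(priv, peer_pub):
    """Derive the traffic key from our private exponent and the value we received."""
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def accept_peer(received_pub, expected_fp=None):
    """Decide whether to use the received public value.
    Without a pre-exchanged fingerprint there is nothing to check it against."""
    if expected_fp is None:
        return True
    return secrets.compare_digest(fingerprint(received_pub), expected_fp)

def call(intercepted, alice_has_bob_fp):
    """Simulate one call setup; return (alice_accepts, both_ends_share_a_key)."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    _, m_pub = keypair()  # on-path party's own public value
    # When intercepted, each end receives the on-path party's value instead.
    seen_by_alice = m_pub if intercepted else b_pub
    seen_by_bob = m_pub if intercepted else a_pub
    expected = fingerprint(b_pub) if alice_has_bob_fp else None
    accepted = accept_peer(seen_by_alice, expected)
    same_key = session_key(a_priv, seen_by_alice) == session_key(b_priv, seen_by_bob)
    return accepted, same_key

if __name__ == "__main__":
    for intercepted in (False, True):
        for has_fp in (False, True):
            print(intercepted, has_fp, call(intercepted, has_fp))
```

The case to look at is an intercepted call with no fingerprint: the caller accepts the exchange even though the two ends do not share a key.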

