'Net pioneers sound security alarm over VoIP wiretaps
FCC has set next May 14 as the date service providers must comply with the federal law.
By
Tim Greene
,
Network World
, 06/19/2006
- Share/Email
- Tweet This
- Print
Making it possible for law enforcement to tap VoIP calls will open Internet security holes that could endanger corporate voice and data traffic, according to a report by a
group of respected Internet figures.
With the federal wiretapping law scheduled to apply to providers of VoIP next May 14, now is the time for businesses to evaluate
whether to take steps to counter the risks it represents, the experts say.
The report, "Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP," calls
CALEA wiretapping "an architected security breach" that could be exploited by unauthorized parties.
Given the difficulty of isolating voice packets among data packets mixed in a stream, even legitimate use of wiretaps will
inevitably result in capturing more than just the phone calls authorized by CALEA court orders, says David Endler, a director
of the Voice Over IP Security Alliance, an industry association focused on developing VoIP security standards. "How would
you limit it to voice? This apparatus would have to capture everything," he says.
With businesses embracing converged networks that carry voice and data, this puts more than phone calls at risk - instant messaging, e-mail and any corporate
transactions made over the Internet could be captured, the report says.
The report was written for the Information Technology Association of America, a trade organization, and its authors include
Internet pioneer Vint Cerf, public-key cryptography developer Whitfield Diffie and IETF security leader Steven Bellovin.
A wiretap is a vulnerability that others besides law enforcement could exploit, and the routers that would be tapped are not
kept uniformly secure, the panel notes. Typically these devices are less secure than phone switches in the traditional public
phone network, the authors say.
In the hands of malicious parties, a tap could grab any type of traffic passing through the router and be an access point
for man-in-the-middle attacks, in which data in a stream is altered. "By opening up the communications to an unacknowledged
third party, wiretapping is a designed security breach; the combination of wiretapping with remote delivery elevates the risk
that communications security can be violated with minimal risk of discovery," the report says.
Comments (1)
By Mcdaddy on September 16, 2009, 9:39 amSecurity system should be installed privately and should have a code for its users.
Reply | Read entire comment
View all comments