'Net pioneers sound security alarm over VoIP wiretaps

FCC has set next May 14 as the date service providers must comply with the federal law.

By Tim Greene , Network World , 06/19/2006

Share/Email
Tweet This
Comment
Print

Making it possible for law enforcement to tap VoIP calls will open Internet security holes that could endanger corporate voice and data traffic, according to a report by a group of respected Internet figures.

How soon will legal taps hit VoIP
The FCC has set May 14, 2007, as the date VoIP service providers must comply with the federal wiretapping law called Communications Assistance to Law Enforcement Act (CALEA), but the technical hurdles are high. Some of these:

•	There is no accepted architecture for VoIP taps.
•	Varying models of how VoIP services are supported make a single architecture unlikely and therefore making implementation more difficult.
•	Physically securing the switching and routing equipment so it is only tapped by legitimate parties.
•	Users can easily create new Internet identities making it difficult to target an individual's calls.
•	The delivery path of tapped calls to law enforcement creates a second path that unauthorized eavesdroppers could exploit.
•	Smart user devices make it more likely that taps will be discovered.
•	Minimizing the amount of traffic tapped to specific calls is very difficult and may mean capturing more than what has been authorized, possibly infringing on privacy laws.

Click to see: How soon will legal taps hit VoIP

With the federal wiretapping law scheduled to apply to providers of VoIP next May 14, now is the time for businesses to evaluate whether to take steps to counter the risks it represents, the experts say.

Eight Tips for Managing Higher Education Networks Security and Cost-Effectively: Download now

The report, "Security Implications of Applying the Communications Assistance to Law Enforcement Act to Voice over IP," calls CALEA wiretapping "an architected security breach" that could be exploited by unauthorized parties.

Given the difficulty of isolating voice packets among data packets mixed in a stream, even legitimate use of wiretaps will inevitably result in capturing more than just the phone calls authorized by CALEA court orders, says David Endler, a director of the Voice Over IP Security Alliance, an industry association focused on developing VoIP security standards. "How would you limit it to voice? This apparatus would have to capture everything," he says.

Related Content

With businesses embracing converged networks that carry voice and data, this puts more than phone calls at risk - instant messaging, e-mail and any corporate transactions made over the Internet could be captured, the report says.

The report was written for the Information Technology Association of America, a trade organization, and its authors include Internet pioneer Vint Cerf, public-key cryptography developer Whitfield Diffie and IETF security leader Steven Bellovin.

A wiretap is a vulnerability that others besides law enforcement could exploit, and the routers that would be tapped are not kept uniformly secure, the panel notes. Typically these devices are less secure than phone switches in the traditional public phone network, the authors say.

In the hands of malicious parties, a tap could grab any type of traffic passing through the router and be an access point for man-in-the-middle attacks, in which data in a stream is altered. "By opening up the communications to an unacknowledged third party, wiretapping is a designed security breach; the combination of wiretapping with remote delivery elevates the risk that communications security can be violated with minimal risk of discovery," the report says.