Page 1 of 1

security concern with freephoneline VOIP

PostPosted: 04/16/2011
by zollen
I am absolutely new to VOIP world and recently I joined the freephoneline.ca. I am living in Toronto. I have a number of questions regarding to freephoneline services and VOIP securities. They sent me a ATA model: Grandstream HT286

1. Does freephoneline.ca utilizes both RIP and SIP, for VOIP?
2. Does my voice stream get encrypted by default?
3. Does HT286 offer any voice encryption or VOIP securities?
4. Would other more expensive ATA model (i.e. PAP2-NA) offers better VOIP securities and voice encryption?
5. What can I do as an end user to improve my VOIP securities?
6. What kind of VOIP securities does freephoneline.ca currently provide?
7. If I use CIBC telephone banking (for example), should I be worried about being eavesdropped?

Re: security concern with freephoneline VOIP

PostPosted: 04/16/2011
by bridonca
zollen wrote:I am absolutely new to VOIP world and recently I joined the freephoneline.ca. I am living in Toronto. I have a number of questions regarding to freephoneline services and VOIP securities. They sent me a ATA model: Grandstream HT286

Good for you, I am sure you will enjoy the service.
zollen wrote:1. Does freephoneline.ca utilizes both RIP and SIP, for VOIP?

freephoneline.ca uses SIP for a VOIP protocol. Not sure what RIP is, RTP perhaps? If so, SIP also needs an available port for RTP.
zollen wrote:2. Does my voice stream get encrypted by default?

No
zollen wrote:3. Does HT286 offer any voice encryption or VOIP securities?

No.
zollen wrote:4. Would other more expensive ATA model (i.e. PAP2-NA) offers better VOIP securities and voice encryption?

No
zollen wrote:5. What can I do as an end user to improve my VOIP securities?

Use Skype instead. SIP is not a really secure protocol with the voice traffic. It's packets are very easy to sniff.
zollen wrote:6. What kind of VOIP securities does freephoneline.ca currently provide?

They make it hard for one to guess your password. The password is pretty secure, the voice traffic, not so much.
zollen wrote:7. If I use CIBC telephone banking (for example), should I be worried about being eavesdropped?

I suppose, but then again the plain old telephone service is not much more secure either, and that is what most people use for telephone banking.

Re: security concern with freephoneline VOIP

PostPosted: 04/18/2011
by FONGO_steve
This topic does not need to be sticky, I have changed it to a normal post...

Re: security concern with freephoneline VOIP

PostPosted: 04/19/2011
by Ice
I'll contribute by saying this... I think part of Freephoneline boils down to (1) what this product/service actually is all about; and (2) expectations you may have.

Freephoneline is a plain and public telephone service that happens to be run over VoIP. The technology itself is simple because it is plainly for voice/telephony. There are ways to make it secure, but Freephoneline being "free" simply has the barebones, and slowly growing to include more features. There are various methods to encapsulate and/or secure/encrypt your voice connection but they are not standard.

One good thing about the Freephoneline's in-security include the direct interaction and transparency you get with the community and staff. Nowhere else will you have this same level of transparency, whether with Bell, Telus, voip.ms, etc. I'm sure there are secure voice/telephony providers and you'll most likely be able to put much better faith in their systems and security, however, don't forget the huge premium you will be paying for the service.

Everything people said here holds true... I don't see a significant security risk over other traditional landline/POTS systems. I think it's possible to have an internet connection + ATA box but no functioning computer for general use (but rare). :)

Re: security concern with freephoneline VOIP

PostPosted: 06/10/2011
by Bloodsong
I'm a little late to this topic, but since I'm here, and network security is my background, I'll throw out a few tid-bits.

SIP is an open standards protocol, very transparent and easy to intercept and play with.
This being said, all of your traffic is essentially simple to intercept, if I have access to your network.
once it's "in the cloud" tracking any given information is next to impossible, each packet has the potential to be routed slightly differently depending upon the conditions of "the internet" between you and, in this case, freephoneline.

Truth is, most people do not have physical (perhapse wireless? I hope you use WPA2 with a secure password) access to your network. However all I need to listen to your phonecalls over POTS is a handset (not a complete phone, just the handset portion) and a pair of alligator clips, then to sit down with a hard-hat, orange vest, and toolbelt next to the phonebox down the street.

There is similarly depending on location, a high probability your calls are being recorded by your phone provider, and finally, police have an over-ride that allows them to bug/listen-in on anyone's POTS calls. (with a subpoena of course... but we all know the technology has been abused.)

So generally speaking, you are AT LEAST as secure as POTS... likely more.

There are projects like SIPS (Secure SIP, kind of like HTTPS) Where the SIP packets are encrypted using an SSL certificate. Of course, SIP is not what your voice is transferred by, and is often handled in relatively slow TCP packets. SIP is only a signalling technology, routing the calls to find User A and User B, ringing phones, transferring and all the other fun stuff.

The media/voice data is transferred over RTP, which also has a secure project called SRTP (See here: http://srtp.sourceforge.net/faq.html)
of course, security protocols and encapsulation methods add over-head which introduces it's own set of issues generally related to Quality of Service.

The easiest way to secure VoIP traffic is of course encapsulation (A secure tunnel) either from you to the far end use directly (avoiding a provider) or from you to your provider, where things will be viewed once more "in the clear" but avoids the possibility of sniffing between you and the provider.

Which brings the other issue in phone security in general.

As secure as your line might be, you are only as secure as the least secure portion of the call, be that your line, the other end of the call, or the provider in the middle. Generally speaking, I suggest you not worry about what happens to it outside your house because that's beyond your control.

When the SIP provider gets it and converts it to POTS/PSTN your security methods are instantly defeated anyway.

If you're not military you're probably over paranoid, if you need to worry about a particular conversation more than the average person, I suggest you find a way to have it in person, or write it in a complex cypher and mail/email it.

Re: security concern with freephoneline VOIP

PostPosted: 06/10/2011
by Jake
I might be missing something here, but when I was an engineer back in the UK I could clip a butt phone on any telephone line I could get hold of and hear what was being said on that line. In this respect I would have thought that VOIP was a bit harder for the general person to hear what is being said that any Joe who could open a street box and listen to any call he wanted to.

I must point out that I had full permissions to test the lines I clipped to, no wrong doing was done in any way, I had legit reasons for doing so.

Re: security concern with freephoneline VOIP

PostPosted: 06/10/2011
by bridonca
The general person does not know how to clip butt phones either, even though a 12 year old could do it. The only difference with VOIP is one can snoop in the comfort of their own home, and not necessarily even in the same country. Either way, there are better ways than telephone banking if security is valued.

Re: security concern with freephoneline VOIP

PostPosted: 05/22/2012
by kmichetti
So basically anyone with wireshark and my public ip address can intercept my calls, Correct?

Re: security concern with freephoneline VOIP

PostPosted: 06/24/2012
by zombie999
kmichetti wrote:So basically anyone with wireshark and my public ip address can intercept my calls, Correct?


Nope!

Re: security concern with freephoneline VOIP

PostPosted: 01/30/2016
by curt
Bloodsong wrote:So generally speaking, you are AT LEAST as secure as POTS... likely more.


According to the following article, VoIP is less secure than PSTNs:
http://www.techrepublic.com/article/security-of-voip-phone-systems-comes-up-short/

"...VoIP networks also appear to be more susceptible than PSTNs when it comes to eavesdropping. In his paper, Xin said, "Conventional telephone eavesdropping requires either physical access to tap a line, or penetration of a switch. With VoIP, opportunities for eavesdroppers increase dramatically because of the large number of nodes in the path between the connected nodes." "


Can someone explain why the article is wrong?

It also states:
"Use Encryption: Even simple encryption protocols offer a substantial improvement in security. Transport layer security is the preferred method."


The following article also recommends encryption, such as VPN:

http://www.designdata.com/wp-content/uploads/sites/321/whitepaper/top_ten_voip_security_issue.pdf

Does anyone have any opinions on VPN?

Re: security concern with freephoneline VOIP

PostPosted: 01/30/2016
by bridonca
If you can secure both ends of the conversation, encrypting your VOIP would make sense. But that is rarely possible. Because there are so many security holes in VOIP, even Skype, it is strongly recommended you assume your connection is insecure, and deal with that reality.