Encryption

Postby voipy » 11/05/2020

I have been a user of Freephoneline for years and like the service overall, but I am concerned about privacy and security.

Whereas much of the internet has shifted to using encryption over the internet in the past decade, VOIP telephone service providers including Freephoneline haven't kept up with the remainder of the industry. I think that it is time for Freephoneline to play catch up. Currently, there isn't encryption. This means our plain text SIP login information can be intercepted, our call metadata can be intercepted (e.g. information that the whistle was blown on the US government for illegally collecting), and our conversations aren't secure when transmitted to/from Freephoneline.

Requests:
-Adopt SIPS and SRTP functionality to securely transmit login/passwords, call metadata, and conversations to/from Freephoneline.
-Add functionality to Freephoneline's website to enable users to change the SIP password, which may be compromised due to being transmitted unencrypted.
-Add encryption to this forum. This is the only website with a login/password that I know of, which doesn't employ encryption.

Reference
https://www.pcmag.com/news/voips-big-security-problem-its-sip

Additional reference (example of financial risk to Freephoneline users if malicious parties were to use our accounts to call toll lines):
https://betanews.com/2020/11/05/hackers-exploit-voip-vulnerability/
voipy
Just Passing Thru
 
Posts: 2
Joined: 11/05/2020

Re: Encryption

Postby bridonca » 11/06/2020

If you are concerned about privacy and security, you should not be doing VOIP at all, or even telecom. Too many holes. The problem is that these technologies you reference do not address the problem very well.


I will try to address your concerns.

-Adopt SIPS and SRTP functionality to securely transmit login/passwords, call metadata, and conversations to/from Freephoneline.

On the surface, that sounds like a great idea. But the old system is holding up well. On your end you can set up an encrypted tunnel yourself, but if the other end of your conversation is totally unencrypted, what is the point? Other companies do a better job at secure communications than Fongo ever will, so it is easier to go there. It is not a market Fongo is going to make money on.


-Add functionality to Freephoneline's website to enable users to change the SIP password, which may be compromised due to being transmitted unencrypted.

That is not a bad idea. I never had to use it though because of firewall rules on my router. If you are using it in an environment where you are hacked often, a password change is not going to help. You would have better success if you set up firewall rules to certain IP addresses. That way, the bad actor would have to have the right IP address to get to your Freephoneline account.


-Add encryption to this forum. This is the only website with a login/password that I know of, which doesn't employ encryption.

We have volunteer moderators here that actively deal with issues that arise. Encryption does not get rid of a spammer, for example. As an open forum, there is no need to encrypt anything, and there is nothing to gain hacking another member's account. Security by obscurity actually works if there is no incentive to hack.
bridonca
Technical Support
 
Posts: 1225
Joined: 11/16/2009
SIP Device Name: Netgear WGR615V
Firmware Version: latest
ISP Name: Eastlink
Computer OS: XP

Re: Encryption

Postby Liptonbrisk » 11/06/2020

Although usernames are sent in cleartext, Freephoneline SIP passwords are not. They are hashed. I'm also seeing a randomized nonce value in my log capture, which is normal.
That's the standard for most SIP services: MD5 hashes are compared and not the actual password in cleartext. It seems to me that anyone who has used SIP or Freephoneline and claims to know anything about security would realize this.

Yes, I wouldn’t mind being able to change my own SIP password without having to submit a ticket.

Even if you encrypt traffic between you and the SIP provider, once the call reaches PSTN, it's unencrypted and can be easily tapped. If telephone wires are hanging overhead, it would be simple for someone who knows what to do to tap into your calls. You can encrypt VoIP calls (so that one side of the call is encrypted), but once they hit POTS or another VoIP network, encryption ends. There's rarely end-to-end encryption. If one end of the call is a VoIP call with a secured router being used, for simplicity, it would probably be easier to simply pick the other end to tap. So just because one end of the call is encrypted doesn't mean someone can't capture it on the other or collect data about the call, regardless. I would warn against someone gaining a false sense of security just because one end of the call is encrypted.

https://forums.redflagdeals.com/voip-se ... #p14632893
Pianoguy wrote: No, landlines are completely insecure, and in my opinion significantly less secure than VoIP. Attaching an FM transmitter to the phone line entering your premises would take moments, and if I wore a shirt with the phone company's logo, no one would know the difference. It would be more difficult if the lines to your house were buried and/or you lived in an apartment or townhouse, but not impossible.



and

Pianoguy wrote: VoIP is typically not encrypted because the PSTN is also unencrypted. Even if a VoIP provider were to employ encryption, they would only be able to encrypt the portion of the call traveling from you to their media gateway. Then they would have to decrypt it to send the call to their carrier. The general consensus is that this would create too much overhead for little to no benefit.

If you do need encryption because your conversations are particularly sensitive or you need to be protected from liability, one common way to do it is set up a VPN between the two locations, and connect your VoIP devices together over the VPN. However, this requires setup at each end.

If you don't want to use encryption, customary network security practices still apply. For example, don't leave your router and VoIP equipment in a publicly accessible place, place your VoIP equipment behind a firewall, don't forward ports or use DMZ, use encryption if you use wi-fi, don't use an outdoor-mounted demarc, run antivirus software on your computer, etc, etc.

EDIT: A commonly overlooked security practice is to use a restricted cone NAT router. If your router is of the full cone NAT type, it's less secure, because it works as if you were using port forwarding. To test your router, use this utility: http://www.dslreports.com/forum/remark,22292023


In order to be at risk with the toll lines mentioned, FPL users would first need World Credits on their account, which I suspect many FPL users don't. Consequently, targeting FPL users would be relatively worthless overall, unlike targeting customers from services that either do not require existing funds on an account to place calls outside of Canada (Bell landlines or postpaid mobility services) or from services where money must always be present on the account in order to use it to make any outgoing call. FPL does not operate in that manner, which should be patently clear to anyone who has experience with Freephoneline.
Please do not send me emails; I do not work for nor represent Freephoneline or Fongo. Post questions on the forums so that others may learn from responses or assist you. Thank you. If you have an issue with your account or have a billing issue, submit a ticket here: https://support.fongo.com/hc/en-us/requests/new. Visit http://status.fongo.com/ to check FPL/Fongo service status. Freephoneline setup guides can be found at viewforum.php?f=15.
Liptonbrisk
Technical Support
 
Posts: 2760
Joined: 04/26/2010
SIP Device Name: Obihai 202/2182, Groundwire
Firmware Version: various
ISP Name: FTTH
Computer OS: Windows 64 bit
Router: Asuswrt-Merlin & others

Re: Encryption

Postby voipy » 11/16/2020

Liptonbrisk wrote:Although usernames are sent in cleartext, Freephoneline SIP passwords are not. They are hashed. I'm also seeing a randomized nonce value in my log capture, which is normal.
That's the standard for most SIP services: MD5 hashes are compared and not the actual password in cleartext. It seems to me that anyone who has used SIP or Freephoneline and claims to know anything about security would realize this.


MD5 hashes are compromised. This may have been an acceptable practice a decade ago, but there are well established security vulnerabilities with the existing practice. With the majority of internet traffic likely secured with TLS, it's unclear to me why anyone would be defending being low hanging fruit for being hacked, which is the status quo. Using SIPS would at least secure our passwords, so that our accounts couldn't be compromised to make phone calls (e.g. which could drain the balance of a user's account while making international long distance calls).

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.md5?view=net-5.0
https://en.wikipedia.org/wiki/MD5


Pianoguy wrote:VoIP is typically not encrypted because the PSTN is also unencrypted. Even if a VoIP provider were to employ encryption, they would only be able to encrypt the portion of the call traveling from you to their media gateway. Then they would have to decrypt it to send the call to their carrier. The general consensus is that this would create too much overhead for little to no benefit.


Times change, and as of September 30, 2021, carriers in Canada are mandated by the CRTC to adopt STIR/SHAKEN, which employs SIP trunking to ensure call authenticity (i.e. there will be a chain of authentication for calls originating from Canadian/US phone numbers).

https://crtc.gc.ca/eng/archive/2019/2019-402.htm


bridonca wrote:As an open forum, there is no need to encrypt anything, and there is nothing to gain hacking another member's account. Security by obscurity actually works if there is no incentive to hack.


I think you're missing the point. Encryption protects information being transmitted, such as login and user names. The fact of the matter is that many people (not myself anymore) recycle passwords. If you recall this year, thousands of CRA accounts were compromised due to logins/passwords from a compromised site being re-used to login to the CRA's website. Encryption would protect against man-in-the-middle interception of information transmitted in plain text. Considering that obtaining the certificates necessary to encrypt a website is free (e.g. https://letsencrypt.org/), it is unclear to me why the status quo is being defended.

https://www.cbc.ca/news/politics/canada-revenue-agency-cra-cyberattack-1.5688163
Last edited by Liptonbrisk on 11/17/2020, edited 2 times in total.
Reason: clarity for who is being quoted
voipy
Just Passing Thru
 
Posts: 2
Joined: 11/05/2020

Re: Encryption

Postby Liptonbrisk » 11/17/2020

voipy wrote:
MD5 hashes are compromised.


This means our plain text SIP login information can be intercepted


I have been a user of Freephoneline for years


Yet this information seems new to you. You weren't aware SIP passwords being hashed is standard practice. Otherwise you wouldn't have made that statement so glibly. And now you're making no reference to using a randomized nonce. That is, the hash value isn't the same for each session. You can't just capture a session and resend it to login. Nonce, in this case, is an MD5 unique string used for each registration session and generated from a secret phrase and time stamp. The nonce value has limited longevity and can't be used again. As such, the method of attempting to produce collisions and then authenticate is unlikely to work, and, in turn, you don't appear to understand the content of the links you're posting nor SIP authentication. What other methods could I try? FPL SIP passwords are not real words. Consequently, dictionary attacks are ineffective. Would a brute force attack work? Yes, but it would likely take several months, at best. Actually, I think it would take years due to temporary IP bans. In other words, brute force would be tedious.

so that our accounts couldn't be compromised to make phone calls

being low hanging fruit


Having used this service for more than 10 years while lurking around here and elsewhere -- and now being a volunteer moderator -- I can tell you that the majority of people who have their world credits drained, which is rare, are port forwarding, using DMZ, otherwise using insecure routers, or having their website portal username and passwords compromised due to a fault of their own making. In other words, no, the "low hanging fruit" is hardly randomized hashes. And unless I had tons of World Credits (I don't), the payoff would be small. Trying to obtain FPL SIP passwords from MD5 hashes is laughable, unless the sole purpose is to prove it can be done; the cracker would have to be an absolute fool.

Would I like to be able to change my own SIP password without having to submit tickets? Sure.

Am I against FPL offering encryption? No. Why wouldn't I want more features? But it wouldn't be useful for 95% of my calls (I can encrypt my end if I want right now anyway) because the other end would remain unencrypted.

Do I think that will happen? No. FPL is pretty much out of development for features. If anything (I'm doubtful), it might be introduced for Fongo Home Phone or Fongo Mobile users first. There's no profitable incentive, unless they were to charge money to access that feature. They would need a certain number of customers willing to pay for that feature as well before the cost of implementing it breaks even. Adding that feature would need to attract paying customers. Another popular SIP service did introduce encryption not too long ago, and I'm still uninterested in using that service more frequently than I have in the past.

Am I deathly afraid of my SIP Password being hacked? No.

Times change


The context is the media gateway. Nothing you've written changes the fact that conversations are completely unencrypted when they're sent to PSTN. At best, you've introduced a red herring, which you might not have done had you understood the context of what you were responding to.

Returning to your original post. . .

our conversations aren't secure


Your conversations aren't secure no matter what you do once they reach the PSTN. You either have end to end encryption, or you don't. Encrypting one end of the call does not make it secure, but it can provide someone with a false sense of security.


With respect to this forum, and this opinion is my own, I would prefer to see https, at the very least, and am very sympathetic to your criticism. However, I note that didn't deter you from creating an account and posting here, which begs the question why (unless there's some sort of agenda for promoting another service) since if you really want your voice heard, you could submit a ticket instead of posting on a forum that you have strong concerns about involving security and one that employees are not obliged to read. They might read your post, and they may claim they monitor these forums. But if you want to make sure that at least one employee reads your suggestions, I would submit a ticket: https://support.fongo.com/hc/en-us/requests/new. I'm not sure if my stating anything further regarding security and this forum would be frowned upon by an admin, so I'll just leave it at that. But the criticism certainly isn't new, and years later, nothing has changed. Also, I edited your post to show you were responding to bridonca, originally, about the forum.
Liptonbrisk
Technical Support
 
Posts: 2760
Joined: 04/26/2010
SIP Device Name: Obihai 202/2182, Groundwire
Firmware Version: various
ISP Name: FTTH
Computer OS: Windows 64 bit
Router: Asuswrt-Merlin & others
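
The SIP Digest exchange that Liptonbrisk describes in the two posts above (a hashed response computed from the password and a per-session nonce, so the password itself never crosses the wire and a captured response cannot simply be replayed) can be seen end to end in the following added example. This is illustration code written for this thread, not code from the forum, from Freephoneline or from any SIP stack. The realm, username, password and server secret are constructed values, and the nonce layout (issue time plus an HMAC tag, single use, short lifetime) is an assumed construction in the spirit of the RFC 2617 suggestion, not the layout any particular server uses.

```python
# Added example: SIP Digest authentication (RFC 3261, which uses the RFC 2617
# scheme) with a timestamped, HMAC-protected, single-use nonce.
# All credentials, realms and the server secret below are constructed for
# illustration; they are not Freephoneline/Fongo values, and the nonce layout
# is an assumed construction, not the one any particular server uses.
import hashlib
import hmac


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server can store this instead of the password."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri, nonce):
    """Client side: response = MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri).
    Only this hash is sent; the password string itself never appears on the wire."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1(username, realm, password)}:{nonce}:{ha2}")


def authorization_header(username, realm, password, method, uri, nonce):
    """The Authorization header a SIP client sends after a 401 challenge."""
    response = digest_response(username, realm, password, method, uri, nonce)
    return (f'Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{nonce}", uri="{uri}", response="{response}"')


class SipRegistrar:
    """Minimal server side: issues nonces, verifies responses, rejects replays."""

    def __init__(self, realm: str, nonce_secret: bytes, ha1_by_user: dict, max_age: int = 60):
        self.realm = realm
        self.nonce_secret = nonce_secret
        self.ha1_by_user = ha1_by_user   # username -> HA1; no plaintext passwords kept
        self.max_age = max_age           # seconds a nonce stays acceptable
        self.used_nonces = set()         # nonces already consumed by a successful login

    def _tag(self, issued_at: str) -> str:
        return hmac.new(self.nonce_secret, issued_at.encode(), hashlib.sha256).hexdigest()

    def challenge(self, now: int) -> str:
        """Nonce = issue time plus an HMAC over it, so a client cannot mint or alter one."""
        return f"{now}:{self._tag(str(now))}"

    def nonce_is_fresh(self, nonce: str, now: int) -> bool:
        try:
            issued_at, tag = nonce.split(":", 1)
            age = now - int(issued_at)
        except ValueError:
            return False                 # malformed nonce
        if not hmac.compare_digest(tag, self._tag(issued_at)):
            return False                 # forged or tampered nonce
        return 0 <= age <= self.max_age and nonce not in self.used_nonces

    def verify(self, username, method, uri, nonce, response, now: int) -> bool:
        if not self.nonce_is_fresh(nonce, now):
            return False                 # expired, replayed, or not issued by us
        stored_ha1 = self.ha1_by_user.get(username)
        if stored_ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{uri}")
        expected = md5_hex(f"{stored_ha1}:{nonce}:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False                 # wrong password (wrong HA1) or altered request
        self.used_nonces.add(nonce)      # one successful use per nonce
        return True


def demo():
    """One REGISTER exchange followed by a replay of the same captured response (constructed data)."""
    realm, user, password = "sip.example.invalid", "5551234567", "constructed-password"
    registrar = SipRegistrar(realm, b"constructed-nonce-secret", {user: ha1(user, realm, password)})
    uri, t0 = f"sip:{realm}", 1_600_000_000
    nonce = registrar.challenge(t0)                       # server's 401 challenge
    header = authorization_header(user, realm, password, "REGISTER", uri, nonce)
    response = digest_response(user, realm, password, "REGISTER", uri, nonce)
    first = registrar.verify(user, "REGISTER", uri, nonce, response, now=t0 + 5)
    replay = registrar.verify(user, "REGISTER", uri, nonce, response, now=t0 + 10)
    return {"password_on_wire": password in header, "first_login": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The point the example makes concrete is the one argued in the thread: what an observer of unencrypted SIP sees is the username, the nonce and a hash bound to that nonce, not the password, and the registrar refuses the same response a second time or against a later nonce. It equally shows what Digest does not give you: the exchange is still visible, so the username and call signalling are exposed, and a captured response is still material for offline guessing of a weak password, which is why the strength of the SIP password and the ability to rotate it matter even without SIPS.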

