[kwlug-disc] voip.ms - tos? [Was: VoIP - Even without a server]

Mon Feb 14 12:27:29 EST 2011

One good example of eavesdropping is debugging a voip connection. We had a 
customer with audio quality issues that couldn't articulate how it was bad. 
It was also hard to determine from the user the degree of the problem.

With their knowledge we ran pcapsipdump and captured all the packets for 
each call. Later using wireshark we inspected a call that was reportedly 
bad. We extracted the audio with a few clicks and listened to it.

We used "appropriate" access.

----- Original Message -----
From: kwlug-disc-bounces at kwlug.org <kwlug-disc-bounces at kwlug.org>
To: KWLUG discussion <kwlug-disc at kwlug.org>
Sent: Mon Feb 14 12:08:31 2011
Subject: Re: [kwlug-disc] voip.ms - tos? [Was: VoIP - Even without a server]

On Mon, 2011-02-14 at 11:09 -0500, unsolicited at swiz.ca wrote:
> On Sun, 13 Feb 2011 09:10:37 -0800 (PST), Raul Suarez <rarsa at yahoo.com>
> wrote:
> > This one falls into the "I should have know this before!!!" category.
> >
> > You don't need an Asterisk server to use a DID !! (d'oh)
> .
> .
> .
> > Something that I wasn't expecting, was total honesty. I read the Terms
> of
> > service and they are very clear: "VoIP.ms does not pretend to offer 100%
>
> > reliable service ... The customer shall not use this service as their
> sole
> > call
> > termination service".
>
> As I said, thank for pointing this out.
>
> Reading through their terms of service https://www.voip.ms/tosshort.php
> ...
>
>
> 1. ... The customer understands that VoIP.ms does not guarantee any
> privacy on the communications through VoIP.ms. ...
>
>     The lack of privacy assurance was a little startling. I wonder if
> that's an issue in this day and age. AFAIK, with landlines, there are
> privacy protections built in. Further, if you cross into the U.S.A.
> [voip.ms, or softvox, is Montreal, Quebec based, so I would hope not an
> issue for Canadian source and destination calls], presumably one enters 
> the
> realm of the Patriot Act and is open to wiretapping. Hmmm.
>

VoIP is not telephony.  VoIP is internet traffic.  In order to eavesdrop
on a SIP call (non-SRTP) all you need is packet sniffer and
(in)appropriate network access from someone who is on the route.  A VoIP
call is as secure as sending an e-mail.  Any device that you can imagine
for trolling the internet for keywords can easily be modified to troll
through VoIP calls as well.

I do not know of any VoIP providers that support secure RTP (SRTP)
connections (which would only secure connections to/from the provider).
Asterisk supports SRTP in the development version.  It should be
available in version 1.8.  I do not know about FreeSwitch.  Various SIP
phones support SRTP as well.  In the end, unless you trust/control both
endpoints of a call, your VoIP call is not going to be truly secure.