Security: Lack of response from customercare...
GardRailz
Full Forum Member
Joined: Jan 30, 2005
Posts: 73
Location: WV
Posted: Thu Feb 17, 2005 12:45 pm
kenn10 wrote:
GardRailz wrote:
If you'd like, I can provide a step by step demonstration of how easy it is utilizing free tools on the web... RTP is not encrypted, SRTP is the secure protocol.
If you'd like, I can take you to the cross-box and show you how to put your butt-set on a pair of wires and listen. We know it's un-encrypted. We know our POTS voice lines are unprotected. For every technology, there is some way to break it. Encrypted or not.
This is pointless to argue.
Vonage CS personnel are not network engineers and I don't expect them to know about all this. You clearly do so why berate them about it?
I guess I did come off a bit harsh. I apologize. It's just quite frustrating that people, even some engineers, fail to realise the security concerns with lack of encryption.
As far as a butt-set, yes, anyone can find a butt-set and climb a telephone pole, and if someone does have the guts to climb up a pole, and listen to someone's conversation, especially out in the public eye, they have more balls than I do. I'm just trying to illustrate how easy it is to capture data out on the internet. Anyone can do it... I just want to prove a point to Vonage, and its techs that no, RTP is not secure, and to stop telling customers that it is.
This could have been taken care of if customercare@vonage.com responded to my e-mail. Hopefully their engineers will see this thread, then check for e-mail "[vonage.com #1185886] Automated Response: Voip security concerns"
Again, I would like to apologize for coming off harsh, that wasn't really my intention. I guess after the maxwell smart comments, and snide comments I just got a bit short.... (that's still no excuse)
kenn10
Vonage Forum Master
Joined: Jun 07, 2004
Posts: 196
Location: Kennesaw, GA
Posted: Thu Feb 17, 2005 1:23 pm
GardRailz wrote:
This could have been taken care of if customercare@vonage.com responded to my e-mail. Hopefully their engineers will see this thread, then check for e-mail "[vonage.com #1185886] Automated Response: Voip security concerns"
Again, I would like to apologize for coming off harsh, that wasn't really my intention. I guess after the maxwell smart comments, and snide comments I just got a bit short.... (that's still no excuse)
Gardrailz, almost no company has decent customer service any more. Customers aren't willing to pay higher prices to support it. You should try calling my local DSL provider and asking a question. After the nice person in India tells you to reboot your modem and PC for the fifteenth time, you figure it out. That's why I switched to the cable company who has local people to tell you to reboot your modem and pc. LOL.
On a more serious note, posting what you did above just lets more criminals and soon to be criminals have an easy reference on how to tap phone calls. Not a good idea. Hopefully, the moderator will blot that portion out.
GardRailz
Full Forum Member
Joined: Jan 30, 2005
Posts: 73
Location: WV
Posted: Thu Feb 17, 2005 1:52 pm
kenn10 wrote:
GardRailz wrote:
This could have been taken care of if customercare@vonage.com responded to my e-mail. Hopefully their engineers will see this thread, then check for e-mail "[vonage.com #1185886] Automated Response: Voip security concerns"
Again, I would like to apologize for coming off harsh, that wasn't really my intention. I guess after the maxwell smart comments, and snide comments I just got a bit short.... (that's still no excuse)
Gardrailz, almost no company has decent customer service any more. Customers aren't willing to pay higher prices to support it. You should try calling my local DSL provider and asking a question. After the nice person in India tells you to reboot your modem and PC for the fifteenth time, you figure it out. That's why I switched to the cable company who has local people to tell you to reboot your modem and pc. LOL.
On a more serious note, posting what you did above just lets more criminals and soon to be criminals have an easy reference on how to tap phone calls. Not a good idea. Hopefully, the moderator will blot that portion out.
I'm glad someone realises how serious this is. When individuals state that RTP is secure, I was merely demonstrating how easy it is to decode packets. Sure, I'm sure there are laws to discourage this type of activity, but it doesn't prevent it from happening from a technical standpoint. All I ask is why didn't customercare respond to my original e-mail dated 02Feb2005 @ apx 21:51 EST.
This information is all over the web. Blotting it out here doesn't prevent the information from getting out. Security by obscurity is not the correct stance on security issues....
I want people to be aware of the security concerns, and by documenting this all here, hopefully Vonage, and its customers will take this seriously. I'm not trying to create criminals, I'm trying to prevent criminals from attacking Vonage's network.
kenn10
Vonage Forum Master
Joined: Jun 07, 2004
Posts: 196
Location: Kennesaw, GA
Posted: Thu Feb 17, 2005 2:00 pm
GardRailz wrote:
I'm not trying to create criminals, I'm trying to prevent criminals from attacking Vonage's network.
Maybe they're hiring.
tommy13v
Moderator
Joined: Dec 20, 2004
Posts: 230
Location: upstate NY
Posted: Thu Feb 17, 2005 2:01 pm
GardRailz wrote:
vonagebest wrote:
As far as I know it is secure...You have SIP which initiates the call and then RTP stream carries the call and is supposed to be encrypted.
You might be able to get the data, but piecing it back together might take a long time. The social security issue might get resolved first.
If you'd like, I can provide a step by step demonstration of how easy it is utilizing free tools on the web... RTP is not encrypted, SRTP is the secure protocol.
My network configuration is as follows:
Code:
    [cable modem]
          |
          | (eth0 public side)
    [linux Firewall]
          | (eth1 private side)
          |--------------------[vonage router]
          |
      |---------------|
      |               |
     [pc]            [pc]
On the Linux firewall, I used the following command before making a test phone call to an automated weatherline (301)797-9797
    tcpdump -i eth1 -s 1518 -w rtp.cap host 172.xx.yy.251
After issuing that command, I dialed the number, and listened on the line for ~ 6 seconds. I then killed the capture, and downloaded it to my local XP laptop.
After installing the latest version of ethereal, obtained from http://www.ethereal.com (http://www.ethereal.com/distribution/win32/ethereal-setup-0.10.9.exe) I opened the capture file by double clicking it....
After opening the file, the SIP protocol could be clearly seen; within the SIP protocol there's a handshake process, where the local device 'invites' the remote peer. This invitation looks like this:
Code:
    No.  Time      Source         Destination    Protocol  Info
    8    3.728364  172.31.31.251  216.115.25.57  SIP/SDP   Request: INVITE sip:13017979797@atlas4.atlas.vonage.net:5061, with session description

    Frame 8 (1275 bytes on wire, 1275 bytes captured)
    Ethernet II, Src: 00:12:17:de:d8:92, Dst: 00:02:b3:b3:0f:bd
    Internet Protocol, Src Addr: 172.31.31.251 (172.31.31.251), Dst Addr: 216.115.25.57 (216.115.25.57)
    User Datagram Protocol, Src Port: 5061 (5061), Dst Port: 5061 (5061)
        Source port: 5061 (5061)
        Destination port: 5061 (5061)
        Length: 1241
        Checksum: 0x03d3 (correct)
    Session Initiation Protocol
        Request-Line: INVITE sip:13017979797@atlas4.atlas.vonage.net:5061 SIP/2.0
            Method: INVITE
            Resent Packet: False
        Message Header
            Via: SIP/2.0/UDP 172.31.31.251:5061;branch=z9hG4bK-c1eb8f36
            From: 443-541-3368 <sip:14435413368@atlas4.atlas.vonage.net:5061>;tag=a7c6b5b382060016o0
                SIP Display info: 443-541-3368
                SIP from address: sip:14435413368@atlas4.atlas.vonage.net:5061
                SIP tag: a7c6b5b382060016o0
            To: <sip:13017979797@atlas4.atlas.vonage.net:5061>
                SIP to address: sip:13017979797@atlas4.atlas.vonage.net:5061
            Call-ID: a579d7b7-c0cba5e2@172.31.31.251
            CSeq: 102 INVITE
            Max-Forwards: 70
            Proxy-Authorization: Digest username="14435413368",realm="216.115.25.57",nonce="424760350",uri="sip:13017979797@atlas4.atlas.vonage.net:5061",algorithm=MD5,response="350e71218a20c3af9b24c59a3276f2ff"
            Contact: 443-541-3368 <sip:14435413368@172.31.31.251:5061>
            Expires: 240
            User-Agent: 001217DED892 Linksys/RT31P2-2.0.12(LI)
            Content-Length: 426
            Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER
            Supported: x-sipura
            Content-Type: application/sdp
        Message body
Both phone numbers can be clearly seen and are unencrypted. (This reinforces my previous statement about individuals being able to capture based on phone numbers dialed.) I could paste the actual text data contained in the RTP packets, but that would be useless considering it's audio data. This is how one would decode the data if one were to 'obtain a capture'.
1.) open up the capture file
2.) select the first RTP packet listed in the upper window (the window where a summary of the packets are listed) then click statistics in the menu bar, then select 'RTP' which is the fourth entry from the bottom. That menu will then expand into two additional options "Show All Streams, and Stream Analysis". Select stream analysis.
3.) Another window will pop up, with the name "Ethereal: RTP Stream Analysis", don't worry about the data contained in the window. Just look at the buttons down at the bottom of that window. Select the "Save Payload..." button, and specify a file name like "c:\file.au".
At this point, just double click the file (which is at the top of your C drive) and listen.
Congratulations, you just accessed unencrypted data, and have the ability to listen to any conversation you capture.
Here's a thread of an individual asking how to do what I just described:
http://www.vonage-forum.com/ftopic2705-0-asc-20.html
and here's a url on ethereal's website which describes what to do with the capture once you obtain it:
http://wiki.ethereal.com/RTP
and here's a capture file that you can cut your newly developed RTP decoding teeth on:
http://vomit.xtdnet.nl/phone.dump.gz
Speaking of unsecure is xxx-xxx-xxxx your real phone number?
Last edited by tommy13v on Thu Feb 17, 2005 2:13 pm; edited 1 time in total
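Added example, not part of the original thread or any poster's code: a defender-side check of what an INVITE like the one quoted above actually negotiates. It reads a constructed SIP message (placeholder hosts and numbers) and reports whether signalling is in the clear, whether media is plain RTP (`RTP/AVP`) rather than SRTP (`RTP/SAVP`), and whether an SDES `a=crypto` key would be exposed by unprotected signalling; the name `audit_invite` and the sample are assumptions.

```python
import re

# Constructed sample (placeholder hosts/numbers), shaped like the INVITE in the thread.
CLEARTEXT_INVITE = (
    "INVITE sip:15550100@sip.example.net:5061 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5061;branch=z9hG4bK-constructed\r\n"
    "From: <sip:15550199@sip.example.net:5061>;tag=constructed\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 10000 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

def audit_invite(message):
    """Hypothetical helper: list confidentiality gaps in one SIP INVITE + SDP offer."""
    head, _, sdp = message.partition("\r\n\r\n")
    via = re.search(r"^Via:\s*SIP/2\.0/(\w+)", head, re.M | re.I)
    transport = via.group(1).upper() if via else "UNKNOWN"
    findings = []
    if transport != "TLS":
        findings.append(f"signalling readable on the wire (transport {transport})")

    # Group SDP lines into media sections; each section starts at an m= line.
    sections = []
    for line in sdp.splitlines():
        if line.startswith("m="):
            sections.append([line])
        elif sections:
            sections[-1].append(line)

    for sec in sections:
        parts = sec[0][2:].split()
        if len(parts) < 3:  # malformed m= line: nothing to judge
            continue
        kind, profile = parts[0], parts[2]
        has_sdes_key = any(l.startswith("a=crypto:") for l in sec)
        if "SAVP" not in profile:
            findings.append(f"{kind}: {profile} is plain RTP, audio is not encrypted")
        elif has_sdes_key and transport != "TLS":
            findings.append(f"{kind}: SRTP key in a=crypto is exposed by clear signalling")
    return findings

if __name__ == "__main__":
    for finding in audit_invite(CLEARTEXT_INVITE):
        print(finding)
```

An offer that switches to `RTP/SAVP` with an `a=crypto` line but still travels over UDP is reported too, because the SRTP key is then sent in readable signalling.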
GardRailz
Full Forum Member
Joined: Jan 30, 2005
Posts: 73
Location: WV
Posted: Thu Feb 17, 2005 2:07 pm
tommy13v wrote:
<<<SNIP>>>
Speaking of unsecure is 443-541-3368 your real phone number?
Ah, someone that can read a capture
See how easy that was? Anyone can do it. Now, for grins and giggles, follow the steps with that test phone capture provided on the link provided in the post you just quoted.
Again, this is not to create criminals, this is to inform the public, and to make sure they are aware of how easy this is. Anyone can do this, just like tommy13v was able to read through the CIP header and determine what my alleged phone number is.
jlsoaz
Vonage Forum Junior
Joined: Feb 04, 2005
Posts: 28
Posted: Mon Mar 07, 2005 2:45 pm
GardRailz wrote:
tommy13v wrote:
<<<SNIP>>>
Speaking of unsecure is 443-541-3368 your real phone number?
Ah, someone that can read a capture
See how easy that was? Anyone can do it. Now, for grins and giggles, follow the steps with that test phone capture provided on the link provided in the post you just quoted.
Again, this is not to create criminals, this is to inform the public, and to make sure they are aware of how easy this is. Anyone can do this, just like tommy13v was able to read through the CIP header and determine what my alleged phone number is.
This seems like a worthwhile thread, although it ended several weeks ago. I, also, am concerned about security.
If there is some reasonable level of precaution that a non-technical person can take, then I would be interested to hear about it. Is calling out on my POTS line more secure than on my Voip line? I'll have to look into my options, under certain circumstances.
rlstjohn
Vonage Forum Master
Joined: Jan 27, 2005
Posts: 217
Location: Maryland
Posted: Mon Mar 07, 2005 2:57 pm
Actually, there is a program out there that will reconstruct all the RTP for you. Here is a quote from the website:
Cain & Abel v2.65 released
New features:
- Voip sniffer / recorder
Cain's sniffer can now extract audio conversations based on SIP/RTP protocols and save them into WAV files. The following codecs are supported: G711 uLaw, G711 aLaw, GSM, MS-GSM, ADPMC, DVI, LPC, L16, G729, Speex, iLBC. This feature is experimental, let me know your results.
check it out at http://www.oxid.it/
MrMike
Full Forum Member
Joined: Dec 29, 2004
Posts: 40
Location: Austin, TX
Posted: Mon Mar 07, 2005 4:30 pm
And that waitress I just gave my credit card to to pay for my meal is running a copy of my numbers and signature to go buy things with. The cable company is collecting all the channels I watch and things I record on the DVR for advertising and other nefarious purposes. The clerk at the grocery store is following me around to see that I buy chunky instead of creamy peanut butter. The bank teller that I make my deposit with is copying my signature and personal info to raid my account and rob me while I sit in the drive thru.
I think you said it best in your original post, you're paranoid. I mean really. If you are THAT worried about someone snooping your phone calls and invading your network and stealing your cc numbers maybe you shouldn't be using computers or credit cards?
talkisfree
New Forum Member
Joined: Mar 20, 2005
Posts: 6
Posted: Sun Mar 20, 2005 8:35 pm
Post subject: vonage will lose without security
GardRails, you have raised valid concerns. Vonage planners will not be smart to ignore security issue if they intend to grow their business.
Before I came across this forum, I searched the whole Vonage help section but found NOTHING on subjects of privacy and encryption for their Voip service. In the age of ID/credit card thefts that can take years to fix, those who are not concerned about security of their phone transactions are burying their heads in the sand in my view.
As things are, alternative is to keep both POTS and Voip for different uses but that is not cost effective in the end. I'll be inclined to drop my Vonage service if I didn't get satisfactory information about security of calls over Vonage service if it came to choosing between old phone and Vonage.
All times are GMT - 5 Hours