GardRailz
Full Forum Member
Joined: Jan 30, 2005
Posts: 73
Location: WV

Posted: Thu Feb 17, 2005 12:45 pm

kenn10 wrote:
GardRailz wrote:
If you'd like, I can provide a step by step demonstration of how easy it is utilizing free tools on the web... RTP is not encrypted, SRTP is the secure protocol.

If you'd like, I can take you to the cross-box and show you how to put your butt-set on a pair of wires and listen. We know it's un-encrypted. We know our POTS voice lines are unprotected. For every technology, there is some way to break it. Encrypted or not.

This is pointless to argue. Vonage CS personnel are not network engineers and I don't expect them to know about all this. You clearly do so why berate them about it?


I guess I did come off a bit harsh. I apologize. It's just quite frustrating that people, even some engineers, fail to realise the security concerns with lack of encryption.

As far as a butt-set, yes, anyone can find a butt-set and climb a telephone pole, and if someone does have the guts to climb up a pole, and listen to someone's conversation, especially out in the public eye, they have more balls than I do. I'm just trying to illustrate how easy it is to capture data out on the internet. Anyone can do it... I just want to prove a point to Vonage, and its techs that no, RTP is not secure, and to stop telling customers that it is.

This could have been taken care of if customercare@vonage.com responded to my e-mail. Hopefully their engineers will see this thread, then check for e-mail "[vonage.com #1185886] Automated Response: Voip security concerns "

Again, I would like to apologize for coming off harsh, that wasn't really my intention. I guess after the Maxwell Smart comments, and snide comments I just got a bit short.... (that's still no excuse)

kenn10
Vonage Forum Master
Joined: Jun 07, 2004
Posts: 196
Location: Kennesaw, GA

Posted: Thu Feb 17, 2005 1:23 pm

GardRailz wrote:
This could have been taken care of if customercare@vonage.com responded to my e-mail. Hopefully their engineers will see this thread, then check for e-mail "[vonage.com #1185886] Automated Response: Voip security concerns "

Again, I would like to apologize for coming off harsh, that wasn't really my intention. I guess after the Maxwell Smart comments, and snide comments I just got a bit short.... (that's still no excuse)


Gardrailz, almost no company has decent customer service any more. Customers aren't willing to pay higher prices to support it. You should try calling my local DSL provider and asking a question. After the nice person in India tells you to reboot your modem and PC for the fifteenth time, you figure it out. That's why I switched to the cable company who has local people to tell you to reboot your modem and pc. LOL.

On a more serious note, posting what you did above just lets more criminals and soon to be criminals have an easy reference on how to tap phone calls. Not a good idea. Hopefully, the moderator will blot that portion out.

GardRailz
Full Forum Member
Joined: Jan 30, 2005
Posts: 73
Location: WV

Posted: Thu Feb 17, 2005 1:52 pm

kenn10 wrote:
GardRailz wrote:
This could have been taken care of if customercare@vonage.com responded to my e-mail. Hopefully their engineers will see this thread, then check for e-mail "[vonage.com #1185886] Automated Response: Voip security concerns "

Again, I would like to apologize for coming off harsh, that wasn't really my intention. I guess after the Maxwell Smart comments, and snide comments I just got a bit short.... (that's still no excuse)


Gardrailz, almost no company has decent customer service any more. Customers aren't willing to pay higher prices to support it. You should try calling my local DSL provider and asking a question. After the nice person in India tells you to reboot your modem and PC for the fifteenth time, you figure it out. That's why I switched to the cable company who has local people to tell you to reboot your modem and pc. LOL.

On a more serious note, posting what you did above just lets more criminals and soon to be criminals have an easy reference on how to tap phone calls. Not a good idea. Hopefully, the moderator will blot that portion out.


I'm glad someone realises how serious this is. When individuals state that RTP is secure, I was merely demonstrating how easy it is to decode packets. Sure, I'm sure there are laws to discourage this type of activity, but it doesn't prevent it from happening from a technical standpoint. All I ask is why didn't customercare respond to my original e-mail dated 02Feb2005 @ apx 21:51 EST.

This information is all over the web. Blotting it out here doesn't prevent the information from getting out. Security by obscurity is not the correct stance on security issues....

I want people to be aware of the security concerns, and by documenting this all here, hopefully Vonage, and its customers will take this seriously. I'm not trying to create criminals, I'm trying to prevent criminals from attacking Vonage's network.

kenn10
Vonage Forum Master
Joined: Jun 07, 2004
Posts: 196
Location: Kennesaw, GA

Posted: Thu Feb 17, 2005 2:00 pm

GardRailz wrote:
I'm not trying to create criminals, I'm trying to prevent criminals from attacking Vonage's network.


Maybe they're hiring. Lol

tommy13v
Moderator
Joined: Dec 20, 2004
Posts: 230
Location: upstate NY

Posted: Thu Feb 17, 2005 2:01 pm

GardRailz wrote:
vonagebest wrote:
As far as I know it is secure...You have SIP which initiates the call and then RTP stream carries the call and is supposed to be encrypted.

You might be able to get the data, but piecing it back together might take a long time. The social security issue might get resolved first. :)


If you'd like, I can provide a step by step demonstration of how easy it is utilizing free tools on the web... RTP is not encrypted, SRTP is the secure protocol.

My network configuration is as follows:
Code:

 [cable modem]
       |
       | (eth0 public side)
[linux Firewall]
       | (eth1 private side)
       |--------------------[vonage router]
       |
  |---------|
  |         |
[pc]      [pc]

On the Linux firewall, I used the following command before making a test phone call to an automated weatherline (301)797-9797

tcpdump -i eth1 -s 1518 -w rtp.cap host 172.xx.yy.251

After issuing that command, I dialed the number, and listened on the line for ~ 6 seconds. I then killed the capture, and downloaded it to my local XP laptop.


After installing the latest version of ethereal, obtained from http://www.ethereal.com (http://www.ethereal.com/distribution/win32/ethereal-setup-0.10.9.exe) I opened the capture file by double clicking it....

After opening the file, the SIP protocol could be clearly seen, within the SIP protocol there's a handshake process, where the local device 'invites' the remote peer. This invitation looks like this:

Code:

No.     Time        Source                Destination           Protocol Info
      8 3.728364    172.31.31.251         216.115.25.57         SIP/SDP  Request: INVITE sip:13017979797@atlas4.atlas.vonage.net:5061, with session description

Frame 8 (1275 bytes on wire, 1275 bytes captured)
Ethernet II, Src: 00:12:17:de:d8:92, Dst: 00:02:b3:b3:0f:bd
Internet Protocol, Src Addr: 172.31.31.251 (172.31.31.251), Dst Addr: 216.115.25.57 (216.115.25.57)
User Datagram Protocol, Src Port: 5061 (5061), Dst Port: 5061 (5061)
    Source port: 5061 (5061)
    Destination port: 5061 (5061)
    Length: 1241
    Checksum: 0x03d3 (correct)
Session Initiation Protocol
    Request-Line: INVITE sip:13017979797@atlas4.atlas.vonage.net:5061 SIP/2.0
        Method: INVITE
        Resent Packet: False
    Message Header
        Via: SIP/2.0/UDP 172.31.31.251:5061;branch=z9hG4bK-c1eb8f36
        From: 443-541-3368 <sip:14435413368@atlas4.atlas.vonage.net:5061>;tag=a7c6b5b382060016o0
            SIP Display info: 443-541-3368
            SIP from address: sip:14435413368@atlas4.atlas.vonage.net:5061
            SIP tag: a7c6b5b382060016o0
        To: <sip:13017979797@atlas4.atlas.vonage.net:5061>
            SIP to address: sip:13017979797@atlas4.atlas.vonage.net:5061
        Call-ID: a579d7b7-c0cba5e2@172.31.31.251
        CSeq: 102 INVITE
        Max-Forwards: 70
        Proxy-Authorization: Digest username="14435413368",realm="216.115.25.57",nonce="424760350",uri="sip:13017979797@atlas4.atlas.vonage.net:5061",algorithm=MD5,response="350e71218a20c3af9b24c59a3276f2ff"
        Contact: 443-541-3368 <sip:14435413368@172.31.31.251:5061>
        Expires: 240
        User-Agent: 001217DED892 Linksys/RT31P2-2.0.12(LI)
        Content-Length: 426
        Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, REFER
        Supported: x-sipura
        Content-Type: application/sdp
    Message body


Both phone numbers can be clearly seen and are unencrypted. (This reinforces my previous statement about individuals being able to capture based on phone numbers dialed.) I could paste the actual text data contained in the RTP packets, but that would be useless considering it's audio data. This is how one would decode the data if one were to 'obtain a capture'.

1.) Open up the capture file.
2.) Select the first RTP packet listed in the upper window (the window where a summary of the packets is listed) then click statistics in the menu bar, then select 'RTP' which is the fourth entry from the bottom. That menu will then expand into two additional options, "Show All Streams" and "Stream Analysis". Select stream analysis.
3.) Another window will pop up, with the name "Ethereal: RTP Stream Analysis", don't worry about the data contained in the window. Just look at the buttons down at the bottom of that window. Select the "Save Payload..." button, and specify a file name like "c:\file.au".

At this point, just double click the file (which is at the top of your C drive) and listen.

Congratulations, you just accessed unencrypted data, and have the ability to listen to any conversation you capture.


Here's a thread of an individual asking how to do what I just described: http://www.vonage-forum.com/ftopic2705-0-asc-20.html

and here's a url on ethereal's website which describes what to do with the capture once you obtain it:
http://wiki.ethereal.com/RTP

and here's a capture file that you can cut your newly developed RTP decoding teeth on:
http://vomit.xtdnet.nl/phone.dump.gz


Speaking of unsecure is xxx-xxx-xxxx your real phone number?


Last edited by tommy13v on Thu Feb 17, 2005 2:13 pm; edited 1 time in total
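
What the INVITE quoted in the post above exposes, and how the SRTP alternative named in the thread shows up in the same message, as an added example that is not part of any post: a small Python audit of a SIP INVITE and its SDP offer. Both messages are constructed samples with placeholder numbers and hosts, and `audit_invite` is a hypothetical helper name.

```python
import re

# Constructed sample (placeholder numbers and hosts): INVITE over UDP offering plain RTP.
PLAIN_INVITE = (
    "INVITE sip:15555550100@sip.example.net:5061 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5061;branch=z9hG4bK-constructed1\r\n"
    "From: <sip:15555550199@sip.example.net:5061>;tag=constructed\r\n"
    "To: <sip:15555550100@sip.example.net:5061>\r\n"
    "Call-ID: constructed-1@192.0.2.10\r\n"
    "CSeq: 102 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 10000 RTP/AVP 0 8 18\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed sample: the same call signaled over TLS, media offered as SRTP keyed by SDES.
SECURE_INVITE = (
    PLAIN_INVITE
    .replace("INVITE sip:", "INVITE sips:")
    .replace("SIP/2.0/UDP", "SIP/2.0/TLS")
    .replace("RTP/AVP", "RTP/SAVP")
    + "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\r\n"
)

VIA_RE = re.compile(r"^(?:via|v)\s*:\s*SIP/2\.0/(\w+)", re.IGNORECASE)


def audit_invite(message):
    """Report which parts of a SIP INVITE and its SDP offer travel unprotected."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    transport = "UNKNOWN"
    for line in head.split("\n")[1:]:
        m = VIA_RE.match(line)
        if m:  # the topmost Via names the transport this hop actually used
            transport = m.group(1).upper()
            break
    signaling_encrypted = transport in ("TLS", "WSS")
    findings = []
    if not signaling_encrypted:
        findings.append("signaling over %s: From/To/Call-ID readable on path" % transport)

    media, sdes = [], False
    for line in body.split("\n"):
        if line.startswith("m="):
            fields = line[2:].split()
            if len(fields) >= 3:
                profile = fields[2]  # RTP/AVP is plain RTP; the SAVP profiles are SRTP
                media.append((fields[0], profile, "SAVP" in profile))
        elif line.startswith("a=crypto:"):
            sdes = True  # SDES (RFC 4568): the SRTP key is carried inside the SDP

    for kind, profile, srtp in media:
        if not srtp:
            findings.append("%s offered as %s: payload is unencrypted RTP" % (kind, profile))
        elif sdes and not signaling_encrypted:
            findings.append("%s uses SRTP but its SDES key is exposed in clear signaling" % kind)
    return {"transport": transport, "signaling_encrypted": signaling_encrypted,
            "media": media, "findings": findings}


if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_INVITE), ("secure", SECURE_INVITE)):
        print(name, audit_invite(msg))
```

The third case worth checking on a real deployment is SRTP offered over UDP signaling: the media is encrypted, but the key in `a=crypto` is sent where the INVITE headers are readable.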

GardRailz
Full Forum Member
Joined: Jan 30, 2005
Posts: 73
Location: WV

Posted: Thu Feb 17, 2005 2:07 pm

tommy13v wrote:

<<<SNIP>>>
Speaking of unsecure is 443-541-3368 your real phone number?


Ah, someone that can read a capture :)

See how easy that was? Anyone can do it. Now, for grins and giggles, follow the steps with that test phone capture provided on the link provided in the post you just quoted.

Again, this is not to create criminals, this is to inform the public, and to make sure they are aware of how easy this is. Anyone can do this, just like tommy13v was able to read through the CIP header and determine what my alleged phone number is.

jlsoaz
Vonage Forum Junior
Joined: Feb 04, 2005
Posts: 28

Posted: Mon Mar 07, 2005 2:45 pm

GardRailz wrote:
tommy13v wrote:

<<<SNIP>>>
Speaking of unsecure is 443-541-3368 your real phone number?


Ah, someone that can read a capture :)

See how easy that was? Anyone can do it. Now, for grins and giggles, follow the steps with that test phone capture provided on the link provided in the post you just quoted.

Again, this is not to create criminals, this is to inform the public, and to make sure they are aware of how easy this is. Anyone can do this, just like tommy13v was able to read through the CIP header and determine what my alleged phone number is.


This seems like a worthwhile thread, although it ended several weeks ago. I, also, am concerned about security.

If there is some reasonable level of precaution that a non-technical person can take, then I would be interested to hear about it. Is calling out on my POTS line more secure than on my Voip line? I'll have to look into my options, under certain circumstances.

rlstjohn
Vonage Forum Master
Joined: Jan 27, 2005
Posts: 218
Location: Maryland

Posted: Mon Mar 07, 2005 2:57 pm

Actually, there is a program out there that will reconstruct all the RTP for you. Here is a quote from the website:

Cain & Abel v2.65 released
New features:
- Voip sniffer / recorder
Cain's sniffer can now extract audio conversations based on SIP/RTP protocols and save them into WAV files. The following codecs are supported: G711 uLaw, G711 aLaw, GSM, MS-GSM, ADPMC, DVI, LPC, L16, G729, Speex, iLBC. This feature is experimental, let me know your results.

check it out at http://www.oxid.it/

MrMike
Full Forum Member
Joined: Dec 29, 2004
Posts: 40
Location: Austin, TX

Posted: Mon Mar 07, 2005 4:30 pm

And that waitress I just gave my credit card to to pay for my meal is running a copy of my numbers and signature to go buy things with. The cable company is collecting all the channels I watch and things I record on the DVR for advertising and other nefarious purposes. The clerk at the grocery store is following me around to see that I buy chunky instead of creamy peanut butter. The bank teller that I make my deposit with is copying my signature and personal info to raid my account and rob me while I sit in the drive thru.

I think you said it best in your original post, you're paranoid. I mean really. If you are THAT worried about someone snooping your phone calls and invading your network and stealing your cc numbers maybe you shouldn't be using computers or credit cards?

talkisfree
New Forum Member
Joined: Mar 20, 2005
Posts: 6

Posted: Sun Mar 20, 2005 8:35 pm    Post subject: vonage will lose without security

GardRails, you have raised valid concerns. Vonage planners will not be smart to ignore security issue if they intend to grow their business.

Before I came across this forum, I searched the whole Vonage help section but found NOTHING on subjects of privacy and encryption for their Voip service. In the age of ID/credit card thefts that can take years to fix, those who are not concerned about security of their phone transactions are burying their heads in the sand in my view.

As things are, alternative is to keep both POTS and Voip for different uses but that is not cost effective in the end. I'll be inclined to drop my Vonage service if I didn't get satisfactory information about security of calls over Vonage service if it came to choosing between old phone and Vonage.