VoIP systems vulnerable to identity theft

VoIP calls could be intercepted by criminals and hackers. They need to be encrypted

The majority of VoIP telephone systems are vulnerable to interception and hacking attacks. That's the view of Phil Zimmerman, the creator of Pretty Good Privacy (PGP), who believes that VoIP technologies now need to be encrypted.

"We must encrypt VoIP because it's vulnerable," he said in an interview published in PC Answers magazine. "On the public switched telephone network (PSTN), the government could easily wiretap [a call] and criminals could not. With VoIP anyone can wiretap."

VoIP vulnerability

Zimmerman goes on to explain how a VoIP hack might work if your computer, or one of the computers on a local network, was infected with spyware that could monitor all IP traffic. This spyware would sniff for unencrypted VoIP traffic and then record it to the computer's hard disc as WAV files. There's a utility that already does it here.

"Someone on the other side of the world who put that spyware there could browse through those files and selectively play the interesting ones - without even coming into your country."

It's a hacking strategy that hasn't been possible before via the existing telephone network. While PC-to-PC calls on Skype already employs 256-bit AES encryption, the rest of the VoIP industy isn't so well protected. It's a glaring gap that Zimmerman aims to fill with Zfone, an end-point encryption application for SIP/RTP that he's developed. Think of it as PGP for VoIP.

"VoIP is a growth industry and it needs to be encrypted," adds Zimmerman. "Criminal organisations will start attacking VoIP as soon as it becomes big enough to attract them."

Zfone is currently available as a beta release and can be downloaded from the Zfone website. The full interview with Phil Zimmerman appears in the October 2007 issue of PC Answers, out now.