21st Century Phone Tapping

Forget the spy movies where the hero or villain climbs telephone poles, carefully attaching crocodile clips to listen in on that critical phone call. VoIP technology makes phone tapping much more of an armchair pursuit.

The reason is that VoIP calls run over IP networks, with fewer access controls than on the phone network. Anyone wanting to eavesdrop on a VoIP call can simply download a toolkit from the Internet.

There are many potential points where calls can be monitored, ranging from the cables connecting the phone through to equipment at the service provider.

When my SIPtap demonstrator received some coverage at the end of last year, a vocal minority accused me of overhyping the threat.

The claim was that technologies such as VLANs, network switches and even general-purpose firewalls offered effective controls. While these technologies can certainly help, none of them offers a complete solution.

A recent study I completed highlighted a number of ways that a determined attacker could monitor calls. These included vulnerabilities in desktop phones, weaknesses in access controls on critical network components and the risk of an attacker connecting equipment to network ports.

The reality is that we are heavily reliant on the phone system and regularly use it to discuss sensitive topics. The value of this information makes it worthwhile for an attacker to invest some effort in monitoring calls.

Running VoIP makes the attacker’s task easier. There are solutions, but you need to look further than relying on VLANs, switches and firewalls.