Lock up VOIP

By Kirsten Doyle, ITWeb contributor.
Security Summit 2009, 26 May 2009

Criminals will own the phone system if VOIP is left unprotected, says Phil Zimmermann, author of Pretty Good Privacy (PGP) and international security consultant.

“We cannot not encrypt VOIP calls; if we don't, the criminals will own our phone system,” he said during his keynote address at ITWeb's fourth annual Security Summit, which kicked off in Midrand this morning.

“The legal environment has shifted so much since the 1990s. The threat model I designed PGP for was different. There was not that much encryption software in 1991, and the little there was, was designed to protect businesses from their competitors.

“PGP was designed to protect against major governments. I had to assume the national technical means of the two superpowers during the Cold War would be used to assist secret police. That was the threat model.”

Global crypto war

As the Cold War ended and the 1990s unfolded, there was a shift towards a global economy. “A lot of businesses found themselves in environments where they needed to protect their businesses against sovereign states,” he explained.


PGP was already positioned to do that, so it turned into a business tool, due to the shift in threat model and legal environment. During the 1990s, companies had to fight for the right to use strong encryption.

France banned PGP altogether, the US had controls that said strong encryption could not be exported without a licence, and other countries copied these. The French eventually realised that, in order to compete with the world, they would have to embrace technology and the Internet, and eventually relaxed domestic controls. The UK followed, and then, finally in 2000, the US relaxed controls, said Zimmermann.

Learning acceptance

Today, the legal environment in the US is predisposed towards the use of encryption. In addition, these days, if a company loses customer identities, it has to confess, which damages its reputation, and makes it lose customers. However, a company does not have to confess if it encrypted the data, as nothing has been lost, he noted.

All these laws add up to a legal environment that encourages the use of encryption. “This is quite a shift and I think that we will probably see the following happen: there is a long tradition in law enforcement of being able to wiretap, although it is not done regularly and only where a court order has been issued. It has happened more and more in the US, in recent years, but now we're about to transition from a public switched telephone network to VOIP, and we'll find we have no choice but to encrypt. The old telephone system could only be tapped through the operator.”

He explained that with VOIP, the packets go through the cloud, making it easier to wiretap near the endpoints. If one PC out of hundreds is infected with spyware, it could capture the local network traffic, including VOIP traffic, and record it as MP3 files or similar. Someone on the other side of the world could browse those recordings without entering the country, selectively listening to the pieces that interest them.

Taking cover

According to Zimmermann, the potential dangers of this are enormous. There could be instances of insider trading by listening in to one CEO talk to another. Criminals could listen in to prosecutors' calls, gleaning information on key witnesses. They could eavesdrop on judges, blackmail politicians - the possibilities are endless, he pointed out.

“This means that we have to find a way to encrypt VOIP, otherwise organised crime will be all over VOIP as it's all over the Internet now.

“Criminals attack the Internet with such ferocity these days. I can liken it to being inside an armoured personnel vehicle, and hearing the bullets hit it on the outside.”

If phone calls are going to move into the urban blight of the Internet, users have to do something to encrypt those calls, he warned. If they don't, criminals will own the phone system.