Securing Voice-over-IP – Put an End to Eavesdropping

Analog telephony has a long history, dating back to the 19th-century inventors and pioneers of the telephone Innocenzo Manzetti, Philipp Reis and Alexander Graham Bell. But the days of analog communication are numbered and, gradually, digitalization is taking over. Europe has already seen the first wave of digitalization in the telephone industry with the invention and standardization of the ISDN (Integrated Services Digital Network) technology for data and voice transmission in the late 1980s and mid-1990s. Some European countries skipped the ISDN technology completely and moved directly from analog to Voice-over-IP telephony.

Today everyone is talking about All-IP, Voice-over-IP and IP telephony. Most providers want to fully convert all of their analog telephone connections to digital within the next couple of years. Many contracts have already expired, urging customers to switch to IP-based networks. According to official numbers from Deutsche Telekom, the share of IP telephony rose from 29 percent in 2014 to 40 percent of customers Europe-wide in 2015.

Challenges of IP telephony

For the telecom companies this shift in technology brings numerous advantages, in particular saving costs for maintenance and administration. Some also see the digitalization of the telephone industry as a potential opportunity not only for new IP-based business models, but also in raising the level of security.

But what exactly are the advantages of this new standard technology for voice transmission, and what are the disadvantages? The biggest downside is that a constant power supply is vital to keep all network components running. If the power goes down, the Internet connection is lost and all telephone conversations over that line are terminated. The traditional analog landline does not require a power source as the signals are transferred directly via electrical frequency changes over copper cables. Consequently, many small and medium-sized companies fear that electricity failures could threaten their business. Other institutions that depend on constant availability, like emergency hotlines, are also feeling rather uncomfortable. However, there are emergency power sources like battery packs or other UPSs (Uninterruptible Power Supplies) to keep telephone lines running in the case of a blackout.

And yet apart from the constant supply of electricity, there is another major issue regarding VoIP telephony that people tend to forget: security. Just like any other data transferred over the internet, call-data packets can be intercepted in the public or corporate networks, by the internet service provider, and right along the backbone. Cyber criminals, competitors or intelligence agencies can eavesdrop on the unencrypted data anywhere along the line—all they need is access to the network.

In general VoIP calls over the internet are not encrypted, making them vulnerable to different security threats from outside attackers, but also from the inside. Proper encryption is one of the essential security technologies for any kind of data sent over the internet, so securing VoIP is a vital element of the security package for any organization.

In the course of replacing analog lines with modern IP-based telephony, encrypting and securing VoIP should have a place on the agenda.

VoIP protocol encryption 

Today there are two major encryption methods available for VoIP calls: encryption of the standard protocols for VoIP, and proprietary end-to-end encryption based on specially designed applications.

With the introduction of the SIPS/SRTP protocols, the Internet Engineering Task Force (IETF) laid the foundation to secure the communication between a VoIP telephone and a VoIP service provider. SIPS (Session Initiation Protocol Security) encrypts all signaling data with the help of TLS (Transport Layer Security), whereas all voice-related data is encrypted by SRTP (Secure Real-time Transport Protocol) with the help of AES (Advanced Encryption Standard). But only the connection between the caller and the provider is encrypted – and hence, secure. In order to have a fully encrypted connection between both participants of a call, the person called ideally should use the same provider and exactly the same SIPS or SRTP-based telephone. The ultimate goal is to have these secure protocols established as a broad standard of encryption in the near future when the outdated landline ceases to exist.

However, this still does not provide true end-to-end encryption, as the data packets have to be processed unencrypted in the Session Border Controller at the provider itself. The reason is a political one: according to the “Lawful Interception” legislation in most countries, telecom companies have to provide law enforcement officials – e.g. the police – access to their internet traffic data via unencrypted interfaces.
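Whether a call leg uses plain SIP/RTP or SIPS/SRTP is visible in the call setup message itself. The following added example (not code from the original article) audits a SIP INVITE for a `sips:` request URI, TLS transport on each Via hop and an SRTP media profile in the SDP body; the sample messages, the function name and the finding strings are constructed for illustration.

```python
import re

# Constructed sample INVITEs (not captured traffic; addresses are
# documentation ranges, the key is a placeholder).
PLAIN_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
)
SECURE_INVITE = (
    "INVITE sips:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK2\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\n"
    "m=audio 49172 RTP/SAVP 0 8\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY\r\n"
)

SECURE_TRANSPORTS = {"TLS", "WSS"}  # Via transports that run over TLS
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def audit_invite(message: str) -> list[str]:
    """Return findings; an empty list means signaling and media are both protected."""
    head, _, sdp = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    findings = []
    # Signaling: Request-URI scheme and the transport of every Via hop.
    if not re.match(r"\S+\s+sips:", lines[0], re.I):
        findings.append("request-uri is not sips:")
    for line in lines[1:]:
        m = re.match(r"(?:Via|v)\s*:\s*SIP/2\.0/(\w+)", line, re.I)
        if m and m.group(1).upper() not in SECURE_TRANSPORTS:
            findings.append(f"via transport {m.group(1).upper()} is not TLS")
    signaling_ok = not findings
    # Media: every m= line must negotiate a secure RTP profile.
    for kind, profile in re.findall(r"^m=(\w+) \d+(?:/\d+)? (\S+)", sdp, re.M):
        if profile.upper() not in SRTP_PROFILES:
            findings.append(f"{kind} stream uses {profile} (no SRTP)")
    # An SDES key (a=crypto) sent over cleartext signaling protects nothing.
    if not signaling_ok and re.search(r"^a=crypto:", sdp, re.M):
        findings.append("SRTP key sent in unprotected signaling")
    return findings

if __name__ == "__main__":
    for name, msg in (("plain", PLAIN_INVITE), ("secure", SECURE_INVITE)):
        print(name, audit_invite(msg) or "OK")
```

The last check covers the mixed case: SRTP negotiated with an `a=crypto` key while the signaling that carries the key is still unencrypted.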

Loose end-to-end encryption

End-to-end encryption guarantees maximum security along the entire length of the connection, from the caller at one end of the “line”, passing through the provider, right to the very end where the receiver sits. This method is based on software solutions or applications for mobile devices. The encrypted communication runs from one application to the other, functioning only if both parties use exactly the same program. This form of encryption is a true end-to-end solution making it impossible for third parties to intercept messages or calls. It is also legally safe, as Lawful Interception only applies to telecoms operators; it applies neither to the manufacturers of software or VPN routers, nor to their customers.

As mentioned above, encryption is only secure on condition that both parties use exactly the same software. With a variety of solutions on the market and providers using different technologies for securing their traffic, the encryption process can become rather complex. In addition, normal analog telephones are not compatible with this TCP/IP-based encryption. They need to be addressed by an intermediate server that establishes the connection.

So the bottom line is that protocol-based encryption is by far the more practical and promising solution, while special software solutions – under the circumstances described above – can also deliver a high level of security for IP-based telephone calls. It remains to be seen, however, how fast the secure protocols described above will be adopted by the providers and manufacturers.

Network security first

Despite all this, the whole issue only makes sense if the company’s network is properly secured. As the standard VoIP protocols (SIP/RTP) are unencrypted, the biggest threat to security often comes from within organizations, as numerous studies and articles show.

Securing Voice-over-IP via a VPN Client

In order to prevent any kind of snooping or eavesdropping on sensitive data by inside attackers, first and foremost the in-house network needs to be properly secured. What’s more, remote offices should be integrated into the company’s network by means of a VPN connection in order to protect the data traffic from outside attacks.

1 Comment

  1. WS
    February 7, 2018    

    this is interesting!
