SDA India is an online resource for Software, Development,IT, Architecture, Open Source, Mobile, Security, Databases, Delphi, C, OS, Asp, .Net, Php, Xml, Java

UK-based VoIP expert, Peter Cox, who co-founded and former CTO of firewall vendor BorderWare, has released a proof-of-concept program to show how easy it would be for criminals to eavesdrop on the VoIP-based phone calls of any company using the technology.

SIPtap, as the software is called, is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well.

SIPtap demonstrates that the worst-case nightmares of VoIP vulnerability are now well within the capabilities of organized crime, which could use such a program to steal confidential data from companies, governments and even the police.

"We are in the early days of VoIP, but there is a knowledge gap," said Cox, lamenting the naivety about VoIP's inherent security weaknesses among the mostly telecom-oriented engineers building such systems. "Companies using VoIP internally think they are protected."

The program can index 'IP-tapped' calls by caller - using SIP identity information - and by recipient, and even by date. Running from August this year until the most recent tap, SIPtap had no problems in extracting enough information on the test network to prove that call recording of any and every VoIP call at a hypothetical company was now a trivial exercise.

"The threat is that an attacker engineers a Trojan and has it sit there passively (on a network), recording calls from anywhere on the Internet," said Cox.
Cox also added, "Apply the same vigour when building a VoIP network you would when building a website."

Cox is currently running a series of workshops on VoIP threats in conjunction with SIP Services Europe, and has published his own Video podcast on the topic.