SlideShare ist ein Scribd-Unternehmen logo

Voice security and privacy - Today’s solutions and technologies

PrivateWave Italia SpA
PrivateWave Italia SpA

The document discusses the risks of eavesdropping and phone call interception. It notes that phone call interception was once limited but is now more widespread due to new technologies and operators. It describes methods that can be used to intercept phone calls both lawfully and unlawfully at low cost. The document warns that the human factor introduces risks if those involved in interception can be bribed or make interceptions for unauthorized political purposes. It also discusses real world cases where illegal interception scandals have undermined democracy in countries like Italy, Greece, Finland, and Turkey.

Technologie
1 von 72
Voice security and privacy: Confidentiality protection today’s protection, today s solutions and upcoming technologies and standards d t d d March 2009 Fabio Pietrosanti CTO @ PrivateWave Pietrosanti, Fabio Pietrosanti 1 www.privatewave.com
1 The need to intercept phone calls Fabio Pietrosanti 2 www.privatewave.com
1 - The need to intercept phone calls Once upon a time... • Communication interception was limited to fixed phone lines • Few companies, Telco monopoly, were involved • The interception was limited in providing useful information for investigation and intelligence needs Fabio Pietrosanti 3 www.privatewave.com
1 - The need to intercept phone calls But now now... • Ubiquitous computing is a reality and mobility is everywhere • Plenty of different operators • Plenty of different technologies (voip, virtual operators, etc) (voip operators • Cross-border communication services complexity • More data can be retrieved (ex: Location data, phone call logs, sms messages, etc,) Fabio Pietrosanti 4 www.privatewave.com
1 - The need to intercept phone calls An appealing business today • Acquiring access to communications today means acquiring *full* access to a person’s life • But who has such a need? Fabio Pietrosanti 5 www.privatewave.com
1 - The need to intercept phone calls Subjects interested in other parties communications • Law Enforcement Agencies • National Secret Services • Foreign Secret services • Almost all large corporations in international context • Outsourced intelligence service providers • Organized crime (those information may require dedicated slides for each subject) Fabio Pietrosanti 6 www.privatewave.com
1 - The need to intercept phone calls Lawful interception Lawful i f l interception i • Action (based on the law) - performed by a network operator / access provider / service provider (NWO/AP/SvP) id i id ( ) - to make certain information available and provide that information to a law enforcement monitoring facility for investigation purposes Fabio Pietrosanti 7 www.privatewave.com
1 - The need to intercept phone calls Unlawful interception Unlawful interception U l f li t ti • Action (against the law) - performed by a government agency / network operator / access provider / service provider (NWO/AP/S P) / t k t id i id (NWO/AP/SvP) Large enterprise / Intelligence Agency / Intelligence professional / disgruntled employee – to make certain information available and provide that information to an interested third party who provided enough budget to proceed to an information collection Fabio Pietrosanti 8 www.privatewave.com
2 Methods to intercept phone calls (do-it-yourself) Fabio Pietrosanti 9 www.privatewave.com
2 - Methods to intercept phone calls Tactical Vs Non-Tactical Vs. Interception • Tactical interception • It directly applies to communication lines • Does not involve the telecommunication operator knowledge • It can be lawful or unlawful • Almost most unlawful interception use Tactical methods l h d Fabio Pietrosanti 10 www.privatewave.com
2 - Methods to intercept phone calls Interception targets and approach • Target Identity • Target Devices • Target Communication lines g • Parametric Interception • Most methods can be cheap, only a few are expensive i Fabio Pietrosanti 11 www.privatewave.com
2 - Methods to intercept phone calls Practical Approach: Once upon a time... • Manual switching cable on Telco offices was an easy task to do. Fabio Pietrosanti 12 www.privatewave.com
2 - Methods to intercept phone calls Practical Approach: Mobile interception (1) • Mobile phones can be intercepted with appropriate equipment (GSM, CDMA, UMTS) • Passive Method (A5 Cracking) • Active Method (Risk of detection) • Active/Passive Method (100% success) Fabio Pietrosanti 13 www.privatewave.com
2 - Methods to intercept phone calls Practical Approach: Mobile interception (2) • Can be leased along with intelligence professionals for 2000 EUR/day list price • In theory they are illegal in their use but, in practice... Ask a quotation to serious investigation agency! Fabio Pietrosanti 14 www.privatewave.com
2 - Methods to intercept phone calls Practical Approach: Mobile interception (3) • Uplink of operators between towers are not encrypted and monitoring devices are even less costly! Fabio Pietrosanti 15 www.privatewave.com
2 - Methods to intercept phone calls Practical Approach: ISDN/PSTN Interception • Simple cable cut gives impressive results! • Budget? Less than 250 USD for a professional equipment transmitting in VHF Fabio Pietrosanti 16 www.privatewave.com
2 - Methods to intercept phone calls Practical approach: Fiber Tapping (VoIP) • Less than 300 USD equipment • Open the bottle, bypass the fiber, get the h l t ffi f th whole traffic of area Fabio Pietrosanti 17 www.privatewave.com
2 - Methods to intercept phone calls Practical approach: DSL copper tapping (VoIP) • Tap directly on ADSL copper with Tactical ADSL probe probe. Fabio Pietrosanti 18 www.privatewave.com
2 - Methods to intercept phone calls Practical Approach: Easy ethernet tapping (VoIP) • From 20 to 150 USD b d t F t budget Fabio Pietrosanti 19 www.privatewave.com
3 The risk of eavesdropping (for people’s safety and democracy) p p y y Fabio Pietrosanti 20 www.privatewave.com
3 - The risk of eavesdropping Quis custodiet ipsos custodes? Who will watch the watchers? • The most important sentence • Reflect on the impact that eavesdropping has on the democracy Fabio Pietrosanti 21 www.privatewave.com
3 - The risk of eavesdropping The human factor: Can we trust all of them together? • Law E f L Enforcement E l t Employee • Telco Employee • Outsourced interception services employee • Technical support employee of interception h i l l fi i products • Any party involved in the process... Fabio Pietrosanti 22 www.privatewave.com
3 - The risk of eavesdropping The h Th human factor: Quiz f t Q i An employee of a Telco, a 1800 USD net salary, working on technical structure is asked by an unknown person to wiretap a certain line. He is given 20k USD in advance What he will do? advance. a) Refuse the offer and report to the authority the request. He has an ethic! b) Accept the offer and execute the taping ) p p g c) Accept and propose also a list price for phone call logs and details on owners of lines Fabio Pietrosanti 23 www.privatewave.com
3 - The risk of eavesdropping The technical f h h i l factor • Most interceptions are done by redirecting p y g and/or copying intercepted traffic to a centralized place • Do you think that the diverted traffic is p protected? NO! • From one place, the LEA office lines, every interception can be intercepted. • VoIP multiplies the risk factor by moving the intercepted traffic over the internet without protection. Fabio Pietrosanti 24 www.privatewave.com
3 - The risk of eavesdropping The political factor and new freedom risks • New parametric interception techniques are able to N ti i t ti t h i bl t detect certain kind of pattern in ALL voice flows. • Language bl kli ti L blacklisting, gender d t ti d detection and d blacklisting, keyword matching give too much power in the hands of few persons and there’s no law on how to deal with it. Fabio Pietrosanti 25 www.privatewave.com
3 - The risk of eavesdropping The political factor in unstable countries • Unstable countries face the issue of cross-agency interception • Wiretapping became a strong cause of political pp g g p instability Fabio Pietrosanti 26 www.privatewave.com
3 - The risk of eavesdropping The Th need of perfectly enforceable d f f tl f bl laws on wiretapping • Laws and procedures for efficient, controlled and guaranteed wiretapping are required • Wiretapping of civil, secret and military agencies has to be regulated and the rules have to be subject to public scrutiny Fabio Pietrosanti 27 www.privatewave.com
3 - The risk of eavesdropping The need of perfectly enforceable laws on wiretapping • USA: Foreign Intelligence Surveillance Act (1978) ll ll ( ) • Church Commitee Report • The Committee finds that information has been collected and disseminated in order to serve the purely political interests of an intelligence agency or the administration, and to influence social policy and political action. • White House officials have requested and obtained p q politically useful information from the FBI, including y , g information on the activities of political opponents or critics. • The FBI has also used intelligence as a vehicle for covert efforts to influence social policy and political action. • NSA Warrantless Wiretapping (Bush Administration) • New York Times: Bush Lets U.S. Spy on Callers Without Courts • “The White House asked The New York Times not to publish this article” • http://www.cfr.org/publication/9763/ • http://www.commondreams.org/headlines05/1216-01.htm Fabio Pietrosanti 28 www.privatewave.com
4 Real R l case, R l world Real ld Real risk scenario Fabio Pietrosanti 29 www.privatewave.com
4 - Real case, Real world, Real risk scenario Global interception: Echelon • USA confirmed their global interception program with the support of Great Britain and New Zealand • European Parliament confirmed that Echelon was used to illegally divert airplane deals to make US company win respect to EU company Fabio Pietrosanti 30 www.privatewave.com
4 - Real case, Real world, Real risk scenario 2006 - Italy: Interception scandals, thousands of persons were profiled, intercepted and someone blackmailed. • Adamo Bove, the head of Security of the Mobile Telco TIM was found “suicided” suicided • The head of secret services was wiretapped • Thousands of people’s phone logs were acquired • A numbers of illegal interception has been done • http://www.edri.org/edrigram/n http://www edri org/edrigram/n umber4.15/italy Fabio Pietrosanti 31 www.privatewave.com
4 - Real case, Real world, Real risk scenario 2005 - Greece: Interception scandals, a bug has been put in Vodafone ICT infrastructure • Costas Tsalikidis has been found dead head of Security of the Mobile Telco was found “suicided” • The prime minister, the chief of minister secret services, a lot of activists have been intercepted • No N responsibility has been found ibilit h b f d • All phone calls were diverted to a bunch of prepaid anonymous SIM p p y cards Fabio Pietrosanti 32 www.privatewave.com
4 - Real case, Real world, Real risk scenario 2001 - Finland: Interception scandals, mobile phones intercepted without warrants • 3 top officials of Finland Security Policy and the head of f the security department of Sonera are charged for illegally intercepting user ill ll i t ti phone calls. • The recording has been going for nearly a year without any formal authorization nor request Fabio Pietrosanti 33 www.privatewave.com
4 - Real case, Real world, Real risk scenario 1996-today 1996 today - Turkey: Continuous interception scandals, blackmailing and transcripts of wiretapping p pp g • Since 1996 in Turkey the political instability has caused a continuous tapping of phone calls of journalists, politicians, journalists politicians military and police representative • Almost every year a scandal gets out Fabio Pietrosanti 34 www.privatewave.com
4 - Real case, Real world, Real risk scenario France: F Political spying by Mitterand causes him to loose election Fabio Pietrosanti 35 www.privatewave.com
4 - Real case, Real world, Real risk scenario 2007 - USA: FBI missed to get authorization for interceptions because of too complicated laws p Fabio Pietrosanti 36 www.privatewave.com
4 - Real case, Real world, Real risk scenario 2009 - C l Colombia: bi Continue the debate and fight on corrupted officials doing wiretapping paid by drug traffickers Fabio Pietrosanti 37 www.privatewave.com
4 - Real case, Real world, Real risk scenario UK: UK Incredibly increased interception power and revelation of past activities Fabio Pietrosanti 38 www.privatewave.com
4 - Real case, Real world, Real risk scenario 1996 - P l d Poland: Plenty of requests by citizens to ombudsman that received illegal transcripts of intercepted phone calls Fabio Pietrosanti 39 www.privatewave.com
4 - Real case, Real world, Real risk scenario 2002 - N th l d Netherlands: Dutch secret services interception equipment brought from Israel is tapping the interceptors • Interception equipment used by Dutch Intelligence agencies was brought from the Israel company Verint. The equipment was leaking information on interception to Israel. • Interception technology is intercepting the interceptor! Another fall into the monitoring systems! Fabio Pietrosanti 40 www.privatewave.com
4 - Real case, Real world, Real risk scenario Conclusion of real world scenarios: The tip of the iceberg • It s It’s a serious problem that affects democracy and freedom, even western “democratic” countries • It’s a concrete and real problem • Only few facts reach the public media Fabio Pietrosanti 41 www.privatewave.com
5 Currently available protection technologies Fabio Pietrosanti 42 www.privatewave.com
5 - Currently available protection technologies Communication technologies C i ti t h l i • Traditional telephony (circuit switched) • ISDN (fixed) • PSTN (fixed) • GSM/CDMA/UMTS (mobile) • SAT (iridium, turaya, inmarsat, etc) • VoIP Telephony (packet switched) p y (p ) • Softphone on PC • Hardware phones • Mobile internet (GPRS, EV-DO, EVDO, etc) Fabio Pietrosanti 43 www.privatewave.com
5 - Currently available protection technologies Authorities for standards • ISO • ITU-T • GSM Consortium i • 3GPP • 3GPP2 • NSA • NATO • IETF • Telecom Industry Association (US interim standards) Fabio Pietrosanti 44 www.privatewave.com
5 - Currently available protection technologies Result of complexity in R lt f l it i technologies and authorities • NO single standard for telephony • NO single standard for security (not even enough!) Fabio Pietrosanti 45 www.privatewave.com
5 - Currently available protection technologies Securing unsecure media • Scrambling Vs Encryption Vs. • Voice connection Vs. Data connection • Creating a digital data path over the media • Circuit Switched: the lossy codec issue ending with “data calls” with... data calls • VoIP: required standardization for interoperability • And what about the signaling? Fabio Pietrosanti 46 www.privatewave.com
5 - Currently available protection technologies Communication technologies Circuit Switched Packet Switched Data Transmission ISDN, GSM,CDMA,UMTS, PSTN, SAT VoIP GPRS / EDGE / UMTS Quality of service Granted Not Granted Coverage Full Only Urban Area Per-packet Per-second Per second Billing (sender/receiver (sender pay) pay) Signaling l Outband b d In-band (over IP) b d( ) Fabio Pietrosanti 47 www.privatewave.com
5 - Currently available protection technologies VoIP basic • SIP is used to transport signaling informations • RTP is used to carry media traffic (audio, video) (audio • Both usually work over UDP protocol Fabio Pietrosanti 48 www.privatewave.com
5 - Currently available protection technologies VoIP Security: media encryption • Born without security in mind (like most technologies) • Encryption has been brought to IETF standard in March 2004 with SRTP (RFC3711), even if it was including a NULL encryptor... • SRTP support “Counter mode” and f8-mode for symmetric encryption and HMAC SHA1 for integrity checking (32bit) ti d HMAC-SHA1 f i t it h ki • There was only one BIG issue, no really secure and efficient key agreement method • MIKEY • SDES Fabio Pietrosanti 49 www.privatewave.com
5 - Currently available protection technologies VoIP Security: SRTP SDES INVITE sips:*97@ietf.org;user=phone SIP/2.0 Via: SIP/2.0/TLS 172.20.25.100:2049;branch=z9hG4bK-s5kcqq8jqjv3;rport From: "123" <sips:123@ietf.org>;tag=mogkxsrhm4 p g; p To: <sips:*97@ietf.org;user=phone> Call-ID: 3c269247a122-f0ee6wcrvkcq@snom360-000413230A07 CSeq: 1 INVITE Max-Forwards: 70 • SDES is the only Contact: <sip:123@172.20.25.100:2049;transport=tls;line=gyhiepdm>;reg-id=1 User-Agent: snom360/6.2.2 widely diffused and Accept: application/sdp Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, implemented key MESSAGE, INFO Allow-Events: talk, hold, refer agreement method Supported: timer, 100rel, replaces, callerid Session-Expires: 3600;refresher=uas Min-SE: 90 • It’s transported over d Content-Type: application/sdp Content-Length: 477 SIP v=0 o=root 2071608643 2071608643 IN IP4 172.20.25.100 • So useful and secure! s=call c=IN IP4 172.20.25.100 t=0 0 m=audio 57676 RTP/AVP 0 8 9 2 3 18 4 101 a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:WbTBosdVUZqEb6Htqhn+m3z7wUh4RJVR8nE15GbN a=rtpmap:0 pcmu/8000 a=rtpmap:8 pcma/8000 t 8 /8000 a=rtpmap:9 g722/8000 a=rtpmap:2 g726-32/8000 a=rtpmap:3 gsm/8000 a=rtpmap:18 g729/8000 a=rtpmap:4 g723/8000 a=rtpmap:101 telephone event/8000 a rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=ptime:20 a=encryption:optional Fabio Pietrosanti a=sendrecv 50 www.privatewave.com
5 - Currently available protection technologies VoIP Security: SIP/TLS • But SIP channel can be enciphered, there is SIP/TLS • The key can be transported securely between the client and the intermediator (much like the security model of GSM/UMTS between mobile and radio network controller) ll ) Fabio Pietrosanti 51 www.privatewave.com
5 - Currently available protection technologies VoIP Security: end-to-end encryption? • NO! • There’s still a little detail, and in security details matter . • The PBX can always observe and record the key! Fabio Pietrosanti 52 www.privatewave.com
5 - Currently available protection technologies Traditional t l h T diti l telephony: no security it by default • Circuit S it h d T l h Ci it Switched Telephony is considered i id d secure, as much as the Telco network can be considered secure • Standards for secure telephony were built only for governmental use and usually specifications were not available Fabio Pietrosanti 53 www.privatewave.com
5 - Currently available protection technologies Traditional telephony: clipper, born to fail • Clipper Chip was created by White House in 1993 implementing SkipJack algorithm • In 1994 FIPS 185 Escrowed Encryption Standard was approved • AT&T release TD3600E • 56bit encryption b • 4800bps data path over PSTN • In 1996 the project was considered a complete failure • In 1998 skipJack was declassified Fabio Pietrosanti 54 www.privatewave.com
5 - Currently available protection technologies Traditional t l h T diti l telephony: PGPhone PGPh • In 1995 Mr. Philip Zimmermann (2 ‘n) created PGPhone Mr n) • PGPhone was a software for Windows to be used connecting the PC through a modem for dialing the other party • Was using ephemeral Diffie-Hellmann protocol • Was using a short authentication string to detect a man-in-the- man in the middle attack • Unfortunately he was too visionary, in 1996 the internet world was still not ready for such technology ill d f h h l • In 1997 it became abandonware Fabio Pietrosanti 55 www.privatewave.com
5 - Currently available protection technologies Traditional telephony: STE and STU • From 1987 US Government standard using STU III STU-III • A set of cryptographic algorithm inside crypto cards programmed by National Security Agency • In 2004 the STE (Secure Terminal Equipment) succeeded to STU-III • STE now uses the SCIP, Secure Communication Interoperability Protocol, formerly named Future Narrowband Digital Terminal (FNDT) b d l l( ) • SCIP was first used in 2001 in Condor Secure mobile Phone Fabio Pietrosanti 56 www.privatewave.com
5 - Currently available protection technologies Traditional telephony: SCIP • SCIP is also known as the NATO extension of FNDT • Born to work over land line, military radios, communication satellite and Voice over IP (used in us over SIPRNET, Secret Internet Protocol Router Network) • Uses MELPe codec, royalty free only for US Government and NATO • Very narrowband stays at minimum of 2400hz narrowband, (2400bps) as it works also over crap iridium data links • Mr. Obama uses SCIP over a Sectera Phone as a Blackberry replacement Fabio Pietrosanti 57 www.privatewave.com
5 - Currently available protection technologies Traditional telephony: Cryptophone • In 2001 Cryptophone was born and it kept fully open their source code and security protocol design • The company (composed of several xs4all and ccc hackers) build up the product and started selling th d t d t t d lli the hardware phones • Unfortunately the protocol did not get public attention and did not get strong public auditing nor other interoperable use Fabio Pietrosanti 58 www.privatewave.com
6 Upcoming protection technologies Fabio Pietrosanti 59 www.privatewave.com
6 - Upcoming protection technologies Voice Over IP Security: finally end-to-end encryption! • Voice over IP finally got an end-to-end encryption with key agreements methods and new protocol approved by IETF • As a story we all have already seen with OpenPGP/MIME vs S/MIME there are two competing vs. standards • A Hierarchical standard to be integrated within PKI infrastructure - DTLS • A non hierarchical standard with a very high level or paranoid - ZRTP Fabio Pietrosanti 60 www.privatewave.com
6 - Upcoming protection technologies Voice Over IP Security: The main the middle problem Fabio Pietrosanti 61 www.privatewave.com
6 - Upcoming protection technologies Voice Over IP Security: The main the middle problem • Even if the call is ‘encrypted’ it does not mean that is secure • Key agreements can be compromised and security broken if a successful MiTM (Man in The Middle) attack is carried on • MiTM attacks carry hacks and tricks to the cryptographic key exchange making the communication appear “as secure” even if a malicious third party is diverting and wiretapping all the traffic Fabio Pietrosanti 62 www.privatewave.com
6 - Upcoming protection technologies Voice Over IP Security: DTLS & DTLS-SRTP • In March 2006 DTLS (Datagram Transport Layer Security) has been defined to protect UDP )h b d f d streams much like SSL and the successor TLS used in the web world • RTP runs over UDP • In 2008 a method to use DTLS as a key exchange method of SRTP to encipher RTP packets won the standardization path of IETF Fabio Pietrosanti 63 www.privatewave.com
6 - Upcoming protection technologies Voice Over IP Security: DTLS-SRTP • Requires a PKI to be used R i t b d • It completely relies on SIP channel integrity • In order to keep the SIP channel integrity, “Enhanced SIP identity” standard (RFC4475) has to be used • Unfortunately MiTM protection cannot be guaranteed when calling a phone number (+4179123456789) and thus, DTLS- SRTP collapse in providing security • So the basic concept is that DTLS requires a PKI to work, with all the bureocracy and complexity around building it • But B t don’t worry, most of the vendors that anno nced to use orr endors announced se DTLS-SRTP, said that they will provide self-signed certificate. No security assured. Fabio Pietrosanti 64 www.privatewave.com
6 - Upcoming protection technologies Voice Over IP Security: ZRTP • Mr. Mr Zimmermann did it again and by leveraging the old PGPhone concept of 1995, he designed and proposed for standardization ZRTP VoIP security protocol • ZRTP does not use SIP but instead uses in a clever way the RTP packet to perform in-band (inside RTP) key handshake • The concept is simple: what do we need to protect? • The media • So why modify the SIP signaling increasing complexity? • KISS principle always stays ahead • Implemented by Philip Zimmermann (zfoneproject.com), l d b hili i ( f j ) Werner Viettmann (gnutelephony.org), MT5 (unknown non-public implementation) Fabio Pietrosanti 65 www.privatewave.com
6 - Upcoming protection technologies Voice Over IP Security: ZRTP • ZRTP is provided to IETF as a standard (currently in standardization path) as a key initialization method for SRTP • ZRTP uses different key agreements method inside the cryptographic protocol • ECDH • DH • Preshared Key • ZRTP supports PFS (Perfect Forward Secrecy) • Can be used over most signaling protocols that use RTP for media transport (SIP, H.323, Jingle, P2P SIP) Fabio Pietrosanti 66 www.privatewave.com
6 - Upcoming protection technologies Voice Over IP Security: ZRTP • Short Authentication String as a method to detect MiTM wiretapper • the two users at the endpoints verbally compare a shared value displayed at both end • If the value doesn’t match, it f h l d h indicates the presence of someone doing a man in the middle attack Fabio Pietrosanti 67 www.privatewave.com
6 - Upcoming protection technologies Voice Over IP Security: Comparison of key agreements method of SRTP Technology SRTP - SDES SRTP - DTLS SRTP - ZRTP Yes (with Require SIP Yes additional No security complexity) The PBX can see No (but it Yes No the key? depends) Man in the middle iddl No Yes (not always) Yes protection (always) Different Yes implementation Yes No in Q1 2009 Fabio Pietrosanti 68 www.privatewave.com
6 - Upcoming protection technologies Traditional Telephony Security: ZRTP/S • In 2008 Mr. Zimmermann developed jointly with KHAMSA SA an extension of ZRTP to work again, like PGPhone already did in 1995 over traditional 1995, phone lines • ZRTP/S is a communication and security protocol that works over traditional telephony technologies (GSM, UMTS, CDMA IS94a, PSTN, ISDN, SATCOM, BLUETOOTH) • Basically it works over a ‘bitstream channel’ that can be b easily represented lik a ‘ i l connection’ il d like ‘serial i ’ between two devices Fabio Pietrosanti 69 www.privatewave.com
6 - Upcoming protection technologies Traditional Telephony Security: ZRTP/S (Design) • ZRTP/S can be, oversimplifying, a subset of a “compatible” RTP packet refactored to works over narrowband channels • It works over very narrowband links (4800 - 9600bps) • It works over high latency links (GSM CSD and SAT) with a “compressed” ZRTP handshake “ d” h dh k • In order to function over most channels, it requires the usage of narrowband codecs with advanced DTX and CNG features (AMR 4.75, Speex 3.95, MELPe 2.4) • Implemented in open source as additional module to libzrtp • Soon to be released for public and community usage Fabio Pietrosanti 70 www.privatewave.com
6 - Upcoming protection technologies Traditional Telephony: Comparison of technologies Technology SCIP ZRTP/S Cryptophone PGPhone Any (soon Government Business or Usage private and Any only Government free) Interoperable Yes Yes No No Speex, AMR, Codec C d MELPe MELP ACELP N/A MELPe IETF, Cryptophone Peer review NSA/NATO Deprecated p Community itself Fabio Pietrosanti 71 www.privatewave.com
Conclusion • Market and technologies are fragmented • Big Telco & Big Governments are against end to end-to- end encryption • A standard must win • The open source and the security communities play a fundamental role • Anyone should think about supporting it Fabio Pietrosanti 72 www.privatewave.com

Empfohlen

2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)Fabio Pietrosanti
 
Internet Wiretapping - Government and Law Use (Omnivore, Carnivore, DragonWar...
Internet Wiretapping - Government and Law Use (Omnivore, Carnivore, DragonWar...Internet Wiretapping - Government and Law Use (Omnivore, Carnivore, DragonWar...
Internet Wiretapping - Government and Law Use (Omnivore, Carnivore, DragonWar...Phelipe Folgierini
 
Wiretaps
WiretapsWiretaps
WiretapsHi Tech Criminal Justice
 
Dubai 2
Dubai 2Dubai 2
Dubai 2mmavis
 
Sec Wars Episode 3
Sec Wars Episode 3Sec Wars Episode 3
Sec Wars Episode 3Ikuo Takahashi
 
Ce Hv6 Module 44 Internet Content Filtering Techniques
Ce Hv6 Module 44 Internet Content Filtering TechniquesCe Hv6 Module 44 Internet Content Filtering Techniques
Ce Hv6 Module 44 Internet Content Filtering TechniquesKislaychd
 
Uk wireless network hijacking 2010
Uk wireless network hijacking 2010Uk wireless network hijacking 2010
Uk wireless network hijacking 2010CPPGroup Plc
 
Presentation on hadopi laws
Presentation on hadopi lawsPresentation on hadopi laws
Presentation on hadopi lawsbsookman
 

Empfohlen

2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)2009: Voice Security And Privacy (Security Summit - Milan)
2009: Voice Security And Privacy (Security Summit - Milan)Fabio Pietrosanti
 
Internet Wiretapping - Government and Law Use (Omnivore, Carnivore, DragonWar...
Internet Wiretapping - Government and Law Use (Omnivore, Carnivore, DragonWar...Internet Wiretapping - Government and Law Use (Omnivore, Carnivore, DragonWar...
Internet Wiretapping - Government and Law Use (Omnivore, Carnivore, DragonWar...Phelipe Folgierini
 
Wiretaps
WiretapsWiretaps
WiretapsHi Tech Criminal Justice
 
Dubai 2
Dubai 2Dubai 2
Dubai 2mmavis
 
Sec Wars Episode 3
Sec Wars Episode 3Sec Wars Episode 3
Sec Wars Episode 3Ikuo Takahashi
 
Ce Hv6 Module 44 Internet Content Filtering Techniques
Ce Hv6 Module 44 Internet Content Filtering TechniquesCe Hv6 Module 44 Internet Content Filtering Techniques
Ce Hv6 Module 44 Internet Content Filtering TechniquesKislaychd
 
Uk wireless network hijacking 2010
Uk wireless network hijacking 2010Uk wireless network hijacking 2010
Uk wireless network hijacking 2010CPPGroup Plc
 
Presentation on hadopi laws
Presentation on hadopi lawsPresentation on hadopi laws
Presentation on hadopi lawsbsookman
 
10.1.1.64.2504
10.1.1.64.250410.1.1.64.2504
10.1.1.64.2504Dan Drumm
 
Phishing
PhishingPhishing
Phishingdefquon
 
Cybercrime Inc. v2.2
Cybercrime Inc. v2.2Cybercrime Inc. v2.2
Cybercrime Inc. v2.2Rui Miguel Feio
 
Prosecuting Cybercrime and Regulating the Web
Prosecuting Cybercrime and Regulating the WebProsecuting Cybercrime and Regulating the Web
Prosecuting Cybercrime and Regulating the WebDarius Whelan
 
Ce hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional securityCe hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional securitydefquon
 
Hacked Revealed: Penetration Profession
Hacked Revealed: Penetration ProfessionHacked Revealed: Penetration Profession
Hacked Revealed: Penetration ProfessionHaris Tahir
 
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best Practices
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best PracticesE Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best Practices
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best PracticesDan York
 
Ce Hv6 Module 42 Hacking Database Servers
Ce Hv6 Module 42 Hacking Database ServersCe Hv6 Module 42 Hacking Database Servers
Ce Hv6 Module 42 Hacking Database ServersKislaychd
 
Doing Business in China IP Issues Before You Go
Doing Business in China IP Issues Before You GoDoing Business in China IP Issues Before You Go
Doing Business in China IP Issues Before You GoThis account is closed
 
Wi Fi
Wi FiWi Fi
Wi Fivenkatesh R
 
Crash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and securityCrash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and securityArturo Filastò
 
File000154
File000154File000154
File000154Desmond Devendran
 
Societal impacts PART 1
Societal impacts PART 1Societal impacts PART 1
Societal impacts PART 1AVISHITYAGI
 
FortressFone Overview 012915
FortressFone Overview 012915FortressFone Overview 012915
FortressFone Overview 012915Tom Malatesta
 
Internet thchnology
Internet thchnologyInternet thchnology
Internet thchnologyRajdeep Sahoo
 
Copyright Protection
Copyright ProtectionCopyright Protection
Copyright ProtectionGrittyCC
 
Ce hv8 module 15 hacking wireless networks
Ce hv8 module 15 hacking wireless networksCe hv8 module 15 hacking wireless networks
Ce hv8 module 15 hacking wireless networksMehrdad Jingoism
 
Impact of Government Intervention in Online Channels
Impact of Government Intervention in Online ChannelsImpact of Government Intervention in Online Channels
Impact of Government Intervention in Online ChannelsDavid Warwick
 
ISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_IntindoloISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_IntindoloJohn Intindolo
 
Private Investigations in Family Court
Private Investigations in Family CourtPrivate Investigations in Family Court
Private Investigations in Family CourtELCook
 
Comic Superhasen Teil 2
Comic Superhasen Teil 2Comic Superhasen Teil 2
Comic Superhasen Teil 2VS zennerstraße 1
 
Wade Walker
Wade WalkerWade Walker
Wade Walkerguest986419
 

Weitere ähnliche Inhalte

Was ist angesagt?

10.1.1.64.2504
10.1.1.64.250410.1.1.64.2504
10.1.1.64.2504Dan Drumm
 
Phishing
PhishingPhishing
Phishingdefquon
 
Prosecuting Cybercrime and Regulating the Web
Prosecuting Cybercrime and Regulating the WebProsecuting Cybercrime and Regulating the Web
Prosecuting Cybercrime and Regulating the WebDarius Whelan
 
Ce hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional securityCe hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional securitydefquon
 
Hacked Revealed: Penetration Profession
Hacked Revealed: Penetration ProfessionHacked Revealed: Penetration Profession
Hacked Revealed: Penetration ProfessionHaris Tahir
 
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best Practices
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best PracticesE Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best Practices
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best PracticesDan York
 
Ce Hv6 Module 42 Hacking Database Servers
Ce Hv6 Module 42 Hacking Database ServersCe Hv6 Module 42 Hacking Database Servers
Ce Hv6 Module 42 Hacking Database ServersKislaychd
 
Doing Business in China IP Issues Before You Go
Doing Business in China IP Issues Before You GoDoing Business in China IP Issues Before You Go
Doing Business in China IP Issues Before You GoThis account is closed
 
Crash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and securityCrash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and securityArturo Filastò
 
Societal impacts PART 1
Societal impacts PART 1Societal impacts PART 1
Societal impacts PART 1AVISHITYAGI
 
FortressFone Overview 012915
FortressFone Overview 012915FortressFone Overview 012915
FortressFone Overview 012915Tom Malatesta
 
Copyright Protection
Copyright ProtectionCopyright Protection
Copyright ProtectionGrittyCC
 
Ce hv8 module 15 hacking wireless networks
Ce hv8 module 15 hacking wireless networksCe hv8 module 15 hacking wireless networks
Ce hv8 module 15 hacking wireless networksMehrdad Jingoism
 
Impact of Government Intervention in Online Channels
Impact of Government Intervention in Online ChannelsImpact of Government Intervention in Online Channels
Impact of Government Intervention in Online ChannelsDavid Warwick
 
ISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_IntindoloISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_IntindoloJohn Intindolo
 
Private Investigations in Family Court
Private Investigations in Family CourtPrivate Investigations in Family Court
Private Investigations in Family CourtELCook
 

Was ist angesagt? (20)

10.1.1.64.2504
10.1.1.64.250410.1.1.64.2504
10.1.1.64.2504
 
Phishing
PhishingPhishing
Phishing
 
Cybercrime Inc. v2.2
Cybercrime Inc. v2.2Cybercrime Inc. v2.2
Cybercrime Inc. v2.2
 
Prosecuting Cybercrime and Regulating the Web
Prosecuting Cybercrime and Regulating the WebProsecuting Cybercrime and Regulating the Web
Prosecuting Cybercrime and Regulating the Web
 
Ce hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional securityCe hv6 module 14 denial of service TH3 professional security
Ce hv6 module 14 denial of service TH3 professional security
 
Hacked Revealed: Penetration Profession
Hacked Revealed: Penetration ProfessionHacked Revealed: Penetration Profession
Hacked Revealed: Penetration Profession
 
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best Practices
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best PracticesE Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best Practices
E Tel2007 Black Bag Session - VoIP Security Threats, Tools and Best Practices
 
Ce Hv6 Module 42 Hacking Database Servers
Ce Hv6 Module 42 Hacking Database ServersCe Hv6 Module 42 Hacking Database Servers
Ce Hv6 Module 42 Hacking Database Servers
 
Doing Business in China IP Issues Before You Go
Doing Business in China IP Issues Before You GoDoing Business in China IP Issues Before You Go
Doing Business in China IP Issues Before You Go
 
Wi Fi
Wi FiWi Fi
Wi Fi
 
Crash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and securityCrash course of Mobile (SS7) privacy and security
Crash course of Mobile (SS7) privacy and security
 
File000154
File000154File000154
File000154
 
Societal impacts PART 1
Societal impacts PART 1Societal impacts PART 1
Societal impacts PART 1
 
FortressFone Overview 012915
FortressFone Overview 012915FortressFone Overview 012915
FortressFone Overview 012915
 
Internet thchnology
Internet thchnologyInternet thchnology
Internet thchnology
 
Copyright Protection
Copyright ProtectionCopyright Protection
Copyright Protection
 
Ce hv8 module 15 hacking wireless networks
Ce hv8 module 15 hacking wireless networksCe hv8 module 15 hacking wireless networks
Ce hv8 module 15 hacking wireless networks
 
Impact of Government Intervention in Online Channels
Impact of Government Intervention in Online ChannelsImpact of Government Intervention in Online Channels
Impact of Government Intervention in Online Channels
 
ISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_IntindoloISSC456_Project_Presentation_Intindolo
ISSC456_Project_Presentation_Intindolo
 
Private Investigations in Family Court
Private Investigations in Family CourtPrivate Investigations in Family Court
Private Investigations in Family Court
 

Andere mochten auch

2e Colloque international sur les Technologies en Éducation - Montréal 2014 1...
2e Colloque international sur les Technologies en Éducation - Montréal 2014 1...2e Colloque international sur les Technologies en Éducation - Montréal 2014 1...
2e Colloque international sur les Technologies en Éducation - Montréal 2014 1...D.I.C.S.S. Inc
 
Newsletter sample
Newsletter sampleNewsletter sample
Newsletter sampleguest986419
 
Adoptame Plis
Adoptame PlisAdoptame Plis
Adoptame Plismelysiu3m
 
Cellulare Magazine: PrivateGSM e parli con tutti
Cellulare Magazine: PrivateGSM e parli con tuttiCellulare Magazine: PrivateGSM e parli con tutti
Cellulare Magazine: PrivateGSM e parli con tuttiPrivateWave Italia SpA
 
U N I T 10 C O N D I T I O N A L S G O L D I N T E R M E D I A T E ...
U N I T 10 C O N D I T I O N A L S G O L D I N T E R M E D I A T E ...U N I T 10 C O N D I T I O N A L S G O L D I N T E R M E D I A T E ...
U N I T 10 C O N D I T I O N A L S G O L D I N T E R M E D I A T E ...tsisves
 
C:\Fakepath\Genre Power Point
C:\Fakepath\Genre Power PointC:\Fakepath\Genre Power Point
C:\Fakepath\Genre Power Pointmichael foxwell
 
Eltigani Osman.CV
Eltigani Osman.CVEltigani Osman.CV
Eltigani Osman.CVtaaaj
 
Medical Assistance Direct Review 2010
Medical Assistance Direct Review 2010Medical Assistance Direct Review 2010
Medical Assistance Direct Review 2010Chris Alford
 
NeoLibre for a Private University
NeoLibre for a Private UniversityNeoLibre for a Private University
NeoLibre for a Private UniversityNeoLibre
 
What is the worldwide intranet challenge (wic)
What is the worldwide intranet challenge (wic)What is the worldwide intranet challenge (wic)
What is the worldwide intranet challenge (wic)Deloitte Australia
 
Unit 1 specification
Unit 1 specificationUnit 1 specification
Unit 1 specificationBrownr
 
Movt patterns in holding a rugby ball
Movt patterns in holding a rugby ballMovt patterns in holding a rugby ball
Movt patterns in holding a rugby ballrrajanpt
 

Andere mochten auch (20)

Comic Superhasen Teil 2
Comic Superhasen Teil 2Comic Superhasen Teil 2
Comic Superhasen Teil 2
 
Wade Walker
Wade WalkerWade Walker
Wade Walker
 
Cristobal
CristobalCristobal
Cristobal
 
2e Colloque international sur les Technologies en Éducation - Montréal 2014 1...
2e Colloque international sur les Technologies en Éducation - Montréal 2014 1...2e Colloque international sur les Technologies en Éducation - Montréal 2014 1...
2e Colloque international sur les Technologies en Éducation - Montréal 2014 1...
 
Newsletter sample
Newsletter sampleNewsletter sample
Newsletter sample
 
Adoptame Plis
Adoptame PlisAdoptame Plis
Adoptame Plis
 
Ayuda tareas
Ayuda tareasAyuda tareas
Ayuda tareas
 
Cellulare Magazine: PrivateGSM e parli con tutti
Cellulare Magazine: PrivateGSM e parli con tuttiCellulare Magazine: PrivateGSM e parli con tutti
Cellulare Magazine: PrivateGSM e parli con tutti
 
U N I T 10 C O N D I T I O N A L S G O L D I N T E R M E D I A T E ...
U N I T 10 C O N D I T I O N A L S G O L D I N T E R M E D I A T E ...U N I T 10 C O N D I T I O N A L S G O L D I N T E R M E D I A T E ...
U N I T 10 C O N D I T I O N A L S G O L D I N T E R M E D I A T E ...
 
C:\Fakepath\Genre Power Point
C:\Fakepath\Genre Power PointC:\Fakepath\Genre Power Point
C:\Fakepath\Genre Power Point
 
Never Gonna Be Alone
Never Gonna Be AloneNever Gonna Be Alone
Never Gonna Be Alone
 
Mo willems
Mo willemsMo willems
Mo willems
 
Giovanni
GiovanniGiovanni
Giovanni
 
Eltigani Osman.CV
Eltigani Osman.CVEltigani Osman.CV
Eltigani Osman.CV
 
Medical Assistance Direct Review 2010
Medical Assistance Direct Review 2010Medical Assistance Direct Review 2010
Medical Assistance Direct Review 2010
 
NeoLibre for a Private University
NeoLibre for a Private UniversityNeoLibre for a Private University
NeoLibre for a Private University
 
Our Website And Its Purpose2
Our Website And Its Purpose2Our Website And Its Purpose2
Our Website And Its Purpose2
 
What is the worldwide intranet challenge (wic)
What is the worldwide intranet challenge (wic)What is the worldwide intranet challenge (wic)
What is the worldwide intranet challenge (wic)
 
Unit 1 specification
Unit 1 specificationUnit 1 specification
Unit 1 specification
 
Movt patterns in holding a rugby ball
Movt patterns in holding a rugby ballMovt patterns in holding a rugby ball
Movt patterns in holding a rugby ball
 

Ähnlich wie Voice security and privacy - Today’s solutions and technologies

Voice communication security
Voice communication securityVoice communication security
Voice communication securityFabio Pietrosanti
 
DSS - ITSEC Conference - Cellcrypt - Making secure voice calls - Riga Nov2011
DSS - ITSEC Conference - Cellcrypt - Making secure voice calls - Riga Nov2011DSS - ITSEC Conference - Cellcrypt - Making secure voice calls - Riga Nov2011
DSS - ITSEC Conference - Cellcrypt - Making secure voice calls - Riga Nov2011Andris Soroka
 
Information Security 5 06
Information Security 5 06Information Security 5 06
Information Security 5 06johnhewitt_cpp
 
Cybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile EnvironmentCybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile EnvironmentHamilton Turner
 
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP SecurityPLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP SecurityPROIDEA
 
wipo_iis_05_ledwards_cwaelde (1).ppt
wipo_iis_05_ledwards_cwaelde (1).pptwipo_iis_05_ledwards_cwaelde (1).ppt
wipo_iis_05_ledwards_cwaelde (1).pptssuserd26df0
 
Dubai 1
Dubai 1Dubai 1
Dubai 1mmavis
 
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The Law
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The LawBSidesROC 2016 Keynote - Nate Cardozo - The State Of The Law
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The LawBSidesROC
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?Zoltan Balazs
 
Internet Science
Internet ScienceInternet Science
Internet Sciencei_scienceEU
 
By Roberto Preatoni Fabio Ghioni Corp Vs Corp
By Roberto Preatoni Fabio Ghioni Corp Vs CorpBy Roberto Preatoni Fabio Ghioni Corp Vs Corp
By Roberto Preatoni Fabio Ghioni Corp Vs CorpFabio Ghioni
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Zoltan Balazs
 
International laws and standards controlling information security. Latest dev...
International laws and standards controlling information security. Latest dev...International laws and standards controlling information security. Latest dev...
International laws and standards controlling information security. Latest dev...USAID CEED II Project Moldova
 
Anti-Child Porn Act & Privacy (slides from ICT4PHD)
Anti-Child Porn Act & Privacy (slides from ICT4PHD)Anti-Child Porn Act & Privacy (slides from ICT4PHD)
Anti-Child Porn Act & Privacy (slides from ICT4PHD)Winthrop Yu
 
Information Technology and IT act
Information Technology and IT actInformation Technology and IT act
Information Technology and IT actDivesh Mewara
 

Ähnlich wie Voice security and privacy - Today’s solutions and technologies (20)

Voice communication security
Voice communication securityVoice communication security
Voice communication security
 
DSS - ITSEC Conference - Cellcrypt - Making secure voice calls - Riga Nov2011
DSS - ITSEC Conference - Cellcrypt - Making secure voice calls - Riga Nov2011DSS - ITSEC Conference - Cellcrypt - Making secure voice calls - Riga Nov2011
DSS - ITSEC Conference - Cellcrypt - Making secure voice calls - Riga Nov2011
 
Information Security 5 06
Information Security 5 06Information Security 5 06
Information Security 5 06
 
Cybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile EnvironmentCybersecurity Risks In the Mobile Environment
Cybersecurity Risks In the Mobile Environment
 
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP SecurityPLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
PLNOG 5: Rainer Baeder - Fortinet Overview, Fortinet VoIP Security
 
wipo_iis_05_ledwards_cwaelde (1).ppt
wipo_iis_05_ledwards_cwaelde (1).pptwipo_iis_05_ledwards_cwaelde (1).ppt
wipo_iis_05_ledwards_cwaelde (1).ppt
 
Dubai 1
Dubai 1Dubai 1
Dubai 1
 
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The Law
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The LawBSidesROC 2016 Keynote - Nate Cardozo - The State Of The Law
BSidesROC 2016 Keynote - Nate Cardozo - The State Of The Law
 
Whose content? whose revenue? who should be liable for a user's content? jo...
Whose content? whose revenue? who should be liable for a user's content? jo...Whose content? whose revenue? who should be liable for a user's content? jo...
Whose content? whose revenue? who should be liable for a user's content? jo...
 
IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?IoT security is a nightmare. But what is the real risk?
IoT security is a nightmare. But what is the real risk?
 
Internet Science
Internet ScienceInternet Science
Internet Science
 
By Roberto Preatoni Fabio Ghioni Corp Vs Corp
By Roberto Preatoni Fabio Ghioni Corp Vs CorpBy Roberto Preatoni Fabio Ghioni Corp Vs Corp
By Roberto Preatoni Fabio Ghioni Corp Vs Corp
 
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
 
International laws and standards controlling information security. Latest dev...
International laws and standards controlling information security. Latest dev...International laws and standards controlling information security. Latest dev...
International laws and standards controlling information security. Latest dev...
 
Anti-Child Porn Act & Privacy (slides from ICT4PHD)
Anti-Child Porn Act & Privacy (slides from ICT4PHD)Anti-Child Porn Act & Privacy (slides from ICT4PHD)
Anti-Child Porn Act & Privacy (slides from ICT4PHD)
 
Mobile security - Intense overview
Mobile security - Intense overviewMobile security - Intense overview
Mobile security - Intense overview
 
Mis chapter 9
Mis chapter 9Mis chapter 9
Mis chapter 9
 
IOT Security
IOT SecurityIOT Security
IOT Security
 
Information Technology and IT act
Information Technology and IT actInformation Technology and IT act
Information Technology and IT act
 
Raaja kanwar
Raaja kanwarRaaja kanwar
Raaja kanwar
 

Mehr von PrivateWave Italia SpA

PrivateGSM user manual multiplatform_en
PrivateGSM user manual multiplatform_enPrivateGSM user manual multiplatform_en
PrivateGSM user manual multiplatform_enPrivateWave Italia SpA
 
PrivateGSM demo quickstart guide blackberry_en
PrivateGSM demo quickstart guide blackberry_enPrivateGSM demo quickstart guide blackberry_en
PrivateGSM demo quickstart guide blackberry_enPrivateWave Italia SpA
 
PrivateGSM demo quickstart guide iphone_it
PrivateGSM demo quickstart guide iphone_itPrivateGSM demo quickstart guide iphone_it
PrivateGSM demo quickstart guide iphone_itPrivateWave Italia SpA
 
PrivateGSM demo quickstart guide iphone_en
PrivateGSM demo quickstart guide iphone_enPrivateGSM demo quickstart guide iphone_en
PrivateGSM demo quickstart guide iphone_enPrivateWave Italia SpA
 
Private gsm demo quickstart guide nokia_it
Private gsm demo quickstart guide nokia_itPrivate gsm demo quickstart guide nokia_it
Private gsm demo quickstart guide nokia_itPrivateWave Italia SpA
 
PrivateGSM demo quickstart guide nokia_en
PrivateGSM demo quickstart guide nokia_enPrivateGSM demo quickstart guide nokia_en
PrivateGSM demo quickstart guide nokia_enPrivateWave Italia SpA
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateWave Italia SpA
 
Enterprise voip security suite brochure_es
Enterprise voip security suite brochure_esEnterprise voip security suite brochure_es
Enterprise voip security suite brochure_esPrivateWave Italia SpA
 
Enterprise vo ip security suite brochure_it
Enterprise vo ip security suite brochure_itEnterprise vo ip security suite brochure_it
Enterprise vo ip security suite brochure_itPrivateWave Italia SpA
 
Privatewave e marketing communication online
Privatewave e marketing communication onlinePrivatewave e marketing communication online
Privatewave e marketing communication onlinePrivateWave Italia SpA
 
Sicurezza delle comunicazioni nella Pubblica Amministrazione
Sicurezza delle comunicazioni nella Pubblica AmministrazioneSicurezza delle comunicazioni nella Pubblica Amministrazione
Sicurezza delle comunicazioni nella Pubblica AmministrazionePrivateWave Italia SpA
 
Technical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishTechnical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishPrivateWave Italia SpA
 
Khamsa Italia lancia PrivateWave sui social network
Khamsa Italia lancia PrivateWave sui social networkKhamsa Italia lancia PrivateWave sui social network
Khamsa Italia lancia PrivateWave sui social networkPrivateWave Italia SpA
 

Mehr von PrivateWave Italia SpA (20)

PrivateGSM user manual multiplatform_en
PrivateGSM user manual multiplatform_enPrivateGSM user manual multiplatform_en
PrivateGSM user manual multiplatform_en
 
PrivateGSM demo quickstart guide blackberry_en
PrivateGSM demo quickstart guide blackberry_enPrivateGSM demo quickstart guide blackberry_en
PrivateGSM demo quickstart guide blackberry_en
 
PrivateGSM demo quickstart guide iphone_it
PrivateGSM demo quickstart guide iphone_itPrivateGSM demo quickstart guide iphone_it
PrivateGSM demo quickstart guide iphone_it
 
PrivateGSM demo quickstart guide iphone_en
PrivateGSM demo quickstart guide iphone_enPrivateGSM demo quickstart guide iphone_en
PrivateGSM demo quickstart guide iphone_en
 
Private gsm demo quickstart guide nokia_it
Private gsm demo quickstart guide nokia_itPrivate gsm demo quickstart guide nokia_it
Private gsm demo quickstart guide nokia_it
 
PrivateGSM demo quickstart guide nokia_en
PrivateGSM demo quickstart guide nokia_enPrivateGSM demo quickstart guide nokia_en
PrivateGSM demo quickstart guide nokia_en
 
PrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical OverviewPrivateGSM - Voice Encryption Technical Overview
PrivateGSM - Voice Encryption Technical Overview
 
Ict encryption agt_fabio_pietrosanti
Ict encryption agt_fabio_pietrosantiIct encryption agt_fabio_pietrosanti
Ict encryption agt_fabio_pietrosanti
 
Enterprise voip security suite brochure_es
Enterprise voip security suite brochure_esEnterprise voip security suite brochure_es
Enterprise voip security suite brochure_es
 
Enterprise vo ip security suite brochure_it
Enterprise vo ip security suite brochure_itEnterprise vo ip security suite brochure_it
Enterprise vo ip security suite brochure_it
 
Private gsm demol manuale nokia_it
Private gsm demol manuale nokia_itPrivate gsm demol manuale nokia_it
Private gsm demol manuale nokia_it
 
Private gsm demo user_manual_nokia_en
Private gsm demo user_manual_nokia_enPrivate gsm demo user_manual_nokia_en
Private gsm demo user_manual_nokia_en
 
Privatewave e marketing communication online
Privatewave e marketing communication onlinePrivatewave e marketing communication online
Privatewave e marketing communication online
 
Sicurezza delle comunicazioni nella Pubblica Amministrazione
Sicurezza delle comunicazioni nella Pubblica AmministrazioneSicurezza delle comunicazioni nella Pubblica Amministrazione
Sicurezza delle comunicazioni nella Pubblica Amministrazione
 
Technical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - englishTechnical Sheet - PrivateGSM VoIP - english
Technical Sheet - PrivateGSM VoIP - english
 
Technical Sheet - PrivateGSM CSD
Technical Sheet - PrivateGSM CSDTechnical Sheet - PrivateGSM CSD
Technical Sheet - PrivateGSM CSD
 
Technical Sheet - PrivateGSM VoIP
Technical Sheet - PrivateGSM VoIPTechnical Sheet - PrivateGSM VoIP
Technical Sheet - PrivateGSM VoIP
 
Sicurezza per le comunicazioni VoIP
Sicurezza per le comunicazioni VoIP Sicurezza per le comunicazioni VoIP
Sicurezza per le comunicazioni VoIP
 
Khamsa Italia lancia PrivateWave sui social network
Khamsa Italia lancia PrivateWave sui social networkKhamsa Italia lancia PrivateWave sui social network
Khamsa Italia lancia PrivateWave sui social network
 
La sicurezza dei dispositivi mobili
La sicurezza dei dispositivi mobiliLa sicurezza dei dispositivi mobili
La sicurezza dei dispositivi mobili
 

Kürzlich hochgeladen

Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 

Kürzlich hochgeladen (20)

DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 

Voice security and privacy - Today’s solutions and technologies

  • 1. Voice security and privacy: Confidentiality protection today’s protection, today s solutions and upcoming technologies and standards d t d d March 2009 Fabio Pietrosanti CTO @ PrivateWave Pietrosanti, Fabio Pietrosanti 1 www.privatewave.com
  • 2. 1 The need to intercept phone calls Fabio Pietrosanti 2 www.privatewave.com
  • 3. 1 - The need to intercept phone calls Once upon a time... • Communication interception was limited to fixed phone lines • Few companies, Telco monopoly, were involved • The interception was limited in providing useful information for investigation and intelligence needs Fabio Pietrosanti 3 www.privatewave.com
  • 4. 1 - The need to intercept phone calls But now now... • Ubiquitous computing is a reality and mobility is everywhere • Plenty of different operators • Plenty of different technologies (voip, virtual operators, etc) (voip operators • Cross-border communication services complexity • More data can be retrieved (ex: Location data, phone call logs, sms messages, etc,) Fabio Pietrosanti 4 www.privatewave.com
  • 5. 1 - The need to intercept phone calls An appealing business today • Acquiring access to communications today means acquiring *full* access to a person’s life • But who has such a need? Fabio Pietrosanti 5 www.privatewave.com
  • 6. 1 - The need to intercept phone calls Subjects interested in other parties communications • Law Enforcement Agencies • National Secret Services • Foreign Secret services • Almost all large corporations in international context • Outsourced intelligence service providers • Organized crime (those information may require dedicated slides for each subject) Fabio Pietrosanti 6 www.privatewave.com
  • 7. 1 - The need to intercept phone calls Lawful interception Lawful i f l interception i • Action (based on the law) - performed by a network operator / access provider / service provider (NWO/AP/SvP) id i id ( ) - to make certain information available and provide that information to a law enforcement monitoring facility for investigation purposes Fabio Pietrosanti 7 www.privatewave.com
  • 8. 1 - The need to intercept phone calls Unlawful interception Unlawful interception U l f li t ti • Action (against the law) - performed by a government agency / network operator / access provider / service provider (NWO/AP/S P) / t k t id i id (NWO/AP/SvP) Large enterprise / Intelligence Agency / Intelligence professional / disgruntled employee – to make certain information available and provide that information to an interested third party who provided enough budget to proceed to an information collection Fabio Pietrosanti 8 www.privatewave.com
  • 9. 2 Methods to intercept phone calls (do-it-yourself) Fabio Pietrosanti 9 www.privatewave.com
  • 10. 2 - Methods to intercept phone calls Tactical Vs Non-Tactical Vs. Interception • Tactical interception • It directly applies to communication lines • Does not involve the telecommunication operator knowledge • It can be lawful or unlawful • Almost most unlawful interception use Tactical methods l h d Fabio Pietrosanti 10 www.privatewave.com
  • 11. 2 - Methods to intercept phone calls Interception targets and approach • Target Identity • Target Devices • Target Communication lines g • Parametric Interception • Most methods can be cheap, only a few are expensive i Fabio Pietrosanti 11 www.privatewave.com
  • 12. 2 - Methods to intercept phone calls Practical Approach: Once upon a time... • Manual switching cable on Telco offices was an easy task to do. Fabio Pietrosanti 12 www.privatewave.com
  • 13. 2 - Methods to intercept phone calls Practical Approach: Mobile interception (1) • Mobile phones can be intercepted with appropriate equipment (GSM, CDMA, UMTS) • Passive Method (A5 Cracking) • Active Method (Risk of detection) • Active/Passive Method (100% success) Fabio Pietrosanti 13 www.privatewave.com
  • 14. 2 - Methods to intercept phone calls Practical Approach: Mobile interception (2) • Can be leased along with intelligence professionals for 2000 EUR/day list price • In theory they are illegal in their use but, in practice... Ask a quotation to serious investigation agency! Fabio Pietrosanti 14 www.privatewave.com
  • 15. 2 - Methods to intercept phone calls Practical Approach: Mobile interception (3) • Uplink of operators between towers are not encrypted and monitoring devices are even less costly! Fabio Pietrosanti 15 www.privatewave.com
  • 16. 2 - Methods to intercept phone calls Practical Approach: ISDN/PSTN Interception • Simple cable cut gives impressive results! • Budget? Less than 250 USD for a professional equipment transmitting in VHF Fabio Pietrosanti 16 www.privatewave.com
  • 17. 2 - Methods to intercept phone calls Practical approach: Fiber Tapping (VoIP) • Less than 300 USD equipment • Open the bottle, bypass the fiber, get the h l t ffi f th whole traffic of area Fabio Pietrosanti 17 www.privatewave.com
  • 18. 2 - Methods to intercept phone calls Practical approach: DSL copper tapping (VoIP) • Tap directly on ADSL copper with Tactical ADSL probe probe. Fabio Pietrosanti 18 www.privatewave.com
  • 19. 2 - Methods to intercept phone calls Practical Approach: Easy ethernet tapping (VoIP) • From 20 to 150 USD b d t F t budget Fabio Pietrosanti 19 www.privatewave.com
  • 20. 3 The risk of eavesdropping (for people’s safety and democracy) p p y y Fabio Pietrosanti 20 www.privatewave.com
  • 21. 3 - The risk of eavesdropping Quis custodiet ipsos custodes? Who will watch the watchers? • The most important sentence • Reflect on the impact that eavesdropping has on the democracy Fabio Pietrosanti 21 www.privatewave.com
  • 22. 3 - The risk of eavesdropping The human factor: Can we trust all of them together? • Law E f L Enforcement E l t Employee • Telco Employee • Outsourced interception services employee • Technical support employee of interception h i l l fi i products • Any party involved in the process... Fabio Pietrosanti 22 www.privatewave.com
  • 23. 3 - The risk of eavesdropping The h Th human factor: Quiz f t Q i An employee of a Telco, a 1800 USD net salary, working on technical structure is asked by an unknown person to wiretap a certain line. He is given 20k USD in advance What he will do? advance. a) Refuse the offer and report to the authority the request. He has an ethic! b) Accept the offer and execute the taping ) p p g c) Accept and propose also a list price for phone call logs and details on owners of lines Fabio Pietrosanti 23 www.privatewave.com
  • 24. 3 - The risk of eavesdropping The technical f h h i l factor • Most interceptions are done by redirecting p y g and/or copying intercepted traffic to a centralized place • Do you think that the diverted traffic is p protected? NO! • From one place, the LEA office lines, every interception can be intercepted. • VoIP multiplies the risk factor by moving the intercepted traffic over the internet without protection. Fabio Pietrosanti 24 www.privatewave.com
  • 25. 3 - The risk of eavesdropping The political factor and new freedom risks • New parametric interception techniques are able to N ti i t ti t h i bl t detect certain kind of pattern in ALL voice flows. • Language bl kli ti L blacklisting, gender d t ti d detection and d blacklisting, keyword matching give too much power in the hands of few persons and there’s no law on how to deal with it. Fabio Pietrosanti 25 www.privatewave.com
  • 26. 3 - The risk of eavesdropping The political factor in unstable countries • Unstable countries face the issue of cross-agency interception • Wiretapping became a strong cause of political pp g g p instability Fabio Pietrosanti 26 www.privatewave.com
  • 27. 3 - The risk of eavesdropping The Th need of perfectly enforceable d f f tl f bl laws on wiretapping • Laws and procedures for efficient, controlled and guaranteed wiretapping are required • Wiretapping of civil, secret and military agencies has to be regulated and the rules have to be subject to public scrutiny Fabio Pietrosanti 27 www.privatewave.com
  • 28. 3 - The risk of eavesdropping The need of perfectly enforceable laws on wiretapping • USA: Foreign Intelligence Surveillance Act (1978) ll ll ( ) • Church Commitee Report • The Committee finds that information has been collected and disseminated in order to serve the purely political interests of an intelligence agency or the administration, and to influence social policy and political action. • White House officials have requested and obtained p q politically useful information from the FBI, including y , g information on the activities of political opponents or critics. • The FBI has also used intelligence as a vehicle for covert efforts to influence social policy and political action. • NSA Warrantless Wiretapping (Bush Administration) • New York Times: Bush Lets U.S. Spy on Callers Without Courts • “The White House asked The New York Times not to publish this article” • http://www.cfr.org/publication/9763/ • http://www.commondreams.org/headlines05/1216-01.htm Fabio Pietrosanti 28 www.privatewave.com
  • 29. 4 Real R l case, R l world Real ld Real risk scenario Fabio Pietrosanti 29 www.privatewave.com
  • 30. 4 - Real case, Real world, Real risk scenario Global interception: Echelon • USA confirmed their global interception program with the support of Great Britain and New Zealand • European Parliament confirmed that Echelon was used to illegally divert airplane deals to make US company win respect to EU company Fabio Pietrosanti 30 www.privatewave.com
  • 31. 4 - Real case, Real world, Real risk scenario 2006 - Italy: Interception scandals, thousands of persons were profiled, intercepted and someone blackmailed. • Adamo Bove, the head of Security of the Mobile Telco TIM was found “suicided” suicided • The head of secret services was wiretapped • Thousands of people’s phone logs were acquired • A numbers of illegal interception has been done • http://www.edri.org/edrigram/n http://www edri org/edrigram/n umber4.15/italy Fabio Pietrosanti 31 www.privatewave.com
  • 32. 4 - Real case, Real world, Real risk scenario 2005 - Greece: Interception scandals, a bug has been put in Vodafone ICT infrastructure • Costas Tsalikidis has been found dead head of Security of the Mobile Telco was found “suicided” • The prime minister, the chief of minister secret services, a lot of activists have been intercepted • No N responsibility has been found ibilit h b f d • All phone calls were diverted to a bunch of prepaid anonymous SIM p p y cards Fabio Pietrosanti 32 www.privatewave.com
  • 33. 4 - Real case, Real world, Real risk scenario 2001 - Finland: Interception scandals, mobile phones intercepted without warrants • 3 top officials of Finland Security Policy and the head of f the security department of Sonera are charged for illegally intercepting user ill ll i t ti phone calls. • The recording has been going for nearly a year without any formal authorization nor request Fabio Pietrosanti 33 www.privatewave.com
  • 34. 4 - Real case, Real world, Real risk scenario 1996-today 1996 today - Turkey: Continuous interception scandals, blackmailing and transcripts of wiretapping p pp g • Since 1996 in Turkey the political instability has caused a continuous tapping of phone calls of journalists, politicians, journalists politicians military and police representative • Almost every year a scandal gets out Fabio Pietrosanti 34 www.privatewave.com
  • 35. 4 - Real case, Real world, Real risk scenario France: F Political spying by Mitterand causes him to loose election Fabio Pietrosanti 35 www.privatewave.com
  • 36. 4 - Real case, Real world, Real risk scenario 2007 - USA: FBI missed to get authorization for interceptions because of too complicated laws p Fabio Pietrosanti 36 www.privatewave.com
  • 37. 4 - Real case, Real world, Real risk scenario 2009 - C l Colombia: bi Continue the debate and fight on corrupted officials doing wiretapping paid by drug traffickers Fabio Pietrosanti 37 www.privatewave.com
  • 38. 4 - Real case, Real world, Real risk scenario UK: UK Incredibly increased interception power and revelation of past activities Fabio Pietrosanti 38 www.privatewave.com
  • 39. 4 - Real case, Real world, Real risk scenario 1996 - P l d Poland: Plenty of requests by citizens to ombudsman that received illegal transcripts of intercepted phone calls Fabio Pietrosanti 39 www.privatewave.com
  • 40. 4 - Real case, Real world, Real risk scenario 2002 - N th l d Netherlands: Dutch secret services interception equipment brought from Israel is tapping the interceptors • Interception equipment used by Dutch Intelligence agencies was brought from the Israel company Verint. The equipment was leaking information on interception to Israel. • Interception technology is intercepting the interceptor! Another fall into the monitoring systems! Fabio Pietrosanti 40 www.privatewave.com
  • 41. 4 - Real case, Real world, Real risk scenario Conclusion of real world scenarios: The tip of the iceberg • It s It’s a serious problem that affects democracy and freedom, even western “democratic” countries • It’s a concrete and real problem • Only few facts reach the public media Fabio Pietrosanti 41 www.privatewave.com
  • 42. 5 Currently available protection technologies Fabio Pietrosanti 42 www.privatewave.com
  • 43. 5 - Currently available protection technologies Communication technologies C i ti t h l i • Traditional telephony (circuit switched) • ISDN (fixed) • PSTN (fixed) • GSM/CDMA/UMTS (mobile) • SAT (iridium, turaya, inmarsat, etc) • VoIP Telephony (packet switched) p y (p ) • Softphone on PC • Hardware phones • Mobile internet (GPRS, EV-DO, EVDO, etc) Fabio Pietrosanti 43 www.privatewave.com
  • 44. 5 - Currently available protection technologies Authorities for standards • ISO • ITU-T • GSM Consortium i • 3GPP • 3GPP2 • NSA • NATO • IETF • Telecom Industry Association (US interim standards) Fabio Pietrosanti 44 www.privatewave.com
  • 45. 5 - Currently available protection technologies Result of complexity in R lt f l it i technologies and authorities • NO single standard for telephony • NO single standard for security (not even enough!) Fabio Pietrosanti 45 www.privatewave.com
  • 46. 5 - Currently available protection technologies Securing unsecure media • Scrambling Vs Encryption Vs. • Voice connection Vs. Data connection • Creating a digital data path over the media • Circuit Switched: the lossy codec issue ending with “data calls” with... data calls • VoIP: required standardization for interoperability • And what about the signaling? Fabio Pietrosanti 46 www.privatewave.com
  • 47. 5 - Currently available protection technologies Communication technologies Circuit Switched Packet Switched Data Transmission ISDN, GSM,CDMA,UMTS, PSTN, SAT VoIP GPRS / EDGE / UMTS Quality of service Granted Not Granted Coverage Full Only Urban Area Per-packet Per-second Per second Billing (sender/receiver (sender pay) pay) Signaling l Outband b d In-band (over IP) b d( ) Fabio Pietrosanti 47 www.privatewave.com
  • 48. 5 - Currently available protection technologies VoIP basic • SIP is used to transport signaling informations • RTP is used to carry media traffic (audio, video) (audio • Both usually work over UDP protocol Fabio Pietrosanti 48 www.privatewave.com
  • 49. 5 - Currently available protection technologies VoIP Security: media encryption • Born without security in mind (like most technologies) • Encryption has been brought to IETF standard in March 2004 with SRTP (RFC3711), even if it was including a NULL encryptor... • SRTP support “Counter mode” and f8-mode for symmetric encryption and HMAC SHA1 for integrity checking (32bit) ti d HMAC-SHA1 f i t it h ki • There was only one BIG issue, no really secure and efficient key agreement method • MIKEY • SDES Fabio Pietrosanti 49 www.privatewave.com
  • 50. 5 - Currently available protection technologies VoIP Security: SRTP SDES INVITE sips:*97@ietf.org;user=phone SIP/2.0 Via: SIP/2.0/TLS 172.20.25.100:2049;branch=z9hG4bK-s5kcqq8jqjv3;rport From: "123" <sips:123@ietf.org>;tag=mogkxsrhm4 p g; p To: <sips:*97@ietf.org;user=phone> Call-ID: 3c269247a122-f0ee6wcrvkcq@snom360-000413230A07 CSeq: 1 INVITE Max-Forwards: 70 • SDES is the only Contact: <sip:123@172.20.25.100:2049;transport=tls;line=gyhiepdm>;reg-id=1 User-Agent: snom360/6.2.2 widely diffused and Accept: application/sdp Allow: INVITE, ACK, CANCEL, BYE, REFER, OPTIONS, NOTIFY, SUBSCRIBE, PRACK, implemented key MESSAGE, INFO Allow-Events: talk, hold, refer agreement method Supported: timer, 100rel, replaces, callerid Session-Expires: 3600;refresher=uas Min-SE: 90 • It’s transported over d Content-Type: application/sdp Content-Length: 477 SIP v=0 o=root 2071608643 2071608643 IN IP4 172.20.25.100 • So useful and secure! s=call c=IN IP4 172.20.25.100 t=0 0 m=audio 57676 RTP/AVP 0 8 9 2 3 18 4 101 a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:WbTBosdVUZqEb6Htqhn+m3z7wUh4RJVR8nE15GbN a=rtpmap:0 pcmu/8000 a=rtpmap:8 pcma/8000 t 8 /8000 a=rtpmap:9 g722/8000 a=rtpmap:2 g726-32/8000 a=rtpmap:3 gsm/8000 a=rtpmap:18 g729/8000 a=rtpmap:4 g723/8000 a=rtpmap:101 telephone event/8000 a rtpmap:101 telephone-event/8000 a=fmtp:101 0-16 a=ptime:20 a=encryption:optional Fabio Pietrosanti a=sendrecv 50 www.privatewave.com
  • 51. 5 - Currently available protection technologies VoIP Security: SIP/TLS • But SIP channel can be enciphered, there is SIP/TLS • The key can be transported securely between the client and the intermediator (much like the security model of GSM/UMTS between mobile and radio network controller) ll ) Fabio Pietrosanti 51 www.privatewave.com
  • 52. 5 - Currently available protection technologies VoIP Security: end-to-end encryption? • NO! • There’s still a little detail, and in security details matter . • The PBX can always observe and record the key! Fabio Pietrosanti 52 www.privatewave.com
  • 53. 5 - Currently available protection technologies Traditional t l h T diti l telephony: no security it by default • Circuit S it h d T l h Ci it Switched Telephony is considered i id d secure, as much as the Telco network can be considered secure • Standards for secure telephony were built only for governmental use and usually specifications were not available Fabio Pietrosanti 53 www.privatewave.com
  • 54. 5 - Currently available protection technologies Traditional telephony: clipper, born to fail • Clipper Chip was created by White House in 1993 implementing SkipJack algorithm • In 1994 FIPS 185 Escrowed Encryption Standard was approved • AT&T release TD3600E • 56bit encryption b • 4800bps data path over PSTN • In 1996 the project was considered a complete failure • In 1998 skipJack was declassified Fabio Pietrosanti 54 www.privatewave.com
  • 55. 5 - Currently available protection technologies Traditional t l h T diti l telephony: PGPhone PGPh • In 1995 Mr. Philip Zimmermann (2 ‘n) created PGPhone Mr n) • PGPhone was a software for Windows to be used connecting the PC through a modem for dialing the other party • Was using ephemeral Diffie-Hellmann protocol • Was using a short authentication string to detect a man-in-the- man in the middle attack • Unfortunately he was too visionary, in 1996 the internet world was still not ready for such technology ill d f h h l • In 1997 it became abandonware Fabio Pietrosanti 55 www.privatewave.com
  • 56. 5 - Currently available protection technologies Traditional telephony: STE and STU • From 1987 US Government standard using STU III STU-III • A set of cryptographic algorithm inside crypto cards programmed by National Security Agency • In 2004 the STE (Secure Terminal Equipment) succeeded to STU-III • STE now uses the SCIP, Secure Communication Interoperability Protocol, formerly named Future Narrowband Digital Terminal (FNDT) b d l l( ) • SCIP was first used in 2001 in Condor Secure mobile Phone Fabio Pietrosanti 56 www.privatewave.com
  • 57. 5 - Currently available protection technologies Traditional telephony: SCIP • SCIP is also known as the NATO extension of FNDT • Born to work over land line, military radios, communication satellite and Voice over IP (used in us over SIPRNET, Secret Internet Protocol Router Network) • Uses MELPe codec, royalty free only for US Government and NATO • Very narrowband stays at minimum of 2400hz narrowband, (2400bps) as it works also over crap iridium data links • Mr. Obama uses SCIP over a Sectera Phone as a Blackberry replacement Fabio Pietrosanti 57 www.privatewave.com
  • 58. 5 - Currently available protection technologies Traditional telephony: Cryptophone • In 2001 Cryptophone was born and it kept fully open their source code and security protocol design • The company (composed of several xs4all and ccc hackers) build up the product and started selling th d t d t t d lli the hardware phones • Unfortunately the protocol did not get public attention and did not get strong public auditing nor other interoperable use Fabio Pietrosanti 58 www.privatewave.com
  • 59. 6 Upcoming protection technologies Fabio Pietrosanti 59 www.privatewave.com
  • 60. 6 - Upcoming protection technologies Voice Over IP Security: finally end-to-end encryption! • Voice over IP finally got an end-to-end encryption with key agreements methods and new protocol approved by IETF • As a story we all have already seen with OpenPGP/MIME vs S/MIME there are two competing vs. standards • A Hierarchical standard to be integrated within PKI infrastructure - DTLS • A non hierarchical standard with a very high level or paranoid - ZRTP Fabio Pietrosanti 60 www.privatewave.com
  • 61. 6 - Upcoming protection technologies Voice Over IP Security: The main the middle problem Fabio Pietrosanti 61 www.privatewave.com
  • 62. 6 - Upcoming protection technologies Voice Over IP Security: The main the middle problem • Even if the call is ‘encrypted’ it does not mean that is secure • Key agreements can be compromised and security broken if a successful MiTM (Man in The Middle) attack is carried on • MiTM attacks carry hacks and tricks to the cryptographic key exchange making the communication appear “as secure” even if a malicious third party is diverting and wiretapping all the traffic Fabio Pietrosanti 62 www.privatewave.com
  • 63. 6 - Upcoming protection technologies Voice Over IP Security: DTLS & DTLS-SRTP • In March 2006 DTLS (Datagram Transport Layer Security) has been defined to protect UDP )h b d f d streams much like SSL and the successor TLS used in the web world • RTP runs over UDP • In 2008 a method to use DTLS as a key exchange method of SRTP to encipher RTP packets won the standardization path of IETF Fabio Pietrosanti 63 www.privatewave.com
  • 64. 6 - Upcoming protection technologies Voice Over IP Security: DTLS-SRTP • Requires a PKI to be used R i t b d • It completely relies on SIP channel integrity • In order to keep the SIP channel integrity, “Enhanced SIP identity” standard (RFC4475) has to be used • Unfortunately MiTM protection cannot be guaranteed when calling a phone number (+4179123456789) and thus, DTLS- SRTP collapse in providing security • So the basic concept is that DTLS requires a PKI to work, with all the bureocracy and complexity around building it • But B t don’t worry, most of the vendors that anno nced to use orr endors announced se DTLS-SRTP, said that they will provide self-signed certificate. No security assured. Fabio Pietrosanti 64 www.privatewave.com
  • 65. 6 - Upcoming protection technologies Voice Over IP Security: ZRTP • Mr. Mr Zimmermann did it again and by leveraging the old PGPhone concept of 1995, he designed and proposed for standardization ZRTP VoIP security protocol • ZRTP does not use SIP but instead uses in a clever way the RTP packet to perform in-band (inside RTP) key handshake • The concept is simple: what do we need to protect? • The media • So why modify the SIP signaling increasing complexity? • KISS principle always stays ahead • Implemented by Philip Zimmermann (zfoneproject.com), l d b hili i ( f j ) Werner Viettmann (gnutelephony.org), MT5 (unknown non-public implementation) Fabio Pietrosanti 65 www.privatewave.com
  • 66. 6 - Upcoming protection technologies Voice Over IP Security: ZRTP • ZRTP is provided to IETF as a standard (currently in standardization path) as a key initialization method for SRTP • ZRTP uses different key agreements method inside the cryptographic protocol • ECDH • DH • Preshared Key • ZRTP supports PFS (Perfect Forward Secrecy) • Can be used over most signaling protocols that use RTP for media transport (SIP, H.323, Jingle, P2P SIP) Fabio Pietrosanti 66 www.privatewave.com
  • 67. 6 - Upcoming protection technologies Voice Over IP Security: ZRTP • Short Authentication String as a method to detect MiTM wiretapper • the two users at the endpoints verbally compare a shared value displayed at both end • If the value doesn’t match, it f h l d h indicates the presence of someone doing a man in the middle attack Fabio Pietrosanti 67 www.privatewave.com
  • 68. 6 - Upcoming protection technologies Voice Over IP Security: Comparison of key agreements method of SRTP Technology SRTP - SDES SRTP - DTLS SRTP - ZRTP Yes (with Require SIP Yes additional No security complexity) The PBX can see No (but it Yes No the key? depends) Man in the middle iddl No Yes (not always) Yes protection (always) Different Yes implementation Yes No in Q1 2009 Fabio Pietrosanti 68 www.privatewave.com
  • 69. 6 - Upcoming protection technologies Traditional Telephony Security: ZRTP/S • In 2008 Mr. Zimmermann developed jointly with KHAMSA SA an extension of ZRTP to work again, like PGPhone already did in 1995 over traditional 1995, phone lines • ZRTP/S is a communication and security protocol that works over traditional telephony technologies (GSM, UMTS, CDMA IS94a, PSTN, ISDN, SATCOM, BLUETOOTH) • Basically it works over a ‘bitstream channel’ that can be b easily represented lik a ‘ i l connection’ il d like ‘serial i ’ between two devices Fabio Pietrosanti 69 www.privatewave.com
  • 70. 6 - Upcoming protection technologies Traditional Telephony Security: ZRTP/S (Design) • ZRTP/S can be, oversimplifying, a subset of a “compatible” RTP packet refactored to works over narrowband channels • It works over very narrowband links (4800 - 9600bps) • It works over high latency links (GSM CSD and SAT) with a “compressed” ZRTP handshake “ d” h dh k • In order to function over most channels, it requires the usage of narrowband codecs with advanced DTX and CNG features (AMR 4.75, Speex 3.95, MELPe 2.4) • Implemented in open source as additional module to libzrtp • Soon to be released for public and community usage Fabio Pietrosanti 70 www.privatewave.com
  • 71. 6 - Upcoming protection technologies Traditional Telephony: Comparison of technologies Technology SCIP ZRTP/S Cryptophone PGPhone Any (soon Government Business or Usage private and Any only Government free) Interoperable Yes Yes No No Speex, AMR, Codec C d MELPe MELP ACELP N/A MELPe IETF, Cryptophone Peer review NSA/NATO Deprecated p Community itself Fabio Pietrosanti 71 www.privatewave.com
  • 72. Conclusion • Market and technologies are fragmented • Big Telco & Big Governments are against end to end-to- end encryption • A standard must win • The open source and the security communities play a fundamental role • Anyone should think about supporting it Fabio Pietrosanti 72 www.privatewave.com