Vonage voice conversation may be vulnerable to eavesdropping

Advisory Number: VIPER-2007-052
Release Date: 2007.10.24
Source: Sipera VIPER Lab
Systems Affected: Vonage Motorola Phone Adapter (VT 2142-VD)
Category: Eavesdropping
Severity: High

Overview

Unencrypted RTP packets in IP-based communication can be captured and used to reconstruct the media (e.g., voice or video), compromising the confidentiality of the communication. The Vonage phone service does not encrypt voice conversation packets, leaving it vulnerable to eavesdropping.

Impact

An eavesdropper can listen to confidential voice conversations or watch confidential video communication. It may not be possible for the communicating parties to become aware of such eavesdropping.

Description

Vonage uses the RTP protocol to transport packetized voice conversations over the IP network. However, this RTP is not encrypted, so the media can be reconstructed once the packets have been captured from the network. This compromises the confidentiality of the communication. Additionally, the availability of several free tools that reconstruct media from captured RTP packets further increases the threat.

Solution

RTP packets must be encrypted using SRTP. The SRTP key negotiation channel must also be secured against such eavesdropping.
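
One way to check a deployment against both requirements above, as an added example that is not part of the advisory or Sipera's code. It assumes the session is described in SDP and that SRTP keys are exchanged either in `a=crypto` lines (SDES) or through DTLS-SRTP; `audit_sdp`, the verdict names and the sample SDP bodies are hypothetical and constructed for illustration.

```python
# Added example (not from the advisory): audit an SDP body for the two
# conditions in the Solution section. Assumes SRTP is negotiated via SDP.
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

# Constructed sample inputs (documentation address, placeholder key).
PLAIN_SDP = """v=0
o=- 0 0 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""
SDES_SDP = PLAIN_SDP.replace("RTP/AVP", "RTP/SAVP") + (
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED_PLACEHOLDER_KEY\n"
)


def audit_sdp(sdp, signaling_encrypted):
    """Return [(media, verdict)] for each m= section of an SDP body."""
    session_attrs, sections = [], []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            media, _port, proto = (line[2:].split() + ["", "", ""])[:3]
            sections.append({"media": media, "proto": proto.upper(), "attrs": []})
        elif line.startswith("a="):
            (sections[-1]["attrs"] if sections else session_attrs).append(line[2:])
    findings = []
    for s in sections:
        # a=crypto (SDES) is media-level; a=fingerprint (DTLS-SRTP) may be session-level.
        has_sdes = any(a.startswith("crypto:") for a in s["attrs"])
        has_dtls = any(a.startswith("fingerprint:") for a in s["attrs"] + session_attrs)
        if s["proto"] not in SRTP_PROFILES:
            verdict = "PLAIN_RTP"          # media is unencrypted
        elif has_sdes and not signaling_encrypted:
            verdict = "SRTP_KEY_EXPOSED"   # key readable on the signaling path
        elif has_sdes or has_dtls:
            verdict = "SRTP_OK"
        else:
            verdict = "SRTP_NO_KEYING"     # SRTP profile offered, no key exchange
        findings.append((s["media"], verdict))
    return findings


if __name__ == "__main__":
    for name, sdp, tls in [("plain", PLAIN_SDP, False), ("sdes/udp", SDES_SDP, False),
                           ("sdes/tls", SDES_SDP, True)]:
        print(name, audit_sdp(sdp, tls))
```

The `SRTP_KEY_EXPOSED` verdict corresponds to the second sentence of the Solution: with SDES, the media is encrypted but the key travels in the signaling, so the signaling itself has to be protected.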

For more information on any of these threat advisories, please email Sipera VIPER Lab at viper@sipera.com
