NEWS: Hotspot sniffer eavesdrops on iPhone [VoIP & video] ..

On 2009-10-25, Jeff Liebermann <jeffl.RemoveThis@cruzio.com> wrote:
> On Sat, 24 Oct 2009 14:06:30 -0700, John Navas
><spamfilter1.RemoveThis@navasgroup.com> wrote:
>> they will eavesdrop on a call between two audience members using
>> popular iPhone applications that route the calls over the conference
>> network.
>>
>>MORE:
>><http://www.theregister.co.uk/2009/10/23/iphone_voip_sniffing_made_easy/>
>
> I guess that might be Skype. I'll believe it when I see it:
><http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/>
><http://intelligencenews.wordpress.com/2009/08/28/02-140/>

No, my guess would be that they're talking about standard,
SIP-based VoIP (mostly because they quote someone from Sipera
about business usage).

Dennis Ferguson

On Sun, 25 Oct 2009 01:33:54 -0500, Dennis Ferguson
<dcferguson DeleteThis @pacbell.net> wrote:

>On 2009-10-25, Jeff Liebermann <jeffl DeleteThis @cruzio.com> wrote:
>> On Sat, 24 Oct 2009 14:06:30 -0700, John Navas
>><spamfilter1 DeleteThis @navasgroup.com> wrote:
>>> they will eavesdrop on a call between two audience members using
>>> popular iPhone applications that route the calls over the conference
>>> network.
>>>
>>>MORE:
>>><http://www.theregister.co.uk/2009/10/23/iphone_voip_sniffing_made_easy/>
>>
>> I guess that might be Skype. I'll believe it when I see it:
>><http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/>
>><http://intelligencenews.wordpress.com/2009/08/28/02-140/>

>No, my guess would be that they're talking about standard,
>SIP-based VoIP (mostly because they quote someone from Sipera
>about business usage).
>
>Dennis Ferguson

Oh well. SIP Sniffing is not rocket science. I use Cain and Abel:
<http://www.oxid.it/ca_um/topics/voip.htm>
or WireShark with a SIP/RTP capture filter:
<http://wiki.wireshark.org/SIP>
<http://wiki.wireshark.org/CaptureFilters> (near bottom of page)
<http://www.wireshark.org/docs/dfref/s/sip.html>
I've never tried it via wireless but as long as I don't have to deal
with WPA encryption, it doesn't seem like much of a challenge.


--
Jeff Liebermann jeffl DeleteThis @cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On Sun, 25 Oct 2009 05:14:17 +0000, Larry <noone RemoveThis @home.com> wrote:

>Download TCPView from the net and install it. Take a look for
>yourselves the shitstorm of Skype IPs that are used on every call. It
>must be a government nightmare....worldwide.

Skype uses a distributed directory, rather than a centralized
directory server. In order to run such a distributed system, each
client shares some of the load resulting in considerable traffic. Very
roughly, each Skype client services between zero and several hundred
directory lookups (supernode), depending on bandwidth. For the
average broadband user, the bandwidth used is about 5Kbit/sec. If you
have a fat pipe, you can disable supernode functionality with a
registry hack in Skype version 3.0 and up.

Anyway, this has nothing to do with VoIP sniffing on the iPhone. We
don't even know if the target application is really Skype or some
other VoIP application.

It might be a virus or trojan residing on the client computer.
<http://www.physorg.com/news171131038.html>
That would be trivial as it would catch the digitized audio directly
from the sound card, before Skype even sees it. It's been done for
recording streaming music, essentially by tapping the clients sound
card. For example:
<http://www.totalrecorder.com/productfr_tr.htm>
If the target VoIP software uses the sound card, I see no reason why
such software could not be used to deliver (i.e. wiretap) the session
in real time.



--
Jeff Liebermann jeffl RemoveThis @cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Larry <noone.TakeThisOut@home.com> wrote in
news:Xns9CAFC997AD82noonehomecom@74.209.131.13:

<snip>

You don't read very well, among other things.

The goal was not to trace the call, but to listen to it. Listen to it
after coming out of your computer and before going to it's next
destination. Listening to it as it gets to your computer. All easily done
by sniffing the hotspot you're computer is using at the time.

But thanks for once again showing that you have no clue about technology.
The only difference between you and John Novice is...well...nothing. Oh
wait- that's not fair- you are much more paranoid.



>

Jeff Liebermann <jeffl.RemoveThis@cruzio.com> wrote in
news:1739e5pakd3spurloajhnke6jibmp9ninv@4ax.com:

>
> <http://www.totalrecorder.com/productfr_tr.htm>
> If the target VoIP software uses the sound card, I see no reason why
> such software could not be used to deliver (i.e. wiretap) the session
> in real time.
>

Total Recorder works quite well both transmit and receive on Skype
calls....

If they got a virus in that would work. Maybe there's ALREADY a virus in a
new Iphone to do just that. God, that'd make a headline Apple would
regret, wouldn't it. Even the apologist fanbois would be furious!

--
Larry

John Blutarsky <bluto.TakeThisOut@faber.com> wrote in
news:Xns9CAF5306F4C6Ablutofabercom@188.40.43.213:

> All easily done
> by sniffing the hotspot you're computer is using at the time

Ok, we ARE talking about VoIP calls, not sellphone calls which are easily
monitored by design at the central switch. We're NOT hooked up to the same
hotspot all the time. Every connection I make to Cricket is a new IP
across a vast range of LEAP Communications IPs, even on the same Cricket
tower. AT home, anyone interested in security is using Ethernet, not wifi,
on a real computer, not a toyphone, confounding the scanners.

Even then, if you make the call from home and they KNOW what channel wifi
you're using, they have to scan 65,535 PORTS and try to figure out which
one of the active ones is used by the randomized, 256-bit encrypted Skype
noise. This takes TIME. TIME they don't have! My call to Mom is only 5
minutes long. The time used by the shitstorm of port calls on my initial
CALL press on Skype is less than a second on a huge range of IPs and PORTS
across my wifi connection, as listed in my other post of an actual call.
The key is long gone before they even figure out I'm making a call.

You guys watch way too many spy movies and give the government hacks way
too much credit. I know some NSA guys and have known them for years.
They're not that smart, really! Throwing money and massive computers at
this isn't going to be any better than the dumbest programmer in the
office. Notice how the articles say they are STILL trying to crack
it....after how many years of Skype? Duhh...


--
Larry

Larry <noone.TakeThisOut@home.com> wrote in
news:Xns9CAF95CCD9743noonehomecom@74.209.131.13:


>
> You guys watch way too many spy movies and give the government hacks
> way too much credit.


So says the alt.cellular.* bulk tinfoil buyer.

On 2009-10-25, Jeff Liebermann <jeffl RemoveThis @cruzio.com> wrote:
> On Sun, 25 Oct 2009 01:33:54 -0500, Dennis Ferguson
><dcferguson RemoveThis @pacbell.net> wrote:
>
>>On 2009-10-25, Jeff Liebermann <jeffl RemoveThis @cruzio.com> wrote:
>>> On Sat, 24 Oct 2009 14:06:30 -0700, John Navas
>>><spamfilter1 RemoveThis @navasgroup.com> wrote:
>>>> they will eavesdrop on a call between two audience members using
>>>> popular iPhone applications that route the calls over the conference
>>>> network.
>>>>
>>>>MORE:
>>>><http://www.theregister.co.uk/2009/10/23/iphone_voip_sniffing_made_easy/>
>>>
>>> I guess that might be Skype. I'll believe it when I see it:
>>><http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/>
>>><http://intelligencenews.wordpress.com/2009/08/28/02-140/>
>
>>No, my guess would be that they're talking about standard,
>>SIP-based VoIP (mostly because they quote someone from Sipera
>>about business usage).
>
> Oh well. SIP Sniffing is not rocket science. I use Cain and Abel:
><http://www.oxid.it/ca_um/topics/voip.htm>
> or WireShark with a SIP/RTP capture filter:
><http://wiki.wireshark.org/SIP>
><http://wiki.wireshark.org/CaptureFilters> (near bottom of page)
><http://www.wireshark.org/docs/dfref/s/sip.html>
> I've never tried it via wireless but as long as I don't have to deal
> with WPA encryption, it doesn't seem like much of a challenge.

I think the ARP cache pollution they do to get everyone to send
the packets they want through the PC doing the tap is kind of
cute (though this may just show my ignorance of the state of the
art for this stuff), but you are right that none of that is rocket
science.

They do mention, however, that Sipera plans to introduce a SIP/RTP
encryption product next week, so demonstrating how low the bar
is for wiretapping SIP-based VoIP with a nice applicaton is
probably good marketing. Of course iPhone applications in
particular could also secure this stuff by sending it over the 3G
phone company connection rather than WiFi, but I don't think Apple's
restrictions on what applications can do on the phone are there
to protect their users' best interests.

Dennis Ferguson

On Sun, 25 Oct 2009 22:55:05 -0500, Dennis Ferguson
<dcferguson RemoveThis @pacbell.net> wrote:

>I think the ARP cache pollution they do to get everyone to send
>the packets they want through the PC doing the tap is kind of
>cute (though this may just show my ignorance of the state of the
>art for this stuff), but you are right that none of that is rocket
>science.

You don't really need a man-in-the-middle type of exploit in order to
sniff SIP traffic. It can be done by simply taping the ethernet
cable, or sniffing the 802.11 traffic. I don't know why that was
included. The only problem is that stock NDIS5 Windoze driver does
not have a wireless monitor mode sniffing ability. That means you can
only sniff traffic to/from a device to which you are connected.
Monitor mode (and promiscuous mode) work fine for wired ethernet, but
not for 802.11.
<http://en.wikipedia.org/wiki/Monitor_mode>
CACE has a monitor/promiscuous mode driver for Windoze that will work.
<http://www.cacetech.com/products/airpcap.html>
Wireless sniffing with Linux works just fine.

>They do mention, however, that Sipera plans to introduce a SIP/RTP
>encryption product next week, so demonstrating how low the bar
>is for wiretapping SIP-based VoIP with a nice applicaton is
>probably good marketing.

The hints of impending disclosure of a possible serious vulnerability
might have inspired Sipera to pre-announce new encryption technology.
If the exploit fizzles, or there's no clamor for encryption, they'll
just quietly drop the idea. Incidentally, I couldn't find a link to
such a product announcement. Oh, it's Sipera, not Sipura/Linksys. One
of these daze, I'll get them straight.
<http://www.sipera.com>

>Of course iPhone applications in
>particular could also secure this stuff by sending it over the 3G
>phone company connection rather than WiFi, but I don't think Apple's
>restrictions on what applications can do on the phone are there
>to protect their users' best interests.

There are no current restrictions on VoIP over 3G on the iPhone.
However, making phone calls over 3G is silly. The cost per byte is
much more than over Wi-Fi. The main draw is free (or almost free)
phone calls using a coffee shop, home, office, airport, hotspot at
costs far less than cellular.

>Dennis Ferguson
--
Jeff Liebermann jeffl RemoveThis @cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Meanwhile, at the alt.internet.wireless Job Justification Hearings, Larry chose
the tried and tested strategy of:

> Even then, if you make the call from home and they KNOW what channel wifi
> you're using, they have to scan 65,535 PORTS and try to figure out which
> one of the active ones is used by the randomized, 256-bit encrypted Skype
> noise.

What on earth are you talking about? If somebody's intercepting your wireless
traffic, they're not going to be scanning any ports. Fire up Wireshark some time
and you'll see what I mean.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
09:37:57 up 8 days, 4:32, 4 users, load average: 0.14, 0.16, 0.17
"Stupid is a condition. Ignorance is a choice" -- Wiley Miller

On 2009-10-26, Jeff Liebermann <jeffl.DeleteThis@cruzio.com> wrote:
> On Sun, 25 Oct 2009 22:55:05 -0500, Dennis Ferguson
><dcferguson.DeleteThis@pacbell.net> wrote:
>
>>I think the ARP cache pollution they do to get everyone to send
>>the packets they want through the PC doing the tap is kind of
>>cute (though this may just show my ignorance of the state of the
>>art for this stuff), but you are right that none of that is rocket
>>science.
>
> You don't really need a man-in-the-middle type of exploit in order to
> sniff SIP traffic. It can be done by simply taping the ethernet
> cable, or sniffing the 802.11 traffic. I don't know why that was
> included. The only problem is that stock NDIS5 Windoze driver does

Sure, except there's a whole bunch of ethernet cables but only a
few of them will be carrying the traffic you want to look at. Ethernets
are always L2-routed by switches these days so if you plug into a random
port in a switch on the network the only third party traffic you'll see
coming out are multicasts, not someone else's RTP. If you want to see
unicast traffic to and from a particular host you need to physically
insert yourself into the wire which connects that host to its switch port,
or the wire which attaches the router the host is using to a switch port,
or one of the interswitch trunks between the host's switch and the
router's switch, without anyone noticing. That's 3 or 5 particular
wires that you'd need to attach to, out of maybe 100's or even 1000's
on a big network. And for a passive 802.11 tap you'd need to not only
be hearing the same AP as the client you're interested in but also
close enough to hear the client's transmissions in the other direction.

Compared to this the ARP thing is very nice. If you know who you want
to hear then just connect to the network anywhere, at any random
switch port or any AP on the same ethernet (not necessarily even in
the same room, or building) and arrange for the particular traffic
you want to look at to be delivered directly to where you are by
the network.

>>Of course iPhone applications in
>>particular could also secure this stuff by sending it over the 3G
>>phone company connection rather than WiFi, but I don't think Apple's
>>restrictions on what applications can do on the phone are there
>>to protect their users' best interests.
>
> There are no current restrictions on VoIP over 3G on the iPhone.
> However, making phone calls over 3G is silly. The cost per byte is
> much more than over Wi-Fi. The main draw is free (or almost free)
> phone calls using a coffee shop, home, office, airport, hotspot at
> costs far less than cellular.

I didn't know they'd removed that restriction. I don't get the
cost thing, though, at least if we're talking about costs the user
pays (and I'm not sure why the user would care about anything else).
iPhone data plans are flat rate unlimited on AT&T so the marginal
cost for using the phone company's network is the same as WiFi,
i.e. free or close to it. If VoIP-over-3G isn't popular (and I'd
bet that's the case if the phone company, which does pay the
costs, isn't complaining about it any more) I'd bet it has more
to do with the delays their network introduces.

Dennis Ferguson