Further to the research already done on unlicensed mobile access (UMA) by our security researchers, I've been looking at a couple of alternatives to UMA services. As you’ll recall, most UMA threats concern increased exposure of the operator’s core network, because UMA services are basically an extension of that network and its protocols.
The services that I’ve been looking at are very similar but are not true UMA in this regard; rather, they may be best described as Mobile VoIP. A new crop of providers is appearing in this space, fuelled by WiFi-capable smart phone handsets. And, when they do appear, they don’t have any of the operator baggage to worry about, so they are free to adopt the next generation standards rather than modify existing ones.
So, where’s the security point to this post? Well, when I say “looked at” these services, I didn’t mean admiring the user interface. I set up a couple of handsets in the Symantec lab and decided to sift through the network traffic going past to see what’s going on behind the scenes. As expected, the technology takes advantage of the built-in SIP stack on my new smart phone. The SIP protocol is probably the most widely adopted standards-based answer for internet-based VoIP – partly due to its simplicity compared to the bulkier H.323 suite and other more proprietary protocols. SIP lends itself well to a mobile phone replacement application – we have the presence mechanism for finding out when the handset is “in coverage” and ready to receive calls, the straightforward call setup using INVITE, and of course MESSAGE for sending and receiving SMS (text messages).
I was surprised to find a couple of things. Firstly, despite the security features supported by my handset, the SIP call setup dialog was completely unencrypted. Secondly, so was the audio! And thirdly, so was the text messaging functionality. On top of this, I was quite surprised by the fact that the “user agent” header included my (globally unique) wireless hardware address!
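The exposures listed above can be checked for mechanically in SIP messages captured from your own handset. The following is an added example, not code from the original post: the function names, finding labels and sample messages are constructed for illustration, and it assumes unfolded headers and one message per string.

```python
import re

# Heuristic: MAC address in colon/hyphen form or as 12 bare hex digits.
MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b|\b[0-9A-Fa-f]{12}\b")

def parse_sip(raw):
    """Split one SIP message into (start_line, headers, body). No header folding."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body

def audit(raw):
    """Return the sorted exposure findings for one SIP message."""
    start, headers, body = parse_sip(raw)
    found = set()
    # Via names the transport: SIP/2.0/UDP and /TCP are cleartext, /TLS is not.
    for via in headers.get("via", []) + headers.get("v", []):
        if via and via.split()[0].upper().rsplit("/", 1)[-1] != "TLS":
            found.add("cleartext-signalling")
    if any(MAC_RE.search(ua) for ua in headers.get("user-agent", [])):
        found.add("hardware-address-in-user-agent")
    # SDP media line: RTP/AVP is plain RTP, RTP/SAVP (and SAVPF) is SRTP.
    for line in body.split("\r\n"):
        if line.startswith("m=audio") and "RTP/SAVP" not in line:
            found.add("unencrypted-audio")
    # A MESSAGE request carries the text itself in the body.
    if start.startswith("MESSAGE ") and body.strip() and "cleartext-signalling" in found:
        found.add("cleartext-text-message")
    return sorted(found)

# Constructed sample messages (documentation addresses, made-up identifiers).
COMMON = ["From: <sip:a@example.net>;tag=1", "To: <sip:b@example.net>", "Call-ID: c1@192.0.2.10"]
INVITE = "\r\n".join(["INVITE sip:b@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK1", *COMMON, "CSeq: 1 INVITE",
    "User-Agent: ExamplePhone/1.0 00-11-22-AA-BB-CC", "Content-Type: application/sdp",
    "", "v=0", "c=IN IP4 192.0.2.10", "m=audio 49170 RTP/AVP 0"])
MESSAGE = "\r\n".join(["MESSAGE sip:b@example.net SIP/2.0",
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK2", *COMMON, "CSeq: 2 MESSAGE",
    "Content-Type: text/plain", "", "see you at 8"])
HARDENED = "\r\n".join(["INVITE sips:b@example.net SIP/2.0",
    "Via: SIP/2.0/TLS 192.0.2.10:5061;branch=z9hG4bK3", *COMMON, "CSeq: 3 INVITE",
    "User-Agent: ExamplePhone/1.0", "Content-Type: application/sdp",
    "", "v=0", "c=IN IP4 192.0.2.10", "m=audio 49170 RTP/SAVP 0"])

if __name__ == "__main__":
    print(audit(INVITE), audit(MESSAGE), audit(HARDENED))
```

The hardened sample shows what the same call setup looks like when signalling runs over TLS, the media line offers SRTP, and the User-Agent carries no hardware identifier.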
Communication security in the VoIP space is something which has been dragging on for a while. Different parts of different protocols may or may not be secured in different ways. This is complicated by the fact that everything has to be done in (as close to) real-time as possible – in the case of Mobile VoIP, this would also need to contend with the challenges of a relatively low-powered handheld device. Given that most public wireless hotspots are unencrypted by their very nature – and that roaming agreements are popping up all over the place for Mobile VoIP users to “roam” into hot spotted areas (almost like the French BI-BOP system!) – this is a phenomenal change to the security position of a mobile telephone call or text message.
The question is, why are we concerned? Why is this any different from SMTP email traversing the Internet in plaintext, or any different from the other SIP providers out there who often offer little or no opportunity for privacy? The answer to this is: perception. We are told not to use email to contact our banks, but to pick up the phone and use that instead. We are led to understand that it would take the intelligence powers of a major western nation to break GSM encryption, or for a telephone company insider to read our text messages. But to listen in on someone using Mobile VoIP in your local hot spotted café? A couple of freely available tools and an off-the-shelf laptop should be enough.