NEWS: Hotspot sniffer eavesdrops on iPhone [VoIP & video] in real-time

People who use public WiFi to make iPhone calls or conduct video
conferences take heed: It just got a lot easier to monitor your
conversations in real time.

At a talk scheduled for Saturday at the Toorcon hacker conference in
San Diego, two security researchers plan to show the latest advances
in the open-source UCSniff tool for penetrating
voice-over-internet-protocol systems. With a few clicks of a mouse,
they will eavesdrop on a call between two audience members using
popular iPhone applications that route the calls over the conference
network.

...

"If we can do this, there are many, many people out there who can do
this. It's not rocket science," ...

MORE:
<http://www.theregister.co.uk/2009/10/23/iphone_voip_sniffing_made_easy/>

--
Best regards,
John <http:/navasgroup.com>

If the iPhone is really so impressive,
why do iFans keep making excuses for it?

On Sat, 24 Oct 2009 14:06:30 -0700, John Navas
<spamfilter1@navasgroup.com> wrote:
> they will eavesdrop on a call between two audience members using
> popular iPhone applications that route the calls over the conference
> network.
>
>MORE:
><http://www.theregister.co.uk/2009/10/23/iphone_voip_sniffing_made_easy/>

I guess that might be Skype. I'll believe it when I see it:
<http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/>
<http://intelligencenews.wordpress.com/2009/08/28/02-140/>

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

John Navas <spamfilter1@navasgroup.com> wrote in
news:1tq6e59ek5ld1sjmtqa568btrbg50330f1@4ax.com:

> People who use public WiFi to make iPhone calls or conduct video
> conferences take heed: It just got a lot easier to monitor your
> conversations in real time.
>
> At a talk scheduled for Saturday at the Toorcon hacker conference
in
> San Diego, two security researchers plan to show the latest
advances
> in the open-source UCSniff tool for penetrating
> voice-over-internet-protocol systems. With a few clicks of a mouse,
> they will eavesdrop on a call between two audience members using
> popular iPhone applications that route the calls over the
conference
> network.
>
>

I'd love to see 'em do it to a Skype phone call of 5 minutes duration
over any open wifi you choose. I want to hear the voice recording of
the conversation as proof they can do it that quickly.

"Bullshit" comes to mind.

1 - Skype uses ANY of the 65,535 port numbers, making it hard to find in
the first place...lots of port scanning to start with.

After finding which port your Skype is using, say port 49,273 for grins,
they can start working on the per-call 256-bit encryption they don't
have the key for that changes with every call.

Now, can they do all that within the 5 minutes of my phone call?

Bullshit.....pure bullshit....even if they have my current sellphone IP,
which changes with every call, also.

My call is long over before they even identify the data stream.....5
minutes, 300 seconds.....NOT THROUGH A SERVER, IP to IP, through a
massive network of Skype users' computers used as network interface in
background.

At 0047 EDT 10/25/09, My Skype is connected for interface data to:
Skype.exe:10308 TCP schultz:1184 cpe-24-210-197-
182.woh.res.rr.com:36334 ESTABLISHED

Skype.exe:10308 TCP schultz:54683 69.171.167.3:55703 ESTABLISHED

That last IP seems to be on Leap Wireless (Cricket is Leap) in
Charlotte, NC, that does have Cricket service. My trace to it stopped
at:
9 4.69.132.161 25ms 24ms 25ms TTL: 0 (ae-4-
4.car1.Charlotte1.Level3.net ok)
10 4.71.124.58 26ms 25ms 26ms TTL: 0 (LEAP-
WIRELE.car1.Charlotte1.Level3.net ok)

How are the bullshit experts at NSA going to suck my data off this guy's
Cricket aircard and his netbook at Bert's Bar on port 54683? Hell, how
are they ever going to find it?!

Where's woh on Road Runner...res means it's a residence, somebody's
desktop. I can see a small amount of encrypted data going through these
connections with my sniffer.

Oops, the netbook on Cricket just dropped offline. I made a test call
then paused TCPView to save the paths it opened to complete this call.
Here's a list of stations just calling Skype Test in England opened:
163-161.static.quiettouch.com:63082
213.244.170.76:11079
193.88.6.12:60825
78.141.177.72:30819
78.141.177.73:41988
212.8.163.80:25585
212.8.163.80:8560
193.88.6.12:16386
213.244.170.77:63122
213.244.170.77:58692
213.244.170.76:47828
212.8.163.80:27650

These orts were open for about .8 seconds until the key was passed, I
can only assume through a few of them, one of them, all of them....who
knows? Then, these ports were dumped to System Process in Time_wait.

78.141.177.73:39688 stayed open and is my new port to replace the
netbook that died as this call completed. My new Skype partner seems to
be in Luxembourg? NSA got a PC at his house?

8 64.215.80.102 125ms 124ms 125ms TTL: 0 (P-T-LUXEMBOURG.Te4-
4.1162.ar4.AMS2.gblx.net probable bogus rDNS: No DNS)
9 213.166.61.202 133ms 133ms 130ms TTL: 0 (PTLUX-Teralink-
Frankfurt.pt.lu fraudulent rDNS)
10 213.166.61.206 126ms 125ms 131ms TTL: 0 (No rDNS)
11 213.135.247.105 * * 126ms TTL: 0 (No rDNS)
12 213.135.247.102 126ms 126ms 127ms TTL: 0 (No rDNS)
13 78.141.177.73 126ms 125ms 126ms TTL: 48 (No rDNS)


So, how in hell do you think this crazy stream of crazy IPs all over the
place on all these random ports is going to be detected, decoded,
decrypted before my 5 minute phone call to Mom is OVER?!

It's not.......All the propaganda bullshit isn't going to do it...like
the news article I posted says....

Download TCPView from the net and install it. Take a look for
yourselves the shitstorm of Skype IPs that are used on every call. It
must be a government nightmare....worldwide.

--
Larry

On 2009-10-25, Jeff Liebermann <jeffl@cruzio.com> wrote:
> On Sat, 24 Oct 2009 14:06:30 -0700, John Navas
><spamfilter1@navasgroup.com> wrote:
>> they will eavesdrop on a call between two audience members using
>> popular iPhone applications that route the calls over the conference
>> network.
>>
>>MORE:
>><http://www.theregister.co.uk/2009/10/23/iphone_voip_sniffing_made_easy/>
>
> I guess that might be Skype. I'll believe it when I see it:
><http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/>
><http://intelligencenews.wordpress.com/2009/08/28/02-140/>

No, my guess would be that they're talking about standard,
SIP-based VoIP (mostly because they quote someone from Sipera
about business usage).

Dennis Ferguson

Larry <noone@home.com> wrote in
news:Xns9CAFC997AD82noonehomecom@74.209.131.13:

<snip>

You don't read very well, among other things.

The goal was not to trace the call, but to listen to it. Listen to it
after coming out of your computer and before going to it's next
destination. Listening to it as it gets to your computer. All easily done
by sniffing the hotspot you're computer is using at the time.

But thanks for once again showing that you have no clue about technology.
The only difference between you and John Novice is...well...nothing. Oh
wait- that's not fair- you are much more paranoid.



>

On Sun, 25 Oct 2009 01:33:54 -0500, Dennis Ferguson
<dcferguson@pacbell.net> wrote:

>On 2009-10-25, Jeff Liebermann <jeffl@cruzio.com> wrote:
>> On Sat, 24 Oct 2009 14:06:30 -0700, John Navas
>><spamfilter1@navasgroup.com> wrote:
>>> they will eavesdrop on a call between two audience members using
>>> popular iPhone applications that route the calls over the conference
>>> network.
>>>
>>>MORE:
>>><http://www.theregister.co.uk/2009/10/23/iphone_voip_sniffing_made_easy/>
>>
>> I guess that might be Skype. I'll believe it when I see it:
>><http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/>
>><http://intelligencenews.wordpress.com/2009/08/28/02-140/>

>No, my guess would be that they're talking about standard,
>SIP-based VoIP (mostly because they quote someone from Sipera
>about business usage).
>
>Dennis Ferguson

Oh well. SIP Sniffing is not rocket science. I use Cain and Abel:
<http://www.oxid.it/ca_um/topics/voip.htm>
or WireShark with a SIP/RTP capture filter:
<http://wiki.wireshark.org/SIP>
<http://wiki.wireshark.org/CaptureFilters> (near bottom of page)
<http://www.wireshark.org/docs/dfref/s/sip.html>
I've never tried it via wireless but as long as I don't have to deal
with WPA encryption, it doesn't seem like much of a challenge.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

On Sun, 25 Oct 2009 05:14:17 +0000, Larry <noone@home.com> wrote:

>Download TCPView from the net and install it. Take a look for
>yourselves the shitstorm of Skype IPs that are used on every call. It
>must be a government nightmare....worldwide.

Skype uses a distributed directory, rather than a centralized
directory server. In order to run such a distributed system, each
client shares some of the load resulting in considerable traffic. Very
roughly, each Skype client services between zero and several hundred
directory lookups (supernode), depending on bandwidth. For the
average broadband user, the bandwidth used is about 5Kbit/sec. If you
have a fat pipe, you can disable supernode functionality with a
registry hack in Skype version 3.0 and up.

Anyway, this has nothing to do with VoIP sniffing on the iPhone. We
don't even know if the target application is really Skype or some
other VoIP application.

It might be a virus or trojan residing on the client computer.
<http://www.physorg.com/news171131038.html>
That would be trivial as it would catch the digitized audio directly
from the sound card, before Skype even sees it. It's been done for
recording streaming music, essentially by tapping the clients sound
card. For example:
<http://www.totalrecorder.com/productfr_tr.htm>
If the target VoIP software uses the sound card, I see no reason why
such software could not be used to deliver (i.e. wiretap) the session
in real time.



--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Jeff Liebermann <jeffl@cruzio.com> wrote in
news:1739e5pakd3spurloajhnke6jibmp9ninv@4ax.com:

>
> <http://www.totalrecorder.com/productfr_tr.htm>
> If the target VoIP software uses the sound card, I see no reason why
> such software could not be used to deliver (i.e. wiretap) the session
> in real time.
>

Total Recorder works quite well both transmit and receive on Skype
calls....

If they got a virus in that would work. Maybe there's ALREADY a virus in a
new Iphone to do just that. God, that'd make a headline Apple would
regret, wouldn't it. Even the apologist fanbois would be furious!

--
Larry

John Blutarsky <bluto@faber.com> wrote in
news:Xns9CAF5306F4C6Ablutofabercom@188.40.43.213:

> All easily done
> by sniffing the hotspot you're computer is using at the time

Ok, we ARE talking about VoIP calls, not sellphone calls which are easily
monitored by design at the central switch. We're NOT hooked up to the same
hotspot all the time. Every connection I make to Cricket is a new IP
across a vast range of LEAP Communications IPs, even on the same Cricket
tower. AT home, anyone interested in security is using Ethernet, not wifi,
on a real computer, not a toyphone, confounding the scanners.

Even then, if you make the call from home and they KNOW what channel wifi
you're using, they have to scan 65,535 PORTS and try to figure out which
one of the active ones is used by the randomized, 256-bit encrypted Skype
noise. This takes TIME. TIME they don't have! My call to Mom is only 5
minutes long. The time used by the shitstorm of port calls on my initial
CALL press on Skype is less than a second on a huge range of IPs and PORTS
across my wifi connection, as listed in my other post of an actual call.
The key is long gone before they even figure out I'm making a call.

You guys watch way too many spy movies and give the government hacks way
too much credit. I know some NSA guys and have known them for years.
They're not that smart, really! Throwing money and massive computers at
this isn't going to be any better than the dumbest programmer in the
office. Notice how the articles say they are STILL trying to crack
it....after how many years of Skype? Duhh...


--
Larry

Larry <noone@home.com> wrote in
news:Xns9CAF95CCD9743noonehomecom@74.209.131.13:


>
> You guys watch way too many spy movies and give the government hacks
> way too much credit.


So says the alt.cellular.* bulk tinfoil buyer.

On 2009-10-25, Jeff Liebermann <jeffl@cruzio.com> wrote:
> On Sun, 25 Oct 2009 01:33:54 -0500, Dennis Ferguson
><dcferguson@pacbell.net> wrote:
>
>>On 2009-10-25, Jeff Liebermann <jeffl@cruzio.com> wrote:
>>> On Sat, 24 Oct 2009 14:06:30 -0700, John Navas
>>><spamfilter1@navasgroup.com> wrote:
>>>> they will eavesdrop on a call between two audience members using
>>>> popular iPhone applications that route the calls over the conference
>>>> network.
>>>>
>>>>MORE:
>>>><http://www.theregister.co.uk/2009/10/23/iphone_voip_sniffing_made_easy/>
>>>
>>> I guess that might be Skype. I'll believe it when I see it:
>>><http://www.theregister.co.uk/2009/02/12/nsa_offers_billions_for_skype_pwnage/>
>>><http://intelligencenews.wordpress.com/2009/08/28/02-140/>
>
>>No, my guess would be that they're talking about standard,
>>SIP-based VoIP (mostly because they quote someone from Sipera
>>about business usage).
>
> Oh well. SIP Sniffing is not rocket science. I use Cain and Abel:
><http://www.oxid.it/ca_um/topics/voip.htm>
> or WireShark with a SIP/RTP capture filter:
><http://wiki.wireshark.org/SIP>
><http://wiki.wireshark.org/CaptureFilters> (near bottom of page)
><http://www.wireshark.org/docs/dfref/s/sip.html>
> I've never tried it via wireless but as long as I don't have to deal
> with WPA encryption, it doesn't seem like much of a challenge.

I think the ARP cache pollution they do to get everyone to send
the packets they want through the PC doing the tap is kind of
cute (though this may just show my ignorance of the state of the
art for this stuff), but you are right that none of that is rocket
science.

They do mention, however, that Sipera plans to introduce a SIP/RTP
encryption product next week, so demonstrating how low the bar
is for wiretapping SIP-based VoIP with a nice applicaton is
probably good marketing. Of course iPhone applications in
particular could also secure this stuff by sending it over the 3G
phone company connection rather than WiFi, but I don't think Apple's
restrictions on what applications can do on the phone are there
to protect their users' best interests.

Dennis Ferguson

In article <slrnhea7cp.1p0.dcferguson@akit-ferguson.com>, Dennis
Ferguson <dcferguson@pacbell.net> wrote:

> Of course iPhone applications in
> particular could also secure this stuff by sending it over the 3G
> phone company connection rather than WiFi, but I don't think Apple's
> restrictions on what applications can do on the phone are there
> to protect their users' best interests.

there is no longer any restriction for using voip over 3g.

On Sun, 25 Oct 2009 22:55:05 -0500, Dennis Ferguson
<dcferguson@pacbell.net> wrote:

>I think the ARP cache pollution they do to get everyone to send
>the packets they want through the PC doing the tap is kind of
>cute (though this may just show my ignorance of the state of the
>art for this stuff), but you are right that none of that is rocket
>science.

You don't really need a man-in-the-middle type of exploit in order to
sniff SIP traffic. It can be done by simply taping the ethernet
cable, or sniffing the 802.11 traffic. I don't know why that was
included. The only problem is that stock NDIS5 Windoze driver does
not have a wireless monitor mode sniffing ability. That means you can
only sniff traffic to/from a device to which you are connected.
Monitor mode (and promiscuous mode) work fine for wired ethernet, but
not for 802.11.
<http://en.wikipedia.org/wiki/Monitor_mode>
CACE has a monitor/promiscuous mode driver for Windoze that will work.
<http://www.cacetech.com/products/airpcap.html>
Wireless sniffing with Linux works just fine.

>They do mention, however, that Sipera plans to introduce a SIP/RTP
>encryption product next week, so demonstrating how low the bar
>is for wiretapping SIP-based VoIP with a nice applicaton is
>probably good marketing.

The hints of impending disclosure of a possible serious vulnerability
might have inspired Sipera to pre-announce new encryption technology.
If the exploit fizzles, or there's no clamor for encryption, they'll
just quietly drop the idea. Incidentally, I couldn't find a link to
such a product announcement. Oh, it's Sipera, not Sipura/Linksys. One
of these daze, I'll get them straight.
<http://www.sipera.com>

>Of course iPhone applications in
>particular could also secure this stuff by sending it over the 3G
>phone company connection rather than WiFi, but I don't think Apple's
>restrictions on what applications can do on the phone are there
>to protect their users' best interests.

There are no current restrictions on VoIP over 3G on the iPhone.
However, making phone calls over 3G is silly. The cost per byte is
much more than over Wi-Fi. The main draw is free (or almost free)
phone calls using a coffee shop, home, office, airport, hotspot at
costs far less than cellular.

>Dennis Ferguson
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

Meanwhile, at the alt.internet.wireless Job Justification Hearings, Larry chose
the tried and tested strategy of:

> Even then, if you make the call from home and they KNOW what channel wifi
> you're using, they have to scan 65,535 PORTS and try to figure out which
> one of the active ones is used by the randomized, 256-bit encrypted Skype
> noise.

What on earth are you talking about? If somebody's intercepting your wireless
traffic, they're not going to be scanning any ports. Fire up Wireshark some time
and you'll see what I mean.

--
<http://ale.cx/> (AIM:troffasky) (UnSoEsNpEaTm@ale.cx)
09:37:57 up 8 days, 4:32, 4 users, load average: 0.14, 0.16, 0.17
"Stupid is a condition. Ignorance is a choice" -- Wiley Miller

On 2009-10-26, Jeff Liebermann <jeffl@cruzio.com> wrote:
> On Sun, 25 Oct 2009 22:55:05 -0500, Dennis Ferguson
><dcferguson@pacbell.net> wrote:
>
>>I think the ARP cache pollution they do to get everyone to send
>>the packets they want through the PC doing the tap is kind of
>>cute (though this may just show my ignorance of the state of the
>>art for this stuff), but you are right that none of that is rocket
>>science.
>
> You don't really need a man-in-the-middle type of exploit in order to
> sniff SIP traffic. It can be done by simply taping the ethernet
> cable, or sniffing the 802.11 traffic. I don't know why that was
> included. The only problem is that stock NDIS5 Windoze driver does

Sure, except there's a whole bunch of ethernet cables but only a
few of them will be carrying the traffic you want to look at. Ethernets
are always L2-routed by switches these days so if you plug into a random
port in a switch on the network the only third party traffic you'll see
coming out are multicasts, not someone else's RTP. If you want to see
unicast traffic to and from a particular host you need to physically
insert yourself into the wire which connects that host to its switch port,
or the wire which attaches the router the host is using to a switch port,
or one of the interswitch trunks between the host's switch and the
router's switch, without anyone noticing. That's 3 or 5 particular
wires that you'd need to attach to, out of maybe 100's or even 1000's
on a big network. And for a passive 802.11 tap you'd need to not only
be hearing the same AP as the client you're interested in but also
close enough to hear the client's transmissions in the other direction.

Compared to this the ARP thing is very nice. If you know who you want
to hear then just connect to the network anywhere, at any random
switch port or any AP on the same ethernet (not necessarily even in
the same room, or building) and arrange for the particular traffic
you want to look at to be delivered directly to where you are by
the network.

>>Of course iPhone applications in
>>particular could also secure this stuff by sending it over the 3G
>>phone company connection rather than WiFi, but I don't think Apple's
>>restrictions on what applications can do on the phone are there
>>to protect their users' best interests.
>
> There are no current restrictions on VoIP over 3G on the iPhone.
> However, making phone calls over 3G is silly. The cost per byte is
> much more than over Wi-Fi. The main draw is free (or almost free)
> phone calls using a coffee shop, home, office, airport, hotspot at
> costs far less than cellular.

I didn't know they'd removed that restriction. I don't get the
cost thing, though, at least if we're talking about costs the user
pays (and I'm not sure why the user would care about anything else).
iPhone data plans are flat rate unlimited on AT&T so the marginal
cost for using the phone company's network is the same as WiFi,
i.e. free or close to it. If VoIP-over-3G isn't popular (and I'd
bet that's the case if the phone company, which does pay the
costs, isn't complaining about it any more) I'd bet it has more
to do with the delays their network introduces.

Dennis Ferguson