Las Vegas (CA) – PGP creator Phil Zimmermann is now focusing his crypto skills on making VoIP calls more secure. At the Black Hat security convention in Las Vegas, he showed off his latest version of the Zfone client that encrypts VoIP calls. Zfone can be easily used with most VoIP clients and, according to Zimmermann, will appear in future hardware-based VoIP phones.
Zfone itself is actually a daemon that runs under your VoIP client in the IP protocol stack. It implements the ZRTP protocol which is an extension of the regular VoIP RTP protocol. Zimmermann, along with Alan Johnston and PGP CTO Jon Callas, submitted the protocol to the IETF as a draft standard last year.
Zimmermann told us, “You can still use your favorite client on top and Zfone secures the call.”
Basically you can think of Zfone as a VPN client for your VoIP because it provides an encrypted tunnel for calls. The protocol adds four bytes of authentication on every voice packet and encrypts the RTP data payload with AES 128-bit or higher encryption. Zimmermann said the protocol is lightweight and modern computers shouldn’t experience any noticeable CPU slowdown.
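The per-packet authentication described above can be sketched as follows. This is an added example, not Zfone's code: it assumes the tag is built the way SRTP builds a 32-bit tag (HMAC-SHA1 over the packet plus a rollover counter, truncated to four bytes), uses a constructed key and packet, and leaves out the AES encryption step, so the payload stands in for already-encrypted audio.

```python
import hashlib
import hmac
import struct

TAG_LEN = 4  # the four bytes of authentication the article mentions


def rtp_packet(seq, timestamp, ssrc, payload, payload_type=0):
    """Build a minimal RTP packet: 12-byte fixed header (version 2) + payload."""
    header = struct.pack("!BBHII", 0x80, payload_type & 0x7F,
                         seq & 0xFFFF, timestamp & 0xFFFFFFFF, ssrc)
    return header + payload


def _tag(auth_key, packet, roc):
    # Assumption: SRTP-style MAC input, header + payload followed by the
    # 32-bit rollover counter, which binds the tag to the extended sequence.
    mac = hmac.new(auth_key, packet + struct.pack("!I", roc), hashlib.sha1)
    return mac.digest()[:TAG_LEN]


def protect(auth_key, packet, roc=0):
    """Append the truncated tag; costs TAG_LEN bytes per voice packet."""
    return packet + _tag(auth_key, packet, roc)


def verify(auth_key, protected, roc=0):
    """Return the original packet, or None if the tag does not match."""
    if len(protected) < 12 + TAG_LEN:
        return None  # too short to hold an RTP header and a tag
    packet, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(auth_key, packet, roc)):
        return None
    return packet


# Constructed sample: 20 ms of G.711 audio is 160 payload bytes.
KEY = bytes(range(20))                 # constructed demo key, not a real one
PKT = rtp_packet(seq=4711, timestamp=160000, ssrc=0x1234ABCD,
                 payload=b"\x55" * 160)
SENT = protect(KEY, PKT)

if __name__ == "__main__":
    flipped = bytearray(SENT)
    flipped[20] ^= 0x01                # one bit changed in transit
    print("overhead bytes:", len(SENT) - len(PKT))
    print("clean packet accepted:", verify(KEY, SENT) == PKT)
    print("tampered packet accepted:", verify(KEY, bytes(flipped)) is not None)
```

A four-byte tag keeps the overhead small on short voice packets, at the cost of a 1 in 2^32 chance that a blind forgery passes the check.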
Since ZRTP is based on open standards, Zimmermann says it can also be integrated into hardware-based VoIP phones. In fact, he told us that several vendors, including Ripcord Networks, have expressed interest in making ZRTP-protected hard phones.
Some well-known computer security experts already have some good things to say about the software and protocol. Bruce Schneier, CTO of Counterpane, said Zfone brings “badly needed VoIP encryption to the masses,” while former chief counter-terrorism advisor to Presidents Clinton and George W. Bush commented that the software was “a great advance for corporate and personal communications.”
Zfone will not work with one of the most popular VoIP clients, Skype. Zimmermann told us that while Skype does use VoIP, it does so in a proprietary manner. “They don’t tell anyone how it works,” Zimmermann said.
Now you may be asking yourself how Zimmermann is making money on this. After all, he’s giving away the Zfone client and making the ZRTP specification an open standard. Integrating the ZRTP protocol into future phones and VoIP clients will require programming time, but Zimmermann will sell an SDK that should drastically reduce that time – and he’s going to charge a modest fee for it. The open nature of the protocol means that developers are free to write their own SDK, but Zimmermann probably feels that the companies won’t bother trying to reinvent the wheel.
Why do we need to worry about VoIP security? Zimmermann told us that VoIP is more vulnerable than PSTN and that the phone companies will eventually completely switch over to VoIP. Even today, your regular phone calls might be going over the Internet, without you even knowing about it.
Zimmermann said the migration to VoIP will make it easier for criminals to intercept phone conversations. Typically, law enforcement has easily tapped phones because it has easy access to phone company switches. Since VoIP calls are routed through the Internet, it’s easier to place taps on the call endpoints, something that both the good guys and bad guys have equal access to.
“The advantage collapses when everyone has VoIP… criminals will have even playing field,” Zimmermann said.
Organized crime members and other hard-core criminals could get extremely vicious and easily listen to prosecutors, witnesses and informant calls. With the right tools, they could also listen to district attorneys calling their wives and asking when the kids are going to be picked up, according to Zimmermann.
There’s already spyware in the wild that can record VoIP calls and store them on a hard drive as a WAV file, neatly organized so the attacker can remotely listen to the most interesting calls. Zimmermann told us, “it’s like TiVo for VoIP calls,” adding that he’s conveniently placed a download link on his Zfone webpage.
Black Hat and Defcon attendees may remember Zimmermann demonstrating Zfone two years ago when it was just a Python script. Since then his team has ported the software into Mac OS X, Linux and Windows versions and you can download the free beta here. “It’s now fairly polished,” said Zimmermann.