I recently switched my home phone service from POTS (plain old telephone service) to VoIP (voice over IP). One friend asked whether or not I was concerned about the security of my calls. I said that I was less concerned now than I was before. Here’s why:
There are two basic types of calls I can make using VoIP: VoIP to VoIP and VoIP to PSTN (public switched telephone network). The latter uses the numbers we are familiar with (which vary country to country), and the former uses a different style of identifying endpoints, but that is often hidden by mapping the familiar numbers (formally called E.164 for the international standard governing them) to the unfamiliar addresses. The figures below illustrate the two types of call. There are other variations of these, but I’ll use these to illustrate.
Note the red and blue lines. The blue lines represent encrypted data (at least in my case), and the red lines represent unencrypted. As I note below, the data may not be encrypted at all. The general rule is that traffic to and from my VoIP provider is encrypted, while phone-to-anything is not.
In my case, Internet access is delivered by fiber optic cable. It is converted to Ethernet and then routed inside my home. My VoIP device is connected by cable to the router I use to connect to the Internet. With POTS service, the phones were wired to a box outside the house, and the box was connected to the phone company. The path from the phone to the telephone exchange was analog all the way and simple for anyone to tap with little effort.
Now, the only analog signal is from my phone to the VoIP device. The Internet is provided over fiber and thus quite difficult to tap. Even if someone could tap it, they wouldn’t get much information – my VoIP device encrypts the calls.
When I call my mom, the call goes part of the way over the Internet (encrypted) and is then connected to the PSTN and sent unencrypted to mom. This means at least the portion of my call from me to my VoIP provider is encrypted, and that is a lot more than before! When I call another customer of my provider, the call is encrypted device-to-device.
Not all VoIP traffic is encrypted. I use a provider that encrypts data from me to them. In fact, most commercial VoIP isn’t encrypted. Bruce Schneier wrote about this a decade ago, and we are still not encrypting as much as we should. There are multiple ways to encrypt VoIP calls, but what is used depends on the provider. I should also note that the majority of long distance communication in many countries – including the US and the UK – is unencrypted VoIP. The main business reason is that additional (inexpensive) hardware is required to make the encryption fast enough that it doesn’t introduce latency in the calls.
I’d like to see more VoIP encrypted. I’m still not worried, though, about my own calls, as there are fewer points where an attacker can access the actual unencrypted call data easily. How about you? Let us know your thoughts about the safety of VoIP calling in the comments below.
To your safe computing,