Zimmermann calls his new creation Zfone, a VoIP phone software product that lets users encrypt their calls over the Internet. Zfone uses a new cryptography protocol called ZRTP, which has a better architecture than such other VoIP security protocols as SIP (Session Initiation Protocol), H.323 and IAX. Users can download a free beta of Zfone from the Zfone Project Web site.
"Zfone sits in the IP protocol stack and runs as a filter, and it works with multiple programs such as Windows Mobile, Apple iChat, Symbian and Nokia," he said before running a demonstration of how the technology works.
"To prevent a man-in-the-middle attack, we have to use the same session key," he said, pointing out how his software allows for that to happen. "When you have the same session key at both ends, there can be no man in the middle."
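The "same session key at both ends" idea behind ZRTP can be shown in a small model: each side derives the key by Diffie-Hellman, then both derive a Short Authentication String (SAS) from that key and compare it by voice. A relay in the network path that runs a separate exchange with each endpoint leaves them with different keys, so the two SAS values disagree. The following is an added illustration written for this page, not Zfone's code and not the ZRTP wire protocol; the tiny DH group, the key and SAS derivations, and the private values are constructed for readability only.

```python
"""Toy model of the ZRTP idea Zimmermann describes: both ends derive a
session key by Diffie-Hellman, then compare a Short Authentication String
(SAS) derived from that key over the voice channel. A relay that completes
two separate exchanges gives the endpoints different keys, so the two SAS
values differ and the call can be abandoned.

Constructed example; not the ZRTP wire protocol and not its real DH
groups or key-derivation details.
"""
import hashlib

# Toy DH parameters: P is prime and 7 is a primitive root modulo P.
# Far too small to be secure; chosen only so the arithmetic is obvious.
P = 2**31 - 1
G = 7


def public_value(priv):
    return pow(G, priv, P)


def commitment(pub):
    """Hash commitment to a public value, sent before the value itself.
    ZRTP commits like this so nobody can choose a public value after
    seeing the peer's and search for one that makes the SAS match."""
    return hashlib.sha256(pub.to_bytes(4, "big")).hexdigest()


def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(b"zrtp-toy-key" + shared.to_bytes(4, "big")).digest()


def sas(key):
    """Short Authentication String: 16 bits of a hash over the key, shown as
    four hex digits for the two users to read aloud and compare."""
    return hashlib.sha256(b"zrtp-toy-sas" + key).hexdigest()[:4]


def simulate_call(a_priv, b_priv, interceptor_priv=None):
    """Run one key agreement between Alice and Bob. If interceptor_priv is
    given, a party on the network path replaces each public value with its
    own, completing a separate DH exchange with each endpoint."""
    a_pub, b_pub = public_value(a_priv), public_value(b_priv)
    # Alice commits to her public value before Bob reveals his.
    a_commit = commitment(a_pub)

    if interceptor_priv is None:
        a_sees, b_sees = b_pub, a_pub
    else:
        m_pub = public_value(interceptor_priv)
        a_sees, b_sees = m_pub, m_pub
        # A relay must substitute the commitment as well; the commitment
        # stops SAS grinding, not relaying, which the SAS comparison catches.
        a_commit = commitment(m_pub)

    # Bob checks that the public value he receives matches the commitment.
    assert commitment(b_sees) == a_commit

    key_a = session_key(a_priv, a_sees)
    key_b = session_key(b_priv, b_sees)
    sas_a, sas_b = sas(key_a), sas(key_b)
    return {
        "same_key": key_a == key_b,
        "sas_alice": sas_a,
        "sas_bob": sas_b,
        "sas_match": sas_a == sas_b,  # what the two users verify by voice
    }


if __name__ == "__main__":
    print("direct:     ", simulate_call(123456, 654321))
    print("intercepted:", simulate_call(123456, 654321, interceptor_priv=111111))
```

The check only helps if the two people actually read the SAS to each other and stop the call when it differs; the model makes that dependency explicit by returning `sas_match` separately from the key material.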
Throughout his presentation, Zimmermann stressed the importance of encrypting VoIP transmissions, even though, as he noted, some in the government believe that would hobble law enforcement's ability to tap VoIP conversations as part of criminal investigations. The problem, he said, is that organized criminal outfits are quickly figuring out how to turn the tables by tapping VoIP calls made by the authorities attempting to bring them to justice.
"We have to encrypt our phone calls because the VoIP environment just isn't safe," he said. "It's getting easier for the bad guys to use something like spyware to tap the VoIP conversations of judges, prosecutors and the police."
Zimmermann's demonstration received a positive response from the audience, and other experts backed his claim that it's no longer difficult for digital miscreants to exploit VoIP insecurity.
"Four to five years ago, we started hearing about the security problems of VoIP, and it's really no better today," Dwivedi said. "The security vendors are not on top of the problem and users are relying on protocols they think are safe, when in fact they are not."
The two then ran through a series of examples showing how attackers could exploit the protocols to listen in on VoIP conversations and extract sensitive information in the process, and create havoc through denial-of-service attacks and by impersonating certain people on the call. IDs, time stamps and certain hashing functions can easily be sniffed, they warned.
Several Black Hat attendees said their organizations aren't using a lot of VoIP yet, but that they know it's something they'll soon have to deal with.
Andrew Fried, an IT security specialist with the U.S. Treasury Department, said his agency wants to expand its VoIP capabilities and hopes the Black Hat sessions will bring him up to speed on the security risks he will have to worry about.
"The government is trying to push more and more work at home and VoIP will be used as part of that … but fraudulent use of VoIP is something we're more concerned about, with [attackers] making calls in the name of the IRS using VoIP services that are nearly untraceable," Fried said. "Welcome to the world of fraud."