London security expert Peter Cox claims to have developed a nice tool for tapping VoIP calls, called SIPtap. The application can monitor multiple VoIP call streams, listen in and record them as .wav files.

The program uses SIP identity information to index "IP-tapped" calls by caller, by recipient, and even by date.

The test results show that SIPtap is capable of proving "that call recording of any and every VoIP call at a hypothetical company was now a trivial exercise."

"We are in the early days of VoIP, but there is a knowledge gap. Companies using VoIP internally think they are protected. The threat is that an attacker engineers a Trojan and has it sit there passively recording calls from anywhere on the Internet," says Peter Cox.

Well, Cox might be thinking so, but Dameon Welch-Abemathy is not impressed.

Excerpt:

· Call Information Goes In The Clear: Yes with SIP, who you are and whom you're calling does go in the clear. Yes, you can use Transport Layer Security (TLS) to encrypt this information.
· The Voice Data Goes In The Clear: What you're saying also goes in the clear as well. This can be mitigated by using SRTP to encrypt the data portion of the call.

Another think Dameon points is that: Unless you can somehow see all the traffic between the two parties, you can't sniff a VoIP call. And you know what? That's difficult to do.

When it comes to security, encryption of data and voice streams is obligatory but the German police complains about it.

"The encryption with Skype telephone software ... creates grave difficulties for us," says Joerg Ziercke, president of Germany's Federal Police Office. "We can't decipher it. That's why we're talking about source telecommunication surveillance--that is, getting to the source before encryption or after it's been decrypted."