Question on encryption and security of magicJack calls.

JohnDoe · Post by **JohnDoe** » Thu Jul 09, 2009 2:45 pm

Hi everyone,

I recently switched to magicJack. I work in network security and came across a security issue with magicJack. This is my first experience with these types of VoIP services, so please feel free to comment if this is an issue with other VoIP providers such as magicJack.

Here's the issue... once your call has been established, any keys you press on your phone are NOT encrypted going over the Internet. Here's an example: you call your credit card company or bank and their automated system asks you for your account number and perhaps your PIN or part of your social security number. As you type these into your phone that is connected to magicJack, they are NOT encrypted and are sent in clear text across the Internet. I confirmed this by using a network sniffer. I asked magicJack Support and they confirmed this.

This is something people need to be aware of. Does anyone know if this is an issue with other VoIP providers?

Thanks.

Post by **laserjobs** » Thu Jul 09, 2009 3:01 pm

All VoIP providers I know of send DTMF in unencrypted when terminating to a POTS line. After the Patriot Act was enacted we basically lost all rights to privacy. The best you can do is hope anyone who does have access to anything personal is not a criminal.

Zfone will allow you to encrypt VoIP to VoIP calls only not VoIP to POTS
http://zfoneproject.com/

JohnDoe · Post by **JohnDoe** » Thu Jul 09, 2009 3:05 pm

laserjobs wrote:All VoIP providers I know of send DTMF in unencrypted when terminating to a POTS line. After the Patriot Act was enacted we basically lost all rights to privacy. The best you can do is hope anyone who does have access to anything personal is not a criminal.

Zfone will allow you to encrypt VoIP to VoIP calls only not VoIP to POTS
http://zfoneproject.com/

Thanks for the information. When calling a credit card company or bank from magicJack, is this probably a VoIP to POTS connection so we're SOL?

Post by **laserjobs** » Thu Jul 09, 2009 3:11 pm

JohnDoe wrote:
laserjobs wrote:All VoIP providers I know of send DTMF in unencrypted when terminating to a POTS line. After the Patriot Act was enacted we basically lost all rights to privacy. The best you can do is hope anyone who does have access to anything personal is not a criminal.

Zfone will allow you to encrypt VoIP to VoIP calls only not VoIP to POTS
http://zfoneproject.com/
Thanks for the information. When calling a credit card company or bank from magicJack, is this probably a VoIP to POTS connection so we're SOL?

Yep, you can just call the FBI if you ever forget your account information.

jebise · Post by **jebise** » Fri Jul 10, 2009 12:56 am

See i was thinking the same thing if it's via internet is it encrypting the keys we type and I guess you answered my question. I will make sure no one in my family uses MJ to call a number that requires sensitive information like a credit card number.

i was thinking of using a sniffer to see what it might do, thanks for saving me some time.

P.S They should put that on the box "Waring do not input credit card info when using MJ" like they do with cigarettes boxes "warning make cause cancer"

dan · Post by **dan** » Fri Jul 10, 2009 9:53 am

Well, I would have to trap a call again to be 100% sure. but I believe that MJ uses 0 100 in their SDP information

0= G711
100= inband DTMF

using 100 means there is an actual audio pulse. that is the traditional way of passing DTMF and has been for numerious years.. So this would be nothing new.

If MJ is using 101=out-of-band.. then yes you will actually see the digit or number being sent in a network capture.

Keep in mind this would be for IP to PSTN calls.. PSTN to IP calls will come in as an audio pulse.