An expert has released a proof-of-concept program to show how easy it would be for criminals to eavesdrop on the VoIP-based phone calls of any company using the technology.
Called SIPtap, the software is able to monitor multiple Voice-over-IP (VoIP) call streams, listening in and recording them for remote inspection as .wav files. All that the criminal would need would be to infect a single PC inside the network with a Trojan incorporating these functions, although the hack would work at ISP level as well.
The program can index 'IP-tapped' calls by caller -- using SIP identity information -- and by recipient, or even by date. Running from August this year until the most recent tap on November 21st, SIPtap had no problems in extracting enough information on the test network to prove that call recording of any and every VoIP call at a hypothetical company was now a trivial exercise.