T 5.12 Interception of telephone calls and data transmissions
If telephone calls or data is transmitted in an unencrypted form, there is generally the risk of attackers eavesdropping on or reading the information. For example, attackers could tap directly into the telephone cables or listen in on a switching PBX system positioned between the callers.
It is easier to eavesdrop on telephone calls and data transmissions when VoIP is used when compared to classic PBX systems. All voice information is transmitted in an IP media stream, for example using the Real-time Transport Protocol (RTP). All possible types of attacks on IP data networks are available using techniques such as spoofing and sniffing.
In many PBX systems, callers can leave a message for the recipient if the recipient is not available by telephone at the time of the call. Some answering machines, especially those in VoIP systems, send this information in the form of an audio file in an email. The contents of this email could be intercepted and listened to directly by an attacker just like with a VoIP media stream.
Moreover, telephone calls amongst colleagues may be intercepted by misusing the performance characteristics both for VoIP and for line switching PBX systems. An example includes the three-way conference. When subscriber A receives a call for subscriber B, he/she might try to secretly establish a three-way conference call instead of just forwarding the call. If subscriber B has a telephone without a display, subscriber B will not notice this.
In addition, it is possible for third parties to listen in on calls by activating disabled features, some of which are not allowed to be used in Germany. One example includes the silent monitoring feature. Activation of such features requires more detailed knowledge of the system, but this is not a serious obstacle due to the large amount of information available for free on the internet.