[VOIPSEC] Feds Warn Deploy VoIP With Care - Analysis of NIST Recommendations
Christian Wieser
chwieser at ee.oulu.fi
Tue Feb 15 05:51:02 CST 2005
Hello Ari et al,
[snip]
>
> "Softphones are not necessarily any more insecure than other devices
> including stand-alone telephone sets."
>
> Softphones are definitely more insecure. It is not only the bad
> quality of desktop software in general but also the access that any
> other software can possess over the softphone (typically through IE or
> Outlook). It is not too common to route attacks from one software to
> another. A dedicated device is always more "simple" and therefore more
> secure, although in many cases more difficult to keep updated.
>
Whereas I agree with you that we find more injection vectors for
exploitation in an average desktop environment, please let me point
out that we face much more stringent resource conditions in embedded
devices. We simply have less memory and processing power. This is
also reflected in the development environment, which is AFAIK typically
plain C. And C lacks bounds checking, garbage collection, safe type
casting, etc.
In research done over here at the OUSPG we tested SIP implementations
for implementation-level vulnerabilities (e.g. buffer
overflows/underflows, format string vulnerabilities). Out of nine
tested implementations only one passed all test cases (the two embedded
devices both failed. OK, not a sufficiently wide sample range).
For our tests have a look at
http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/
> And the key thing is good quality software, and that depends on the
> skills of the people making the software and the quality assurance
> processes of the company behind the products. Some pieces of software
> are just a waste of bits, and nothing will help a system built using bad
> building blocks.
>
IMHO in the security trade we fight an uphill battle to protect all
our assets from all kinds of attacks, whereas an adversary needs
a single way of exploiting a vulnerability.
[snip]
Br,
Christian Wieser
mailto:chwieser at ee.oulu.fi
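The post above argues that plain-C SIP stacks fail robustness tests because C has no bounds checking. As an added illustration (not code from the poster, the OUSPG or the PROTOS suite), here is a request-line parser written the way a robust implementation has to be written by hand in C: every copy is bounded by the caller's buffer size, so an over-long field is rejected rather than overflowed. The sample messages are constructed for this example.

```c
#include <ctype.h>
#include <string.h>

/* Parse a SIP request line "Method SP Request-URI SP SIP/2.0 CRLF" into
 * caller-supplied fixed-size buffers. Every copy is bounded by the
 * caller's capacity and by the message length, so an over-long field
 * (the kind of malformed input a SIP robustness test suite feeds to an
 * implementation) is rejected instead of overflowing a stack buffer.
 * Returns 0 on success, -1 on malformed or oversized input. */
int sip_parse_request_line(const char *msg, size_t len,
                           char *method, size_t method_cap,
                           char *uri, size_t uri_cap)
{
    static const char ver[] = "SIP/2.0\r\n";
    const char *end = msg + len, *p = msg;
    const char *sp1 = memchr(p, ' ', (size_t)(end - p));
    if (!sp1 || sp1 == p) return -1;              /* missing method */
    size_t mlen = (size_t)(sp1 - p);
    if (mlen >= method_cap) return -1;            /* would not fit */
    for (size_t i = 0; i < mlen; i++)             /* method is a token */
        if (!isprint((unsigned char)p[i])) return -1;
    p = sp1 + 1;
    const char *sp2 = memchr(p, ' ', (size_t)(end - p));
    if (!sp2 || sp2 == p) return -1;              /* missing Request-URI */
    size_t ulen = (size_t)(sp2 - p);
    if (ulen >= uri_cap) return -1;               /* would not fit */
    p = sp2 + 1;                                  /* version must be exact */
    if ((size_t)(end - p) < sizeof ver - 1 || memcmp(p, ver, sizeof ver - 1))
        return -1;
    memcpy(method, msg, mlen);      method[mlen] = '\0';
    memcpy(uri, sp1 + 1, ulen);     uri[ulen] = '\0';
    return 0;
}

/* Constructed sample inputs (not taken from any real test suite): a
 * well-formed INVITE, and a request line whose method is 600 bytes long. */
static const char good_req[] = "INVITE sip:bob@example.com SIP/2.0\r\n";

/* Returns 1 when the 600-byte method is rejected by the bounds check. */
int demo_rejects_oversized_method(void)
{
    char method[16], uri[64], big[700];
    memset(big, 'A', 600);
    memcpy(big + 600, " sip:bob@example.com SIP/2.0\r\n", 30);
    return sip_parse_request_line(big, 630, method, sizeof method,
                                  uri, sizeof uri) == -1;
}
```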