[VOIPSEC] Soft Phone Vulnerabilities
Mark Baugher
mbaugher at cisco.com
Wed Jun 7 09:03:17 CDT 2006
hi Henry,
On Jun 7, 2006, at 6:02 AM, Henry Sinnreich wrote:
>> This is why people worry about Skype being used in the workplace,
>
> I am afraid this is just sour grapes. Skype has been attested as being
> secure,
I think it has been attested by a paid consultant and that there have
been a number of voices pointing out the failings of this technology
in the security realm.
> enhances the productivity in the enterprise, supports communications
> worldwide with customers and partners and may become the AT&T of VoIP.
> And is profitable as well, which is an exception to the rule in the VoIP
> provider world.
>
> We can only hope the "pre-standard" Skype will get some competition from a
> standards based system.
The largest problem facing the peer-to-peer model is the absence of
control on which peers are handling the calls and getting information
beyond what's carried in the voice packets. The problems with
tamper-resisting of the peer implementations in Skype have been publicized
by some white-hat security firms.
Mark
>
> Thanks, Henry
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Martyn Davies
> Sent: Wednesday, June 07, 2006 3:02 AM
> To: Jacobs, Marcia; Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] Soft Phone Vulnerabilities
>
> A softphone is just a normal executable application, no more and no
> less. It's just that (unlike, for example, Word) its main job is to
> handle streaming audio.
>
> As an application it has full access to all the resources of the PC, and
> runs with the rights of the user that started the softphone. Therefore
> if you login with administrative rights (which I guess an awful lot of
> people do), the softphone application has all administrative rights to
> the machine. Therefore if a softphone is carrying some kind of Trojan
> or backdoor inside it, an attacker could do any of the following:
>
> * Listen to any inputs on the soundcard
> * Read all your files and transmit them somewhere else
> * Capture data being sent to the screen, or coming in from the
> keyboard
> * Scour your machine looking for passwords, etc.
> * Disable antivirus or other protective tools
> * Monitor the LAN that the computer is attached to, and perhaps even
> attack other machines
>
> Since the soundcard is always powered on in a PC, there's nothing to
> stop an application switching on the mic at any time and listening.
>
> In summary, it's not just 'softphone vulnerabilities' that are the worry
> per se, but the fact that the whole PC is vulnerable to attack if the
> wrong kind of malware gets run on it.
>
> This is why people worry about Skype being used in the workplace,
> because (a) a lot of desktops have it across the world, which is an
> opportunity for hackers and (b) if they succeed in compromising Skype
> then not just audio but all kinds of secrets could be funneled out of
> the organization without anyone even knowing that an attack was
> underway.
>
> Regards,
> Martyn
>
>
> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Jacobs, Marcia
> Sent: 06 June 2006 19:04
> To: Voipsec at voipsa.org
> Subject: [VOIPSEC] Soft Phone Vulnerabilities
>
> Wondering if anyone can recommend a good security document on
> softphones, and the potential of turning on microphone remotely.
>
> Thanks!
>
> Marcia Jacobs
> Sandia National Labs
> CA Telecommunication Ops
> Phone & Fax: 925.294.1586
> mjacob at sandia.gov
>
> _______________________________________________
> Voipsec mailing list
> Voipsec at voipsa.org
> http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>