[VOIPSEC] Soft Phone Vulnerabilities

Ari Takanen voipsa at codenomicon.com
Thu Jun 8 12:59:22 CDT 2006


My favourite topic! Hello all again!

At the risk of annoying people by again advertising research
conducted by us here in Oulu/Finland (OUSPG, PROTOS, Codenomicon), I
would like to add some comments on the discussion:

On Wed, Jun 07, 2006 at 05:25:18PM -0500, Henry Sinnreich wrote:
> I believe Jon has touched the key issue - Skype is useful and no
> more risky than the PSTN (if you give away a secret) or mobile
> phones.

I am sorry, Henry! It is more risky. Any softclient has access to all
resources that the platform it is running on has access to. As someone
pointed out, it is just a communication application. But a
"hardphone" is also no more secure than a softphone. There is no real
difference, as both are just software, only running on different
platforms. A "hardphone" just has fewer resources it can abuse. Think
of Snom (great phone!) as a softphone running on Linux with a weird
user interface (what, I do not have an alphabet with SIP?). Think of
Skype running on Nokia (I truly do not know if there is one, but here
think about the annoyance of writing a SIP URI on a mobile phone)
similarly to it running on a PC. VoIP is always about software.

Also, a good deployment of a "hardphone" should include separating it
from the enterprise network with a VLAN (argh, I will not go
there...) or separate cabling. Also, for security, VoIP does not need
to traverse the internet. Hacking the PSTN has its benefits (free
calls), and hacking mobile phones has additional benefits (data such
as contacts, calendars, passwords, etc.), but hacking a PC-based
softphone is equal to or more than stealing the identity of a person
or a company. You can do anything. Whether the softphone
implementation is Skype or SIP makes no difference.

You have to decide somewhere between "free" and "secure". It will
always be a compromise. If not for anything else, you pay for a
service or a product because afterwards you can go after the guilty
ones (and they might not be the hackers but the vendors). You pay for
the quality that you expect (well, I admit that open source projects like
Apache and OpenBSD are exceptions).

> This reminds us that the LAN and PC were introduced into the enterprise
> _in spite_ of the IT organization. IT at that time just liked the
> big blue mainframe (still a good product BTW) and SNA/DECnet. IP was
> an adventure :-)

Good old times, right? After that it has been just downhill for
security, except for business for us security companies. Well,
actually it has been good, but unfortunately very few companies really
care about security in their products... I think most of you know that
we have been annoying you since 2001. ;) And some of you are still not
testing for security! Shame on you! I hope you use PROTOS at least...

More comments below:

> On 7 Jun 2006, at 7:44 AM, FOUCHE Nicolas ROSI/DAS wrote:
> What's the real problem with Skype? By that I mean what problem
> exists with it that does not exist with some other system.

The problem with Skype is only that nobody can easily and legally
assess its security. Reverse-engineering fortunately is illegal
in most civilized countries. Still, even being from a very
security-critical security company (well, knowing perhaps a little bit
too much, I never would use telephony for confidential communications
anyway), I think Skype is more secure from a confidentiality perspective
than SIP or PSTN. This is only because it is "close-to" P2P. Still,
this is only the first hint that you should go to the basics and think
of the threats that you are worried about:

1) Confidentiality: Use P2P crypto. There is no other solution. ZRTP
or Skype are fine. I do not think there are any other solutions
currently.

2) Integrity: Unless you require (1), which, if well implemented,
basically protects from this, at least require good quality from the
solutions. As Christian Wieser (from OUSPG/PROTOS) has on many
occasions demonstrated, nobody really cares about message validity. This
is extremely dangerous with UDP-based protocols. (Try our RTP test
tool!)

3) Availability: Not solved by (1) nor (2). It is always easier to
hack a system with load or malicious traffic than by breaking encryption
or message integrity. Look at NIST or CERT statistics and you can see
that 70-80% of all security problems are because of people not
understanding good secure development practices. Use code auditing
(Klocwork, Parasoft, Purify, ...) and robustness-testing/fuzzing
(Codenomicon, IWL, PROTOS, ...) to fix these problems. Use Spirent,
Agilent, Ixia, whatever for load-testing. There is no one solution,
you need all of these...

As I mentioned, encryption does not help against problems in
category (3). If you are afraid of problems in categories (1) and
(2), Skype is fine (and so are many SIP solutions such as
Snom). Threats in category (3) are still a problem. If threats against
(3) such as viruses, worms, 0-day exploits and so on are a problem,
use products from reliable vendors. Also separate your VoIP network
from the enterprise network. If you look for reliable products, we can
definitely promote products of our customers and I am sure other QA
vendors will do the same. We even have those listed on our web site.

In short for (1) and (2): Ask for P2P encryption.

In short for (3):

For SIP or H.323: Ask them if they use PROTOS. If not, forget about
it. For critical systems, ask for more. ;)

For (3) with Skype and other proprietary systems: All you can do is
hope that it is too complex for hackers, which it usually is
not. :(

/Ari 

PS: "Offence is the best defence!" That equals to our tools...
PS2: Update your voip software now! It is not for the features only...

-- 
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen                       Codenomicon Ltd.
ari.takanen at codenomicon.com       Tutkijantie 4E
tel: +358-40 50 67678             FIN-90570 Oulu
http://www.codenomicon.com        Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
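An added example from the editor, not part of Ari's post and not code from any Codenomicon or PROTOS tool, to make concrete the "message validity" point in (2) and the robustness point in (3): a strict parser for the RTP fixed header (RFC 3550 layout) that bounds-checks every length-dependent field (CSRC count, extension length, padding count) against the actual datagram length before using it. It is exercised on four constructed packets, one well-formed and three malformed in the ways a fuzzer produces. The packet bytes, the field names on the dataclass and the `MalformedRtp` exception are all constructed for this example.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class MalformedRtp(ValueError):
    """Raised when a datagram violates the RFC 3550 fixed-header layout."""


@dataclass
class RtpPacket:
    version: int
    padding: bool
    extension: bool
    marker: bool
    payload_type: int
    sequence: int
    timestamp: int
    ssrc: int
    csrcs: List[int] = field(default_factory=list)
    ext_profile: Optional[int] = None
    ext_data: bytes = b""
    payload: bytes = b""


FIXED_HEADER_LEN = 12  # V/P/X/CC, M/PT, seq, timestamp, SSRC


def parse_rtp(data: bytes) -> RtpPacket:
    """Parse one RTP datagram; every count carried in the header is checked
    against the real length before it is used to index into the buffer."""
    if len(data) < FIXED_HEADER_LEN:
        raise MalformedRtp(f"packet too short for fixed header: {len(data)} bytes")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", data[:FIXED_HEADER_LEN])
    version = b0 >> 6
    if version != 2:
        raise MalformedRtp(f"unsupported RTP version {version}")
    padding = bool(b0 & 0x20)
    extension = bool(b0 & 0x10)
    cc = b0 & 0x0F
    marker = bool(b1 & 0x80)
    payload_type = b1 & 0x7F

    offset = FIXED_HEADER_LEN
    # CC claims how many 32-bit CSRC ids follow; trust the datagram length, not CC.
    csrc_len = 4 * cc
    if len(data) < offset + csrc_len:
        raise MalformedRtp(f"CC={cc} needs {csrc_len} bytes of CSRC but only "
                           f"{len(data) - offset} remain")
    csrcs = list(struct.unpack(f"!{cc}I", data[offset:offset + csrc_len]))
    offset += csrc_len

    ext_profile = None
    ext_data = b""
    if extension:
        if len(data) < offset + 4:
            raise MalformedRtp("extension bit set but no extension header present")
        ext_profile, ext_words = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        ext_len = 4 * ext_words
        if len(data) < offset + ext_len:
            raise MalformedRtp(f"extension length {ext_words} words exceeds packet")
        ext_data = data[offset:offset + ext_len]
        offset += ext_len

    payload = data[offset:]
    if padding:
        # The last octet is the pad count, which includes itself and must fit.
        if not payload:
            raise MalformedRtp("padding bit set but no payload octets present")
        pad = payload[-1]
        if pad == 0 or pad > len(payload):
            raise MalformedRtp(f"invalid padding count {pad} for {len(payload)}-byte payload")
        payload = payload[:-pad]

    return RtpPacket(version, padding, extension, marker, payload_type,
                     seq, ts, ssrc, csrcs, ext_profile, ext_data, payload)


def build_samples() -> Dict[str, bytes]:
    """Constructed test vectors (not captured traffic): one good, three malformed."""
    good = bytes([0x80, 0x60]) + struct.pack("!HII", 1, 160, 0xDEADBEEF) + b"\x11" * 20
    truncated = good[:8]  # cut inside the fixed header
    # CC=15 claims 60 bytes of CSRC, but only 4 bytes follow the header.
    bad_cc = bytes([0x8F, 0x60]) + struct.pack("!HII", 2, 320, 0xDEADBEEF) + b"\x00" * 4
    # Padding bit set, pad count 0xFF far exceeds the 8-byte payload.
    bad_pad = bytes([0xA0, 0x60]) + struct.pack("!HII", 3, 480, 0xDEADBEEF) + b"\x22" * 7 + b"\xFF"
    return {"good": good, "truncated": truncated, "bad_cc": bad_cc, "bad_pad": bad_pad}


def check_all(samples: Dict[str, bytes]) -> Dict[str, Optional[str]]:
    """Map each sample name to None if accepted, or to the rejection reason."""
    results: Dict[str, Optional[str]] = {}
    for name, pkt in samples.items():
        try:
            parse_rtp(pkt)
            results[name] = None
        except MalformedRtp as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in check_all(build_samples()).items():
        print(f"{name:10s} -> {'OK' if outcome is None else 'REJECTED: ' + outcome}")
```

A receiver that trusts CC, the extension length or the padding count without comparing them to the datagram it actually received reads past its buffer, which is exactly the availability failure the post puts in category (3); rejecting the datagram with a logged reason is the cheap defence, and the constructed vectors double as a minimal regression suite for the robustness testing the post asks vendors for.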



