[VOIPSEC] Soft Phone Vulnerabilities

Jon Callas jon at pgpeng.com
Thu Jun 8 13:34:25 CDT 2006


On 8 Jun 2006, at 12:19 AM, David MENTRE wrote:

> Hello,
>
> Jon Callas wrote:
>> What's the
>> difference between someone expensing their mobile bill and using
>> Skype, from a security and control aspect? Especially when one of the
>> things we let people expense is a data plan?
>
> I'm quite surprised you ask such a question considering the firm you
> work in: your mobile phone has no access[1] to your local network and
> thus all other machines of your network. Your mobile phone has no
> control on the working of your computer.
>

So are you then saying that if someone buys one of these new devices  
that does Skype, but is not a general-purpose computer it would be okay?

You seem to be

>
>> What's the real problem with Skype? By that I mean what problem
>> exists with it that does not exist with some other system.
>
>  - no knowledge of Skype's network structure and use of cryptography;
>

Actually, that's been documented rather well. I understand how Skype  
works much better than I understand how a Nokia 6230 tied to Cingular  
works, network-wise.

Nonetheless, you are correct in saying that we have much better  
knowledge of the details of GSM cryptography than we do of Skype's.  
However, what we know about GSM crypto is that it's crap.

My point is that the alternative to Skype -- a cell phone -- doesn't  
have better security.

>  - no possible[2] review of code (at least compared to Free Software
> products);
>

Nice little footnote there. It saves me from making a cheap crack  
about OpenSSH. Nonetheless, you're missing my point again.

I don't have the alternative of free software products. My cell phone  
is not open software. I have far less knowledge of its internals than  
I do of Skype.

>  - no possible control by a network administrator of the working of
> the software[3].
>

Unlike those mobile phones?

> Sincerely yours,
> david
>
> [1] That might change with the new GSM/Wifi phones.
>
> [2] I do not imply that Free Software is effectively reviewed.
>
> [3] Would you allow the use of MS Word without the possibility to
> disable macro execution?

I think you're completely missing my point.

The point is that whatever we may not like about Skype, it is not  
worse and often better than the alternatives.

If you say that you're going to disallow Skype because it's doing  
stuff on the network that you don't control, I think that's silly,  
because if you ban Skype, they'll use a mobile phone. You have less  
knowledge and control on the GSM network, and the cryptography is  
known to suck so badly it can be broken in realtime.

If you're going to ban Skype because it's running on a PC that could  
have malware, it ignores software issues on mobile phones and  
software issues on other VOIP phones. We are switching our local  
infrastructure over to Cisco VOIP phones, which are also at the  
bottom -- software.

If you're going to ban Skype because it's VOIP and VOIP is inherently  
less secure than POTS, then that is the best reason I know of to ban  
it. The argument has its own problems, but it's a better argument  
than many I've heard.

If you want to complain that Skype isn't documented as well as we'd  
like, then I am with you. However, the more I learn about Skype the  
better it looks. Its architecture is pretty good, if eccentric in  
places. They have their own anti-malware defenses built in. Yeah, it  
has bugs. My Nokia 6230 also has bugs, and in trying to get those  
fixed, Cingular has told me to call Nokia who tell me to talk to  
Cingular. I can't download a new mobile.

If you're worried about the security of running Skype on a PC, it's a  
valid complaint, but it's a complaint applicable to Gizmo, EyeBeam, etc.  
The problem isn't a *Skype* problem; it's a problem with running VOIP  
on a PC.

There are other reasonable complaints about Skype, such as that if  
everyone started using it, it might soak up the entire net  
connection. That is also a good complaint, but not one that is a  
Skype issue, but a VOIP issue.

Most of the complaints I hear about Skype are just not logical.  
They're like the hysteria around banning iPods from the workplace  
because people can steal data on them. If you want to ban iPods  
because you don't like people listening to music, fine. But state  
your reason. If you are worried about data escaping on mobile  
storage, fine. However, iPods are merely one way to get data, and not  
even the best one if you're a thief.

Similarly, most of the complaints I hear about Skype are not unique  
to Skype. Skype is not the only closed system. Skype is not the only  
system beyond my control. Skype is not the only VOIP system.

So I'll repeat my question -- what are the problems with Skype that  
are unique to Skype? I have my answers to this question (which I  
haven't stated at all). I'm not a Skype fan. But I'm not an enemy,  
either. The more I see of it, the more I am willing to tolerate it,  
and that in itself makes me grumpy because I think they should just hire  
some people to come out with an Inside Skype book. Heck, they could  
present it at some $1000/day conference and I'd be there in a heartbeat.

	Jon

-- 
Jon Callas
CTO, CSO
PGP Corporation         Tel: +1 (650) 319-9016
3460 West Bayshore      Fax: +1 (650) 319-9001
Palo Alto, CA 94303     PGP: ed15 5bdf cd41 adfc 00f3
USA                          28b6 52bf 5a46 bc98 e63d