[VOIPSEC] Soft Phone Vulnerabilities
Ari Takanen
voipsa at codenomicon.com
Thu Jun 8 17:30:44 CDT 2006
All,
Excellent comments Jon... I agree with almost everything you
said. Note that mobile phone software is also just software, and it
can (sometimes easily) be updated. Some of them even run Linux. But
not everyone walks to a handset software upgrade every week. And not
all manufacturers want to do software updates over the expensive data
connections. There are many different and interesting technologies in
this space. Try to check the revision date of your mobile phone
software, and imagine running an equally old softphone on your desktop.
On Thu, Jun 08, 2006 at 11:34:25AM -0700, Jon Callas wrote:
> So I'll repeat my question -- what are the problems with Skype that
> are unique to Skype?
It shares all the same problems as any softphone (any p2p software),
and like any softphone risks everything running on the same device,
and more. But special to Skype is that you depend on their
infrastructure and security model on who can call you. This behaviour
can be modified by the user, but not by the enterprise system
administrators. With SIP you can have peering agreements, and not just
anyone can call another party without the involvement of perimeter
defences that can validate and "rewrite" the messages to filter out
unwanted and mis-formatted calls.
Replace the word "call" with "attack" anywhere above...
P2P SIP has all the same issues as Skype, but then the protocol is
open. It would be just like having an unprotected TLS-enabled
web-server and web-client on every enterprise PC. Content-aware
perimeter defences and hop-by-hop encryption become a must.
/Ari
PS: Update your VoIP software (even mobile) regularly!
--
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Tutkijantie 4E
tel: +358-40 50 67678 FIN-90570 Oulu
http://www.codenomicon.com Finland
PGP: http://www.codenomicon.com/codenomicon-key.asc
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-
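The perimeter check described in the post above (reject mis-formatted SIP requests and accept calls only from parties covered by a peering agreement), as an added Python example; it is not part of the original message or of Codenomicon's software. The peer domains, header values and INVITE bodies are constructed for the example, and the header and Content-Length checks follow RFC 3261.

```python
import re

# Hypothetical peering agreements: calls are accepted only from these domains.
ALLOWED_PEERS = {"peer-a.example", "peer-b.example"}

# Headers every SIP request must carry (RFC 3261, section 8.1.1), lower-cased.
REQUIRED_HEADERS = ("via", "from", "to", "call-id", "cseq", "max-forwards")

_REQUEST_LINE = re.compile(r"^([A-Z]+) sip:\S+ SIP/2\.0$")
_CSEQ = re.compile(r"^(\d+) ([A-Z]+)$")
_URI_HOST = re.compile(r"sip:[^@<>\s]+@([A-Za-z0-9.-]+)")


def parse_request(raw: bytes):
    """Return (method, headers, body) for a SIP request, or raise ValueError.

    headers maps lower-cased names to lists of values so repeated headers
    (several Via hops) are preserved rather than silently merged.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLFCRLF terminating the headers")
    lines = head.decode("ascii").split("\r\n")  # UnicodeDecodeError is a ValueError
    m = _REQUEST_LINE.match(lines[0])
    if not m:
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line {line!r}")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return m.group(1), headers, body


def check_request(raw: bytes):
    """Perimeter decision for one inbound request: (accepted, reason)."""
    try:
        method, headers, body = parse_request(raw)
    except ValueError as exc:
        return False, f"malformed: {exc}"

    missing = [h for h in REQUIRED_HEADERS if h not in headers]
    if missing:
        return False, "missing headers: " + ", ".join(missing)

    # CSeq must be numeric and name the same method as the request line.
    m = _CSEQ.match(headers["cseq"][0])
    if not m or m.group(2) != method:
        return False, "CSeq does not match request"

    # Max-Forwards must be a small non-negative integer (loop protection).
    mf = headers["max-forwards"][0]
    if not mf.isdigit() or int(mf) > 70:
        return False, "bad Max-Forwards"

    # A declared Content-Length must match the body actually received.
    if "content-length" in headers:
        declared = headers["content-length"][0]
        if not declared.isdigit() or int(declared) != len(body):
            return False, "Content-Length mismatch"

    # Peering: the caller's domain must be one we have an agreement with.
    m = _URI_HOST.search(headers["from"][0])
    if not m:
        return False, "From URI not parseable"
    domain = m.group(1).lower()
    if domain not in ALLOWED_PEERS:
        return False, f"no peering agreement with {domain}"

    return True, "accepted"


def _invite(from_uri, body=b"v=0\r\n", content_length=None, drop=None):
    """Build a constructed INVITE; `drop` removes one header to simulate a broken message."""
    lines = [
        "INVITE sip:bob@corp.example SIP/2.0",
        "Via: SIP/2.0/UDP peer-a.example;branch=z9hG4bK776asdhds",
        "Max-Forwards: 70",
        f"From: Alice <{from_uri}>;tag=1928301774",
        "To: Bob <sip:bob@corp.example>",
        "Call-ID: a84b4c76e66710@peer-a.example",
        "CSeq: 314159 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body) if content_length is None else content_length}",
    ]
    if drop:
        lines = [l for l in lines if not l.lower().startswith(drop.lower() + ":")]
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


# Constructed sample traffic (not captured from any real system).
GOOD_INVITE = _invite("sip:alice@peer-a.example")
UNKNOWN_PEER = _invite("sip:mallory@unknown.example")
MISSING_CALL_ID = _invite("sip:alice@peer-a.example", drop="Call-ID")
BAD_LENGTH = _invite("sip:alice@peer-a.example", content_length=999)
NO_HEADER_END = GOOD_INVITE.replace(b"\r\n\r\n", b"\r\n")

if __name__ == "__main__":
    for name, msg in [("good", GOOD_INVITE), ("unknown peer", UNKNOWN_PEER),
                      ("missing Call-ID", MISSING_CALL_ID), ("bad length", BAD_LENGTH),
                      ("truncated", NO_HEADER_END)]:
        print(f"{name:16s} -> {check_request(msg)}")
```

The structural checks run before the peering check on purpose: a message that cannot even be parsed is dropped without ever consulting the peer list, so the cheapest decision is made first and the parser never reaches the application layer behind it.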