[VOIPSEC] Soft Phone Vulnerabilities

Craig Southeren craigs at postincrement.com
Thu Jun 8 19:02:14 CDT 2006 

On Thu, 8 Jun 2006 11:34:25 -0700
Jon Callas <jon at pgpeng.com> wrote:

..deleted

> Actually, that's been documented rather well. I understand how Skype  
> works much better than I understand how a Nokia 6230 tied to Cingular  
> works, network-wise.

I don't share your understanding.

We have *one* document on the internals of Skype that was written by a
team that had to reverse engineer the information. That's all we have.
It may be correct, or it may not - again we have no way of knowing for
sure.

GSM moble phones are written to interoperable specifications that have
been around for years, and have been implemented by multiple vendors. If
you want to know how any part of a GSM network operates, just go and get
the specification. It won't be easy to understand (a GSM network is
complicated) but the information is all available. The same applies to a
SIP network or a H.323 network.

> Nonetheless, you are correct in saying that we have much better  
> knowledge of the details of GSM cryptography than we do of Skype's.  
> However, what we know about GSM crypto is that it's crap.

Thanks for proving my point!

The lack of security in GSM is well known because it was proven by peer
review. We have no way of knowing if the security in Skype is crap
because it can't be peer reviewed.
 
> My point is that the alternative to Skype -- a cell phone -- doesn't  
> have better security.

We also have no way of knowing if Skype is better than GSM :)

..deleted

> I don't have the alternative of free software products. My cell phone  
> is not open software. I have far less knowledge of its internals than  
> I do of Skype.

This is due to a lack of research, not a lack of available information.

> >  - no possible control by a network administrator of the working of  
> > the
> > software[3].
> >
> 
> Unlike those mobile phones?

The attributes of a GSM mobile network are well known because they are
based on public and interoperable standards. Given sufficient time,
anybody or company can create a GSM mobile handset, or base station, and
have it work with anybody else's equipment. It might not be technically
wonderful, but everyone can find out how it works.

Skype is a closed standard. We have no idea if the protocol is crappy or
not, because it is not open. Obviously Skype has licensed the protocol
to other vendors, but also just as obviously these vendors are
prohibited from disclosing that information.

..deleted

> I think you're completely missing my point.
> 
> The point is that whatever we may not like about Skype, it is not  
> worse and often better than the alternatives.

If you are are talking about the user experience, then I agree with you.

If you are talking about the design of the system, then I cannot agree
with you because there is insufficient information to make this
evaluation.
 
> if you say that you're going to disallow Skype because it's doing  
> stuff on the network that you don't control, I think that's silly,  
> because if you ban Skype, they'll use a mobile phone. You have less  
> knowledge and control on the GSM network, and the cryptography is  
> known to suck so badly it can be broken in realtime.

And you know this because the GSM specs have been peer reviewed and
found lacking. For all you know, the Skype protocol could be breakable
in real-time too, making it just as "crappy".
 
> If you're going to ban Skype because it's running on a PC that could  
> have malware, it ignores software issues on mobile phones and  
> software issues on other VOIP phones. We are switching our local  
> infrastructure over to Cisco VOIP phones, which are also at the  
> bottom -- software.

Again, comparing apples and oranges.

Software running on a purpose-built appliance such as GSM phone, or a
Cisco Phone, or Skype handset for that matter, will usually be more
reliable than software running in the wild ecosystem that is a general
purpose PC. 

All of which has nothing to do with how secure Skype is :)
 
> If you're going to ban Skype because it's VOIP and VOIP is inherently  
> less secure than POTS, then that is the best reason I know of to ban  
> it. The argument has its own problems, but it's a better argument  
> than many I've heard.

I also agree this is a sensible argument. Many companies I know of will
not use VoIP unless it is over a known secure transport such as IpSec or
a private network. I certainly make this clear to companies I do
business with.
 
..deleted

> If you're worried about the security of running Skpye on a PC, it's a  
> valid complaint, but it's a complaint applicable Gizmo, EyeBeam, etc.  
> The problem isn't a *Skype* problem. it's a problem with running VOIP  
> on a PC.

The difference is that those networks are not claiming to be secure and
encrypted. Skype is - but they provide no means to verify that claim
cryptographically. The same argument applies to any closed source VoIP
network.
 
..deleted

> So I'll repeat my question -- what are the problems with Skype that  
> are unique to Skype? I have my answers to this question (which I  
> haven't stated at all). I'm not a Skype fan. But I'm not an enemy,  
> either. The more I see of it, the more I am willing to tolerate it,  
> and that in itself makes grumpy because I think they should just hire  
> some people to come out with an Inside Skype book. Heck, they could  
> present it at some $1000/day conference and I'd be there in a heartbeat.

My problem with Skype is very simple. 

They claim to provide a secure network, but they provide no means to
verify that claim. Given that they also claim to be peer to peer, there
are reasons to doubt their claim to security. They are using this claim
to distinguish their product from competitors, and naive users are
believing them. 

I'll certainly not be trusting their claims of security until I have
them verified by peer review. Until then, I'll continue to use Skype (or
MSN, or Yahoo or unencrypted SIP or unencrypted H.323) but not for
anything that I would not say over the PSTN or cell phone networks.

History shows that networks developed behind closed doors are very
rarely secure, and I strongly suspect that in the end Skype will prove
to have some similar flaw. 

   Craig


-----------------------------------------------------------------------
 Craig Southeren          Post Increment – VoIP Consulting and Software
 craigs at postincrement.com.au                   www.postincrement.com.au

 Phone:  +61 243654666      ICQ: #86852844
 Fax:    +61 243656905      MSN: craig_southeren at hotmail.com
 Mobile: +61 417231046      

 "It takes a man to suffer ignorance and smile.
  Be yourself, no matter what they say."   Sting

More information about the Voipsec mailing list