[VOIPSEC] Soft Phone Vulnerabilities

[Irwin Lazar]

Ken, I think you nailed it - I don't see Skype being any different from a
risk perspective as any other application that allows in-bound, unsolicited
access from the Internet (e.g. Any other public IM service such as AIM, MSN,
Yahoo, etc.)

In "theory" someone could find some as of yet undiscovered flaw in Skype and
write a script that can take advantage of that flaw.  In "theory" they could
do things like cause a PC to reboot, take remote control, cause data loss,
and so on.

The fact that this hasn't happened yet, despite tens of millions of Skype
users is a very good sign, and speaks to the effort to which the Skype
developers have gone to secure their product.

But, the risk is still there.  And there are other flaws that have been
recently exposed, such as the ability to create a rogue Skype client and
attach to the Skype network.

In the research report on Skype that I wrote for Burton Group clients (which
is now free if you want to register at burtongroup.com for guest access), I
noted that the bigger issues from an enterprise perspective with Skype is
the simple fact that enterprises can't track how it's being used.  For
enterprises subject to regulations such as SOX & HIPPA, this is a
show-stopper.  Someone brought up the cell phone argument earlier, at least
with cell phones I can get the call records.  If my employees are using
Skype I have no way of knowing what they are doing.

Irwin

> 
>> From an enterprise perspective, Skype is a black box that relays
> traffic to other skype users. I think the concern is not so much what
> people are saying over skype and if it can be intercepted. But more
> like any p2p app, what threats does it introduce by having employees
> running it on their enterprise laptops and desktops. At least thats
> how I see it.
> 
> -Ken