[VOIPSEC] Soft Phone Vulnerabilities

Sebastien Tricaud sebastien.tricaud at wengo.fr
Fri Jun 9 12:06:53 CDT 2006 

Irwin Lazar wrote:
> Ken, I think you nailed it - I don't see Skype being any different from a
> risk perspective as any other application that allows in-bound, unsolicited
> access from the Internet (e.g. Any other public IM service such as AIM, MSN,
> Yahoo, etc.)
>   
Unlike IM applications written above, Skype has a peer-to-peer
architecture.

> In "theory" someone could find some as of yet undiscovered flaw in Skype and
> write a script that can take advantage of that flaw.  In "theory" they could
> do things like cause a PC to reboot, take remote control, cause data loss,
> and so on.
>   
This is not because Skype is security aware (see
http://www.skype.com/security/bulletins.html) that what you are stating
won't happen.
That *can* happen, and this is not just theory.

> The fact that this hasn't happened yet, despite tens of millions of Skype
> users is a very good sign, and speaks to the effort to which the Skype
> developers have gone to secure their product.
>   

They are quite good at it indeed!

> But, the risk is still there.  And there are other flaws that have been
> recently exposed, such as the ability to create a rogue Skype client and
> attach to the Skype network.
>   
As far as I know, being able to communicate with foreign networks isn't
a flaw. You can even use Skype provided API to do that.

> In the research report on Skype that I wrote for Burton Group clients (which
> is now free if you want to register at burtongroup.com for guest access), I
> noted that the bigger issues from an enterprise perspective with Skype is
> the simple fact that enterprises can't track how it's being used.  For
> enterprises subject to regulations such as SOX & HIPPA, this is a
> show-stopper.  Someone brought up the cell phone argument earlier, at least
> with cell phones I can get the call records.  If my employees are using
> Skype I have no way of knowing what they are doing.
>
>   
Well, this is the same issue with MSN. But I don't think this is a key
point.

Skype, being peer-to-peer, closed-source and encrypted flows has more
impact than just "I don't know what my user are doing".
When you call a customer and you *know* that your talk/files are shared
with others (anyone) that is enough to get rid of Skype in your network.

More information about the Voipsec mailing list