[VOIPSEC] Soft Phone Vulnerabilities
Diana Cionoiu
diana-liste at voip.null.ro
Sat Jun 10 08:19:37 CDT 2006
Hello Henry,
Actually as long as we use computers for VoIP all those concerns remain,
no matter if we talk about Skype or Skinny or SIP or any other protocol.
As long as the voice is passing through something which can be affected in any
way by malicious software we will have the same problem. No matter if we
like it or not, PCs aren't secure. As a reference for what a trojan can
do with your computer please take a look at:
http://www.f-secure.com/v-descs/subseven.shtml
Please notice the actions:
1. Record Sound file from remote mic.
2. Show files/folders and navigate
3. Enable Key Logger / Disable
4. List Recorded Passwords
5. Open CD-ROM Drive / Close
And a few others. If you like to use a phone which may have these
problems, you are free to do it, but I love my privacy.
Diana Cionoiu
P.S. Softphones are a solution but not the ultimate one.
Henry Sinnreich wrote:
>>This is why people worry about Skype being used in the workplace,
>>
>>
>
>I am afraid this is just sour grapes. Skype has been attested as being
>secure, enhances the productivity in the enterprise, supports communications
>worldwide with customers and partners and may become the AT&T of VoIP.
>And is profitable as well, which is an exception to the rule in the VoIP
>provider world.
>
>We can only hope the "pre-standard" Skype will get some competition from a
>standards based system.
>
>Thanks, Henry
>
>-----Original Message-----
>From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
>Behalf Of Martyn Davies
>Sent: Wednesday, June 07, 2006 3:02 AM
>To: Jacobs, Marcia; Voipsec at voipsa.org
>Subject: Re: [VOIPSEC] Soft Phone Vulnerabilities
>
>A softphone is just a normal executable application, no more and no
>less. It's just that (unlike, for example, Word) its main job is to
>handle streaming audio.
>
>As an application it has full access to all the resources of the PC, and
>runs with the rights of the user that started the softphone. Therefore
>if you login with administrative rights (which I guess an awful lot of
>people do), the softphone application has all administrative rights to
>the machine. Therefore if a softphone is carrying some kind of Trojan
>or backdoor inside it, an attacker could do any of the following:
>
>* Listen to any inputs on the soundcard
>* Read all your files and transmit them somewhere else
>* Capture data being sent to the screen, or coming in from the keyboard
>* Scour your machine looking for passwords, etc.
>* Disable antivirus or other protective tools
>* Monitor the LAN that the computer is attached to, and perhaps even
>attack other machines
>
>Since the soundcard is always powered on in a PC, there's nothing to
>stop an application switching on the mic at any time and listening.
>
>In summary, it's not just 'softphone vulnerabilities' that are the worry
>per se, but the fact that the whole PC is vulnerable to attack if the
>wrong kind of malware gets run on it.
>
>This is why people worry about Skype being used in the workplace,
>because (a) a lot of desktops have it across the world, which is an
>opportunity for hackers and (b) if they succeed in compromising Skype
>then not just audio but all kinds of secrets could be funneled out of
>the organization without anyone even knowing that an attack was
>underway.
>
>Regards,
>Martyn
>
>
>-----Original Message-----
>From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
>Behalf Of Jacobs, Marcia
>Sent: 06 June 2006 19:04
>To: Voipsec at voipsa.org
>Subject: [VOIPSEC] Soft Phone Vulnerabilities
>
>Wondering if anyone can recommend a good security document on
>softphones, and the potential of turning on microphone remotely.
>
>Thanks!
>
>Marcia Jacobs
>Sandia National Labs
>CA Telecommunication Ops
>Phone & Fax: 925.294.1586
>mjacob at sandia.gov
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org