[VOIPSEC] Soft Phone Vulnerabilities
Jon Callas
jon at pgpeng.com
Mon Jun 12 14:05:51 CDT 2006
I'm going to take a giant step back, Craig, because you and I are
down a rathole. I will restate my points back from the beginning.
As I've said before, I'm not a Skype fan. I share all your concerns
about Skype security, its lack of openness, and so on. I'm a co-
author on a competing protocol (ZRTP) that I think has better
security and better scaling.
However, there are two very good documents I've read, and it appears
that you're unfamiliar with them.
The first is Tom Berson's. It is at
<http://www.anagram.com/berson/abskyeval.html>, and he didn't reverse
engineer it. He spent time
with the developers, and at their request. Skype commissioned this
report themselves. I think it counts as "peer review" when you hire
someone reputable to do an analysis. This is not as good in my
opinion as completely opening the doors up (which I do with PGP
software), but it is nonetheless a form of peer review.
I've also spoken to Tom about it, and he had many good things to say
about them, their architecture, and their dedication to producing a
quality cryptosystem. He's someone I trust, and he has said many good
things about Skype. Before I read Berson's report, I was completely
and peremptorily dismissive of Skype. Now, my criticisms of it (which
we've not gotten to) are complex enough that they don't fit in a
sentence or three. I understand that relatively few people have had
the luxury of lunch with Tom to talk about what he thinks about Skype.
The second important report to read is the one from this year's Black
Hat Europe. You can find it at:
<http://www.secdev.org/conf/skype_BHEU06.pdf>. They *did* get their
results through reverse-engineering. Nonetheless, I was pleasantly
amazed to read about some
very cool things in Skype that gosh-darn it, they *should* talk about
publicly, like their anti-malware mechanisms.
So, there are two things to read, and I am surprised to see that
there is as much attention to security in Skype as there is. While I
disagree with some of the decisions they made, they're not idiots. If
you are a competitor with them, the biggest favor they're doing for
you is by *not* showing up in standards meetings. If Skype showed up
in Montreal for the IETF and said, "Hi, we're here to open the
kimono," that would be devastating to many competitors. The criticism
that they are not open vanishes, and we're left with a protocol-to-
protocol discussion of features and benefits. And they're not stupid
people.
Okay, on to what I have been saying:
I have been hearing people say something of the form, "I don't like
Skype because of X," and that remark puzzles me. I think that there
are a couple of possibilities about this complaint:
1) I don't understand it. People get in a hurry and they don't have
the time to be clear and precise, so they type some shorthand. I am
reasonably certain that most of the issues are in this category,
particularly here. We're all smart, busy people. That's why I've been
asking questions. I think I don't understand.
2) The problem isn't a problem with Skype per se, but with something
larger.
That's why I've been asking for the complaints about things that are
*uniquely* Skype issues.
Let me give some examples.
If the complaint is, "I don't like Skype because it chews up my
precious network bandwidth," then this is not a Skype issue, it is a
problem of resources and allocation. Yes, indeedie, if you are in a
small office on the tail end of an IDSL line, then you are not a
candidate for VOIP of any sort.
If the complaint is, "I don't like Skype because my users might do
scary stuff I can't see," then I am genuinely confused. In the
absence of VOIP, most of these people would be doing the same scary
stuff some other way. I also wonder what the scary stuff is.
If the scary stuff is the usual sort of phone abuse (calling
relatives in Elbonia on company phones), VOIP in general makes that
less of a problem (except for the lost time). It's certainly no
worse. If the scary stuff is information leakage, then mobile phones,
particularly ones that can operate as network connections (EDGE/GPRS
etc.) are a far bigger threat.
I am genuinely puzzled about the genuine problem. I must be missing
something because every threat about Skype I can think of is not
Skype-specific. If I wave a magic wand and make Skype go away, any
threat I think of moves to some other place. Some threats to mobile
phones, some to POTS, some to other VOIP systems, and some to
networking in general.
Even my complaints about Skype (it's insufficiently documented,
overly complex network architecture, etc.) are not unique to it. As
someone said earlier today, the security parts of GSM are still
secret. And there's a bit of a brouhaha going on about a mysterious
room or three in the POTS infrastructure. One of the reasons I've
been working on ZRTP is that I think it's a good architecture and
good security; I'm not being paid for it. Nonetheless, at the end of
the day, I have to give the devil his due. The more I have learned
about Skype, the more I've been favorably impressed.
I think it is important, if one is to criticize Skype, to criticize
it for the right things.
Jon
--
Jon Callas
CTO, CSO
PGP Corporation Tel: +1 (650) 319-9016
3460 West Bayshore Fax: +1 (650) 319-9001
Palo Alto, CA 94303 PGP: ed15 5bdf cd41 adfc 00f3
USA 28b6 52bf 5a46 bc98 e63d