[VOIPSEC] Soft Phone security

[Andre Fucs de Miranda]

Marcia,

There's a  huge chance that some application could turn your microphone
remotely. This was already done a long time ago with the Back Oriffice. But I
wouldn't say that's the biggest problem on softphones.

IMHO the biggest problems with softphone are:

- The use of a multi-purpose computer to accomplish the user agent task may
compromise your user credentials. The reason is simple. Since your user is
going to use a computer running a regular operating system he may be victim
of a virus that could steal his login and password. Although this is a silly
threat, the impressive growth of trojan based bank fraud may serve as an
alert.

- The use of a soft phone can make segregation of your network harder to be
acomplished. Example:
Usualy the Voice over PacketCable networks offer the customer an specific
equipment called EMTA. This equipment can offer both Cable modem and Analogic
Telephone Adapter functionalities to the user. The interesting point is that
each of the EMTA's functionalities has can have a different MAC Address, IP
and MPLS configuration. This can help you to ensure that the VoIP traffic
will leave the user premises already tagged as voip traffic with an specific
addressing scheme. Some may say that this would be possible in a softphone
environment also, although I never saw this kind of implementation using
softphones.

Curiously the term VoIP always points to skype although this is not the only
VoIP system and getting obsessed about this subject might not help. :-)

Best regards,

Andre Fucs



> Wondering if anyone can recommend a good security document on
> softphones, and the potential of turning on microphone remotely.
>
> Thanks!