[VOIPSEC] Soft Phone Vulnerabilities
Craig Southeren
craigs at postincrement.com
Tue Jun 13 18:26:34 CDT 2006
On Tue, 13 Jun 2006 07:16:25 -0700
Jon Callas <jon at pgpeng.com> wrote:
..deleted
> > Given that Skype was doing business long before this time, I think the
> > timing says more about the business acumen of eBay than it does about
> > how keen Skype is to have external reviews of their code :)
> >
>
> Oh, yeah, it was a paid analysis, but they picked a good guy, as I said.
>
> One of the things Tom told me was that he liked their architecture,
> but he found bugs in their code, and suggested tweaks they could make
> to the core system.
>
> But he also said that these are guys who literally grew up under
> Soviet occupation, and they see no need to bow to anyone. *That* is
> the attitude I want to see. I've seen eBay follow up on it, as well.
It's OK to have the attitude, but legal and financial realities will
always have the final word. Look at the compromises that Google has been
prepared to make in order to get access to the Chinese market (although
I have seen hints that they are thinking about withdrawing).
..deleted
> There's no difference between reverse-engineering and malware. I *am*
> smiling when I say that, but I do mean it.
I hope it is a big smile :)
I see malware and reverse engineering as two different kinds of attacks.
The obfuscation mechanisms in the Skype executable are obvious defences
against reverse engineers which have no real purpose as a defence
against malware, other than as part of the general principle of
"security through obscurity".
..deleted
> I was at a conference that included law enforcement people a few
> months ago, and the Skype/eBay folks were there. They had a big slide
> that said
>
> Skype is software
> not a service
>
> as part of their preso. I interpreted this as saying that they do not
> believe CALEA applies to them. That is another bit of info that I
> noted and thought favorable.
That's a pretty naive position, especially as they are now owned by a US
company. My understanding is that if they are providing US DID numbers,
then they (or their service provider) will be required to conform to
CALEA. Good luck getting out of that one :)
> > But let's assume that Skype did open their kimono and let it all hang
> > out. The short-term result would be a resounding nothing. There is
> > sufficient investment (both emotional and monetary) that nobody
> > would be
> > throwing away their SIP or H.323 networks anytime soon. I would expect
> > that a whole bunch of Taiwanese companies would write their own Skype
> > stacks and stop paying Skype royalties for their stack, but that would
> > be about the only immediate reaction.
..deleted
>
> I don't know. I really don't. I confess that I don't know why anyone
> is in the VOIP business. At the risk of oversimplification and
> caricature, it seems to me that the VOIP business has a lot of people
> racing to see how fast they can give their stuff away (Skype
> included). I don't see how this is a viable business model at all.
>
> If the Skype business model is *only* that they charge for connection
> to the POTS network, then compatible implementations are no threat to
> that. I don't know how much licensing of the actual stack is part of
> their plans.
I think the Skype business model was to make money by creating a market,
and then selling it to someone to who wanted that market. The fact that
VoIP was used was purely coincidental. But then, I'm a cynic :)
> > I would agree that there is certainly a lot of knee-jerk reaction to
> > Skype of the "closed source is bad, open source is good" type. I'm
> > certainly not doing that.
>
> As someone who makes a quasi-open source system, I think open source
> is good. I think open review is good. I look askance at closed
> protocols. I do, however, twitch at what I mentioned before -- the
> threat of lots of portable storage getting turned into "iPods are
> bad." Security people are especially prone to that sort of hyperbole.
As someone who has worked almost completely in the Open Source arena for
nearly 10 years (I am a co-founder of the OpenH323 project, and I
continue to develop and maintain that project and other related projects
to this day), I think the market is big enough to have both open and
closed protocols. To me, Open Source is another marketing mechanism, not
a religion. But for crypto, Open Source is definitely to be preferred
due to the opportunities for review.
..deleted
> From the CSO perspective, if Skype represents a threat, but the same
> threat is posed by cell phones or wireless cards, then banning Skype
> is merely shifting the threat. It also shifts it to a place that I
> have less control over. The actual protocol matters not.
I agree that every communication mechanism has its own vulnerabilities
and offers different opportunities for exploitation by black-hats - both
the ones inside the carrier and outside.
Skype is based on a PC, so it can (potentially) exploit the full
resources of the PC to do its harm. A cell-phone does not have those
resources, but it is a portable device that can be used to attack
targets of opportunity with very little chance of being noticed by the
user.
..deleted
> > Skype calls are not provably cryptographically secure, and any
> > claim by
> > anybody that they are needs to be carefully examined. History shows
> > that
> > extensive and ongoing peer review is the only way in which
> > confidence in
> > a cryptographic system can be gained - I do not yet see any reason why
> > Skype is any different.
> >
>
> Agreed. I'd only add that I know of no system that is *provably*
> secure, and I have a very cynical opinion of proofs of security, anyway.
It's not possible to prove that a system has no security flaws for the
same reason you cannot prove there are no space aliens amongst us. But
you can prove a system is NOT secure, and that's where the ability to
peer review comes in.
In other words, there are only two kinds of networks - those that have
been shown to be insecure, and those that are *YET* to be shown to be
insecure :)
..deleted
> Cool. Thanks. This has been a fun discussion.
Yes, it has :)
Craig
-----------------------------------------------------------------------
Craig Southeren Post Increment VoIP Consulting and Software
craigs at postincrement.com.au www.postincrement.com.au
Phone: +61 243654666 ICQ: #86852844
Fax: +61 243656905 MSN: craig_southeren at hotmail.com
Mobile: +61 417231046
"It takes a man to suffer ignorance and smile.
Be yourself, no matter what they say." Sting