[VOIPSEC] Soft Phone Vulnerabilities
Zmolek, Andrew (Andy)
zmolek at avaya.com
Tue Jun 13 19:01:36 CDT 2006
Only where SkypeIn/SkypeOut touch the PSTN within the US does CALEA
fully apply, though a very liberal reading of the regulation and FCC
statements could lead one to believe that other aspects of Skype
services fall under CALEA as well. Frankly, the DOJ and FCC are having a
hard enough time getting compliance from major wireless and
data-oriented voice providers that I doubt that they're paying much
attention to Skype right now.
/\\//\Y/\ Andy Zmolek | zmolek at avaya.com | 303-538-6040
GCS Security Technology Development | Avaya, Inc.
-----Original Message-----
From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
Behalf Of Randell Jesup
Sent: Tuesday, June 13, 2006 2:18 PM
To: Jon Callas
Cc: Voipsec at voipsa.org
Subject: Re: [VOIPSEC] Soft Phone Vulnerabilities
Jon Callas <jon at pgpeng.com> writes:
>One of the things Tom told me was that he liked their architecture, but
>he found bugs in their code, and suggested tweaks they could make to
>the core system.
>
>But he also said that these are guys who literally grew up under Soviet
>occupation, and they see no need to bow to anyone. *That* is the
>attitude I want to see. I've seen eBay follow up on it, as well.
That can be good and bad. It can make them ignore outside criticism
(witness the discussion here of lack of peer review). It may give them
a predilection for security-by-obscurity (witness the lack of
information about Skype in general). It could (and there's no proof of
this) make them more likely to roll over quietly if serious governmental
threat/weight is dropped on them while still professing to be secure.
>There's no difference between reverse-engineering and malware. I *am*
>smiling when I say that, but I do mean it.
I think there's a big difference. Most people define 'malware' as
"software that by design does or can do things that aren't properly
disclosed to or expected by the user". Even if you don't define it that
way, it's easier to exploit bugs in code if you can reverse-engineer it,
but it's far from required to do so. All you need to know is that
certain inputs cause it to do bad things. But this is off the topic...
>I was at a conference that included law enforcement people a few months
>ago, and the Skype/eBay folks were there. They had a big slide that
>said
>
> Skype is software
> not a service
>
>as part of their preso. I interpreted this as saying that they do not
>believe CALEA applies to them. That is another bit of info that I noted
>and thought favorable.
I'm sure they'd prefer it that way. The current FCC rulings say
otherwise.
And Skype now touches (in both directions) the PSTN, and they're now
owned by a US company. And how do you know they haven't cut a deal to
provide CALEA support? They don't have to notify anyone that they
accept CALEA requests. By definition, the target is not supposed to be
able to know, and that feeds into their obscured network design well.
For that matter, you can't know if they're funneling selected streams
and signalling through NSA-run skype 'supernodes'.
>> Comparing Skype and the GSM or 3G networks is a straw-man argument.
>> The *only* part of the GSM network protocol that is not disclosed is
>> certain parts of the encryption scheme as well as the various
>> mechanisms that vendors use for encrypting the SIMs (I'm not an
>> expert here, so please feel free to demolish me on this point. But
>> provide references, please :)
>>
>> Every other part of the GSM and 3G standards (as far as I know) is
>> available as an open standard. These protocols have been implemented
>> countless times and have been subjected to probably millions of
>> man-hours of review.
>>
>> Skype has a looong way to go before I will consider it to be in the
>> same state of review as GSM or 3G, or even SIP or H.323.
>
>Well, I mentioned GSM solely because I have a GSM phone with which I
>have a love-hate affair. I had my CSO hat on, not my protocol designer
>hat on. I apologize for a lack of clarity. I think the data / voice
>capabilities of other mobile protocols are the same.
>
> From the CSO perspective, if Skype represents a threat, but the same
>threat is posed by cell phones or wireless cards, then banning Skype is
>merely shifting the threat. It also shifts it to a place that I have
>less control over. The actual protocol matters not.
Skype is a larger threat than cellphones. If Skype is compromised by a
3rd-party, that may give access to anything running on that PC, and
anything that PC has access to. (Much like any trojan or exploited
app/OS.) A compromised cellphone only will give access to calls and
perhaps act as a roving microphone, not give access to all networked
data.
Cellphones and in particular the cell network are harder to physically
hack (regardless of the security levels of the protocols themselves)
than computer networks (which are often easy to attack sitting in your
bathrobe 1/2-way around the world). Yes, I may be glossing over a few
issues, but you get my point. And this assumes that you can totally
trust Skype and everyone who works for them (and yes, those arguments
can apply to cellphones as well - but it's easier to assess the
vulnerability in a mostly-open design).
Random example: someone figures out a way to (due to bugs) tweak the
security setup exchange when acting as a supernode, such that the data
streams are vulnerable. Then they insinuate themselves as a convenient
supernode (by putting it on a good connection, or by blocking other
potential supernodes the target might use) and look for interesting
calls to attack. Not to say this is possible (in a given version of
Skype) - but it could be. We can't know. And again, this assumes that
it isn't possible for someone inside Skype/eBay to be bribed to cause
Skype to route your calls to an attacker with an attackable key. Is
that possible? We don't know. If they support CALEA or equivalent now
or in the future, then the ability to do so will probably be built in,
and if it's built in, then the odds of it getting misused are
significant. Also, if it's there it's a prime target for hackers. Even
if one machine at Skype is compromised, an attacker might insinuate
themselves into the system, even into the binaries, in theory even
without access to a machine at Skype. But a single carefully-placed
vulnerability if it made it into a binary release could compromise
millions of PCs.
And don't forget the Thompson attack:
http://cm.bell-labs.com/who/ken/trust.html
All of this doesn't mean Skype is an unacceptable threat. Just that
compared to a cellphone, overall it's probably a larger threat (risk)
due to the lack of information. Cellphones are a more well-defined
threat.
--
Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga OS
team rjesup at wgate.com "The fetters imposed on liberty at home have ever
been forged out of the weapons provided for defence against real,
pretended, or imaginary dangers from abroad."
- James Madison, 4th US president (1751-1836)
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org