[VOIPSEC] Soft Phone Vulnerabilities

Michael Slavitch slavitch at gmail.com
Wed Jun 14 08:17:20 CDT 2006


Hello;

This is my first post to this list, so I'll summarize my points quickly and
look forward to having detailed discussions on my points later.

I led a session on Skype in the enterprise on Monday June 12 at the eBay
Devcon.

More details are here: http://www.well.com/~theek/p2pe.html

Point 1:  The security aspects of Skype.  I consider Skype security to be a
solved problem, orders of magnitude better than what has been implemented by
vendors using products based on ITU, 3G and the proposed IMS standards.
Standards are useless unless implementations work correctly.  The security
analysis done by Dr. Thomas A. Berson
(http://www.anagram.com/berson/index.html) is valid and correct.
The only implementations that approach or exceed
Skype's level of security and trust are arguably the personal trust of PGP
ZRTP, high-cost proprietary systems for commercial or military use, and the
research coming from Henning Schulzrinne (http://www.cs.columbia.edu/%7Ehgs/)
and Eunsoo Shim (http://www.arkko.com/tools/stats/eunsooshim.html) that
are being considered for use in a future P2PSIP standard.  The assertions in
my presentation could not have been made if Skype security were an open
issue.  As a comparison, millions of financial transactions use IIS/IE as
the underlying platform.  Any public opinions on IIS/IE security are best
left to the reader.

Point 2:  The security aspects of Software vs Hardware.  Many SIP phones have
a default password that cannot be changed.  One vendor in particular has one
3-digit numeric root password for all its phones that cannot be overridden.
Many commodity phones have Linux firmware with open holes in telnet/ftp/tftp
and onwards; the better ones have passwords that are difficult to crack.
Almost all have a default root password that is stored in firmware, and
almost all do their provisioning over clear-text HTTP.  Given the choice
between using one of these phones and Skype for a sensitive conversation
outside a NAT, I must choose Skype because it is more trustworthy.  Hardware
is insecure because the underlying platform is almost certainly poorly
implemented.  It is closed hardware that cannot be trusted, not closed
software.  I won't get into the security aspects of POTS.  That would be
silly.

Point 3:  Unknown relays in Skype.  Jon Callas rightly points out that
unknown relays in Skype cause a concern regarding sensitive communications,
and I agree with him.  My proposal for Skype Enterprise Peers calls for the
creation of preferred relays.  Enterprises could put a multi-session
enterprise peer outside the NAT for all their incoming and outgoing sessions.
The same peer could of course be used by individuals if it were available to
them.  This places control over ingress and egress, as it concerns them, in
the hands of the end user without need for any core infrastructure or core
provisioning.  There are implications downstream of this: replacement of
involuntary relays with voluntary relays creates the potential for a social
network that could recover its costs through advertising ("this Skype call
brought to you by Bob's Pizza"), which in turn also creates a network based on
trust and transparency.  To test this I created a brute-force voluntary peer
in Skype by using hard firewall rules on a NAT gateway, which forced all
Skype peers that were behind it to use the only Skype node they could reach,
which was another Skype node under my control on the public Internet.

Point 4:  Skype Reliability.  A side-effect of my DMZ test was increased
reliability and sound quality for nodes behind a NAT, mostly because the
relay node on the public side was on an otherwise idle machine which did
nothing but Skype.  Skype (and all P2P based systems) can be made better
than 5-nines reliable by throwing commodity hardware at the problem and letting
it scale up.  By definition, server clusters running preferred relays and
super nodes would be far more reliable than the PSTN; the advantage is that
these supernodes would be self-organizing and wouldn't need provisioning.
You could replace the PSTN with a high-limit credit card and an order from
Dell.

Regards

Michael Slavitch

http://www.well.com/~theek/
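
The forced-relay test described in Point 3 above, as an added example that is not part of the original post: a small POSIX shell script that emits iptables FORWARD rules for a NAT gateway so that hosts on the LAN can open new connections to exactly one public-side relay and nothing else, with everything that tries to go elsewhere logged and dropped. The interface names, the LAN subnet and the relay address are assumptions chosen for illustration; the post gives none of them. The script only prints the rules, so it can be reviewed before being piped to a shell on the gateway.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates iptables FORWARD
# rules that pin every LAN host behind a NAT gateway to a single public-side
# relay, the approach described in Point 3. All addresses and interface names
# passed in are assumptions for illustration.
set -eu

# gen_relay_rules LAN_NET LAN_IF WAN_IF RELAY_IP
# Prints one iptables command per line. Nothing is applied here; pipe the
# output to "sh" on the gateway once it has been reviewed.
gen_relay_rules() {
    lan_net=$1; lan_if=$2; wan_if=$3; relay_ip=$4
    printf '%s\n' \
        "iptables -F FORWARD" \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -d $relay_ip -j ACCEPT" \
        "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j LOG --log-prefix 'relay-bypass: '" \
        "iptables -A FORWARD -i $lan_if -o $wan_if -s $lan_net -j DROP"
}

# count_lan_accepts LAN_NET LAN_IF WAN_IF RELAY_IP
# Sanity check on the generated set: how many rules accept NEW outbound
# traffic from the LAN. Exactly one is expected (the relay itself).
count_lan_accepts() {
    gen_relay_rules "$@" | grep -c -- "-s $1 -d .* -j ACCEPT"
}

# Dry run:  gen_relay_rules 192.168.1.0/24 eth1 eth0 203.0.113.10
# Apply:    gen_relay_rules 192.168.1.0/24 eth1 eth0 203.0.113.10 | sh
```

The rules cover only the FORWARD chain; the gateway's existing MASQUERADE/NAT configuration is left alone, and anything else the LAN clients genuinely need (DNS, for instance) has to be added as a further ACCEPT rule ahead of the DROP, which is exactly what the LOG line is there to reveal. The "relay-bypass:" log entries are also the evidence that peers really are confined to the chosen node rather than quietly finding another path.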
