[VOIPSEC] Soft Phone Vulnerabilities

Michael Slavitch slavitch at gmail.com
Thu Jun 15 07:44:43 CDT 2006


On 6/14/06, Craig Southeren <craigs at postincrement.com> wrote:
>
> On Wed, 14 Jun 2006 09:17:20 -0400
> "Michael Slavitch" <slavitch at gmail.com> wrote:
>
> > Hello;
> While Berson's paper appears to be an excellent review of one version of
> the Skype code, I don't consider that one review constitutes a
> comprehensive peer review of the entire network. See my previous email on
> this list on this topic.


Why should peer review be a market requirement for a vendor?

eBay's executives and board are sophisticated enough not to expose
themselves to undue risk.
They are using Skype to tunnel PayPal transactions.  Given that, there is an
internal incentive to be secure.


> > As a comparison, millions of financial transactions use IIS/IE as
> > the underlying platform.  Any public opinions on IIS/IE security are
> > best left to the reader.
>
> Not sure why a comparison to IIS/IE security is relevant here.


Because we don't live in a world of distinct silos.  The comparison is valid
on an apples/apples basis.  If vendors and consumers trust IIS/IE enough to
use it for non-trivial global commerce even though the security model is
considered suspect by 'experts', then the security model in Skype/PayPal is
valid even if it doesn't satisfy all your concerns.  Ultimately it's not
your decision, it's the decision of consumers and service implementors and
occasionally regulators.


> > Point 2:  The security aspects of Software vs Hardware. Many SIP phones
> > have a default password that cannot be changed. One vendor in particular
> > has one 3-digit numeric root password for all its phones that cannot be
> > overridden. Many commodity phones have Linux firmware with open holes in
> > telnet/ftp/tftp and onwards, the better ones have passwords that are
> > difficult to crack. Almost all have a default root password that is
> > stored in firmware and almost all do their provisioning over clear text
> > http.  Given the choice between using one of these phones and Skype for a
> > sensitive conversation outside a NAT I must choose Skype because it is
> > more trustworthy.  Hardware is insecure because the underlying platform
> > is almost certainly poorly implemented. It is closed hardware that cannot
> > be trusted, not closed software.
>
> The issues you raise (open holes in telnet/ftp etc) are actually all
> software issues, not hardware, so I can't really see the difference
> between security holes in embedded software and security holes in
> software that runs on general purpose PCs.


Given that, you must then agree that proprietary Skype with a valid security
model, even one you don't know about, must always trump a
proprietary embedded system with no security model that you don't know
about.

> I won't get into the security aspects of POTS.  That would be
> silly.

"Not so much silly as well known."

I have to strongly disagree with that. Well known by telecoms experts
perhaps, but those are few.  Well known by the public? No.

"As long as the relay (voluntary or not) is a closed system the privacy
problems still remain."

That's a religious argument.  You can trust a closed system if you trust the
vendor. The Bell network was and remained a closed system for most of its
history, only becoming documented using standards it created on its own
schedule, at its convenience, almost a century after its creation.  The
same was true for most national carriers, which were considered strategic
assets by their governments.  By definition they were closed, they were
considered state secrets. In some cases they were run by private interests,
in most cases they were and are run by the post office, operating ultimately
under direct state control as a strategic asset with a direct link to the
security state.   I suggest some reading on how national telephone networks
were established.

"I know from personal experience that Skype is far from being as reliable as
the PSTN, and it's got nothing to do with the reliability of the boxes that
Skype is running on."

That is not true at all.  The reliability problem in Skype is entirely based
on the quality and number of supernode peers in the overlay. For details on
this *Henning Schulzrinne* <http://www.cs.columbia.edu/~hgs/> is an expert
and I will defer to him, but both the problem space and solution space are
well known, they just need working implementations.  In the case of Skype it
can be accomplished with policy extensions on existing supernodes.

"I expect users within the continental US don't see the problems that we get
out here in the back-blocks, but try calling between (say) Australia
and Turkey via Skype. You can do it any way you like - Skype to Skype-Out,
Skype to Skype, and in either direction. You'll get a connection no more
often than one in two call attempts, and when you do get a connection, the
latency will be about 3-4 seconds. And that's with an ADSL broadband
connection at both ends. Of course, calling to and from the US works just
fine on both those endpoints. But PSTN, or even cellphone, will get a
connection over the same route nearly every time."

"All of this notwithstanding, the fact still remains that Skype is a highly
useful service, and has managed to achieve many objectives that previous
attempts to monetise the VoIP space have failed to do. And I have no doubt
that the people behind Skype are nice and enthusiastic people with all of
the best intentions and motives."

I suspect much of that has to do with a horrible backbone with carriers
playing dirty tricks on communications they don't like.  The same would be
true for SIP or H.323.

"But none of these are reason to gloss over the hard technical facts that it
is still a closed system, and as such, cannot be assumed to be any more
secure than any other closed system."

Agreed.  But I can also assert that I can trust closed systems more than
open systems if I trust the closed system vendor more than I trust open
source implementors.  A closed system vendor usually has a bank account, a
closed system vendor can sign a legally binding contract, and a closed
system vendor can be sued not just by other vendors but by users at large in
a class action.  My bank uses a closed system for its transactions, and I
trust my bank to either be secure or compensate me for failure.

I also trust that the market and reputation are powerful motivators for
both quality and security.  Vendors will not destroy themselves if they can
avoid it.  Those that do fail.

"No amount of straw-man comparisons with other failed closed source and open
source systems will change that fact."

Failed? Sorry. Skype has already won. The consumer has decided.  The rest is
cleanup.

"Experience shows that security comes from interoperability with devices
written by third parties to a documented standard, and from the ability to
withstand attacks (either on paper or in real-life) by parties that are
knowledgeable about the internal design of the system. This applies to both
the design and the implementation of the components."

This experience is fine in theory but in reality almost all secure
communications implementations in wide use are proprietary.

"Neither of these conditions apply (yet) to Skype."

They don't exist for 99.999% of a multi-trillion dollar global economy,
either.  Much of it still runs over SNA.
