[VOIPSEC] Soft Phone Vulnerabilities
Craig Southeren
craigs at postincrement.com
Thu Jun 15 09:48:02 CDT 2006
On Thu, 15 Jun 2006 08:44:43 -0400
"Michael Slavitch" <slavitch at gmail.com> wrote:
> On 6/14/06, Craig Southeren <craigs at postincrement.com> wrote:
> >
> > On Wed, 14 Jun 2006 09:17:20 -0400
> > "Michael Slavitch" <slavitch at gmail.com> wrote:
> >
...lots deleted
It took me a long time to work out what Michael was saying here and I'm
not sure I succeeded, so I'm not going to bother putting my replies
inline as that would make them too disjointed. Here is my go at
summarising his reply as it bears on the original thread of softphone
security.
1) "Skype must be secure, because it is a successful business and the
market would not let an insecure network be successful".
Not only is this circular logic, but he undermines his own argument with
snide comments on the technical merits of SNA, IIS and the PSTN networks
(all successful businesses, and also known to have serious security
problems)
2) "The problems experienced with Skype in Australia are due to carriers
interfering with IP traffic in order to disrupt Skype voice traffic"
This is a remarkable claim - I'd like to see it substantiated,
especially in a way that explains why high revenue destinations like the
US and Western Europe are unaffected, and why direct peer to peer VoIP
(using SIP or H323) works just fine.
Or you can just believe that Skype actually may have some deployment or
technical problems that have not been solved yet (or are not economic to
solve, more likely)
Regardless of the reason why it does not work, the fact still remains
that PSTN is more reliable over those routes.
And let's not even get into the issue of emergency call handling which
Skype neatly disclaims all responsibility for. Don't get rid of your
landline or cell phone just yet :)
3) "Closed systems can be trusted if you trust the vendor. And if they
fail, you can sue the vendor"
The first part of this claim is trivially obvious, if you trust the
vendor. But the problem always is, can we trust the vendor? If the
vendor is not held accountable, how do we know they are doing their job?
Michael would have us believe that we should trust the market because
the market will destroy any companies that have insecure products.
Yeah, right :)
The second part of the claim is trivially falsifiable - simply read the
terms of service for your ISP. Here is a quote from the Skype terms of
service (section 2.1) titled "No warranties"
"Skype shall endeavour to provide the VoIP service with minimum
disruptions. However Skype cannot guarantee that the VoIP service will
always function without disruptions, delay or other imperfections. Since
the VoIP service will be transmitted through public Internet lines and
the public switched telephony network, You understand that there may be
power outages or Internet service disruption and You may experience some
disruptions in the VoIP service, e.g. packet loss and delay.
Additionally, You also understand that calls to or from the public
switched telephony network are not encrypted and as such, could be
potentially subject to eavesdropping by law enforcement officials or
other third parties over the public Internet. Skype will not be liable
for any disruption, delays, eavesdropping or other omissions in the VoIP
service."
All of which is perfectly reasonable, but hardly leaves any room to sue
them if anything goes wrong (which is the intent)
4) "Skype has already won. The consumer has decided. The rest is cleanup."
I guess I missed the announcement :)
This will be my last post in this thread. Thanks to all that
participated - I learnt a lot more than I thought I would, and most of
it was not about soft-phone security :)
Craig
On Thu, 15 Jun 2006 08:44:43 -0400
"Michael Slavitch" <slavitch at gmail.com> wrote:
> On 6/14/06, Craig Southeren <craigs at postincrement.com> wrote:
> >
> > On Wed, 14 Jun 2006 09:17:20 -0400
> > "Michael Slavitch" <slavitch at gmail.com> wrote:
> >
> > > Hello;
> > While Berson's paper appears to be an excellent review of one version of
> > the Skype code, I don't consider that one review constitutes a
> > comprehensive
> > peer review of the entire network. See my previous email on this list on
> > this topic.
>
>
> Why should peer review be a market requirement for a vendor?
>
> eBay's executives and board are sophisticated enough not to expose
> themselves to undue risk.
> They are using Skype to tunnel PayPal transactions. Given that there is an
> internal incentive to be secure.
>
>
> > As a comparison, millions of financial transactions use IIS/IE as
> > > the underlying platform. Any public opinions on IIS/IE security are
> > best
> > > left to the reader.
> >
> > Not sure why a comparison to IIS/IE security is relevant here.
>
>
> Because we don't live in a world of distinct silos. The comparison is valid
> on an apples/apples basis. If vendors and consumers trust IIS/IE enough to
> use it for non-trivial global commerce even though the security model is
> considered suspect by 'experts', then the security model in Skype/PayPal is
> valid even if it doesn't satisfy all your concerns. Ultimately it's not
> your decision, it's the decision of consumers and service implementors and
> occasionally regulators.
>
>
> > > Point 2: The security aspects of Software vs Hardware. Many SIP phones
> > have
> > > a default password that cannot be changed. One vendor in particular has
> > one
> > > 3-digit numeric root password for all its phones that cannot be
> > overridden.
> > > Many commodity phones have Linux firmware with open holes in
> > telnet/ftp/tftp
> > > and onwards, the better ones have passwords that are difficult to crack.
> > > Almost all have a default root password that is stored in firmware and
> > > almost all do their provisioning over clear text http. Given the choice
> > > between using one of these phones and Skype for a sensitive conversation
> > > outside a NAT I must choose Skype because it is more
> > trustworthy. Hardware
> > > is insecure because the underlying platform is almost certainly poorly
> > > implemented. It is closed hardware that cannot be trusted, not closed
> > > software.
> >
> > The issues you raise (open holes in telnet/ftp etc) are actually all
> > software issues, not hardware, so I can't really see the difference
> > between security holes in embedded software and security holes in
> > software that runs on general purpose PCs.
>
>
> Given that you must then agree that proprietary Skype with a valid security
> model, even one you don't know about, must always trump a
> proprietary embedded system with no security model that you don't know
> about.
>
> > I won't get into the security aspects of POTS. That would be
> > silly.
>
> "Not so much silly as well known."
>
> I have to strongly disagree with that. Well known by telecoms experts
> perhaps, but those are few. Well known by the public? No.
>
> "As long as the relay (voluntary or not) is a closed system the privacy
> problems still remain."
>
> That's a religious argument. You can trust a closed system if you trust the
> vendor. The Bell network was and remained a closed system for most of its
> history, only becoming documented using standards it created on its own
> schedule, at its convenience, almost a century after its creation. The
> same was true for most national carriers, which were considered strategic
> assets by their governments. By definition they were closed, they were
> considered state secrets. In some cases they were run by private interests,
> in most cases they were and are run by the post office, operating ultimately
> under direct state control as a strategic asset with a direct link to the
> security state. I suggest some reading on how national telephone networks
> were established.
>
> "I know from personal experience that Skype is far from being as reliable as
> the PSTN, and it's got nothing to do with the reliability of the boxes that
> Skype is running on."
>
> That is not true at all. The reliability problem in Skype is entirely based
> on the quality and number of supernode peers in the overlay. For details on
> this *Henning Schulzrinne* <http://www.cs.columbia.edu/~hgs/> is an expert
> and I will defer to him, but both the problem space and solution space are
> well known, they just need working implementations. In the case of Skype it
> can be accomplished with policy extensions on existing supernodes.
>
> "I expect users within the continental US don't see the problems that we get
> here out here in the back-blocks, but try calling between (say) Australia
> and Turkey via Skype. You can do it anyway you like - Skype to Skype-Out,
> Skype to Skype, and in either direction. You'll get a connection no more
> often than one in two call attempts, and when you do get a connection, the
> latency will be about 3-4 seconds. And that's with an ADSL broadband
> connection at both ends. Of course, calling to and from the US works just
> fine on both those endpoints. But PSTN, or even cellphone, will get a
> connection over the same route nearly every time."
>
> All of this notwithstanding, the fact still remains that Skype is a highly
> useful service, and has managed to achieve many objectives that previous
> attempts to monetise the VoIP space have failed to do. And I have no doubt
> that the people behind Skype are nice and enthusiastic people with all of
> the best intentions and motives."
>
> I suspect much of that has to do with a horrible backbone with carriers
> playing dirty tricks on communications they don't like. The same would be
> true for SIP or H.323.
>
> "But none of these are reason to gloss over the hard technical facts that it
> is still a closed system, and as such, cannot be assumed to be any more
> secure than any other closed system."
>
> Agreed. But I can also assert that I can trust closed systems more than
> open systems if I trust the closed system vendor more than I trust open
> source implementors. A closed system vendor usually has a bank account, a
> closed system vendor can sign a legally binding contract, and a closed
> system vendor can be sued not just by other vendors but by users at large in
> a class action. My bank uses a closed system for its transactions, and I
> trust my bank to either be secure or compensate me for failure.
>
> I also trust that the market and that reputation is a powerful motivator for
> both quality and security. Vendors will not destroy themselves if they can
> avoid it. Those that do fail.
>
> "No amount of straw-man comparisons with other failed closed source and open
> source systems will change that fact."
>
> Failed? Sorry. Skype has already won. The consumer has decided. The rest is
> cleanup.
>
> "Experience shows that security comes from interoperability with devices
> written by third parties to a documented standard, and from the ability to
> withstand attacks (either on paper or in real-life) by parties that are
> knowledgeable about the internal design of the system. This applies to both
> the design and the implementation of the components."
>
> This experience is fine in theory but in reality almost all secure
> communications implementations in wide use are proprietary.
>
> "Neither of these conditions apply (yet) to Skype."
>
> They don't exist for 99.999% of a multi-trillion dollar global economy,
> either. Much of it still runs over SNA.
-----------------------------------------------------------------------
Craig Southeren Post Increment VoIP Consulting and Software
craigs at postincrement.com.au www.postincrement.com.au
Phone: +61 243654666 ICQ: #86852844
Fax: +61 243656905 MSN: craig_southeren at hotmail.com
Mobile: +61 417231046
"It takes a man to suffer ignorance and smile.
Be yourself, no matter what they say." Sting
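The quoted exchange about embedded SIP phones (short numeric root passwords, telnet/ftp/tftp left open, provisioning fetched over cleartext http) is the one concrete technical claim in the thread, and it is the kind of thing a phone administrator can audit before deployment. The following is an added example, not code from either poster or from any phone vendor: it reviews a hypothetical key = value provisioning profile and reports the weaknesses the thread names. The profile format, the key names (provisioning_url, admin_password, telnet_enabled and so on), the sample values and the length thresholds are all assumptions made for this example; real phones use vendor-specific configuration formats.

```python
"""Review a SIP desk-phone provisioning profile for the weaknesses discussed
in the thread: cleartext (http/tftp/ftp) provisioning, management daemons
such as telnet/ftp/tftp left enabled, and a short all-numeric admin password.
The key = value profile format, the key names and the sample values below are
constructed for this example and do not correspond to any vendor's format."""

from urllib.parse import urlparse

# Constructed sample profile exhibiting the problems described in the thread.
SAMPLE_PROFILE = """
# hypothetical phone provisioning profile (not a real vendor format)
provisioning_url = http://prov.example.invalid/cfg/phone.cfg
admin_password = 123
telnet_enabled = 1
ftp_enabled = 0
tftp_enabled = yes
"""

TRUTHY = {"1", "yes", "true", "on", "enabled"}
CLEARTEXT_SCHEMES = {"http", "tftp", "ftp"}
MIN_PASSWORD_LEN = 8  # threshold chosen for this example, not a standard value


def parse_profile(text):
    """Parse 'key = value' lines into a dict, ignoring blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().lower()] = value.strip()
    return settings


def audit_profile(settings):
    """Return a list of (severity, finding) tuples for insecure settings."""
    findings = []

    # Provisioning over a cleartext transport exposes the whole config,
    # including SIP credentials, to anyone on the path.
    url = settings.get("provisioning_url", "")
    scheme = urlparse(url).scheme.lower()
    if scheme in CLEARTEXT_SCHEMES:
        findings.append(("high", f"provisioning over cleartext {scheme}: {url}"))
    elif not scheme:
        findings.append(("medium", "no provisioning URL configured"))

    # Legacy management daemons that should not be reachable on a phone.
    for daemon in ("telnet", "ftp", "tftp"):
        if settings.get(f"{daemon}_enabled", "0").lower() in TRUTHY:
            findings.append(("high", f"{daemon} service enabled on the phone"))

    # A short numeric PIN (the thread mentions a 3-digit root password)
    # is trivially guessable; flag it separately from merely short passwords.
    pw = settings.get("admin_password", "")
    if not pw:
        findings.append(("high", "admin password is empty"))
    elif pw.isdigit() and len(pw) <= 4:
        findings.append(("high", f"admin password is a {len(pw)}-digit numeric PIN"))
    elif len(pw) < MIN_PASSWORD_LEN:
        findings.append(("medium", f"admin password shorter than {MIN_PASSWORD_LEN} characters"))

    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a profile given as text."""
    return audit_profile(parse_profile(text))


if __name__ == "__main__":
    for severity, finding in audit_text(SAMPLE_PROFILE):
        print(f"[{severity.upper()}] {finding}")
```

Run against the constructed profile it reports four high-severity findings (cleartext http provisioning, telnet and tftp enabled, a 3-digit admin PIN); a profile using https and a long non-numeric password with the daemons left at their default of disabled produces none. It only inspects what the profile says, so a password baked into firmware that cannot be changed, which is the thread's harder case, is outside what any config review can catch.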