[VOIPSEC] Soft phone as trojan horse
Randell Jesup
rjesup at wgate.com
Wed Sep 6 08:55:34 CDT 2006
Lee Dilkie <lee_dilkie at mitel.com> writes:
>mailinglist wrote:
>> The point is: If you are using an unknown protocol, there is no one (who you
>> can trust) who can cross check if that tool is doing something bad.
>>
>> For example. Skype protocol is still a secret. How can you tell they are not
>> abusing their user database? Ok they are big company now, but they started
>> very small and hungry and maybe there are still backdoors open.
>>
>> If you publish a SIP soft phone that is doing dirty things, it is much more
>> likely that someone sits down and checks what this phone is actually
>> transporting out of your computer. Because he can do that.
>>
>There's nothing preventing a SIP soft phone (or hard phone for that
>matter) from doing some very un-SIP like things. Having an open protocol
>means very little to your overall security if, as your premise seems to
>be, you cannot trust your vendor. Since this has little to do with soft
>phones, SIP or otherwise, but is just a general "I can't trust any
>software" position, I suggest you remove the source of your problem
>(your computer).

I see and mostly agree with your point, however the original poster has a
point too.

How do you decide to trust a vendor or a piece of software (or hardware you
put on your local net)?

One way is to audit it at the source level (requires open source of some
form). Another way is to simply decide "they wouldn't do that" for
whatever reason - that's more belief, though, not verification. Another is
to run it in a sandbox with limited permissions (the Java model), or with a
SW firewall that allows/disallows access to things like the net on a
per-executable basis. A real firewall can block many outgoing connections
(requires things like http proxies, etc). And one more is to perform an
audit of the program's actions, such as with ethereal, or trust someone
else's audit of the program (the anti-Spyware program method). Plus with
"open" protocols you can log them and block any outside connections not
using the known protocol. And you can combine these approaches.

Do open protocols solve this problem? No. But they provide another tool
in figuring out how much to trust an application - and in verifying that
trust, or for a 3rd-party (like an anti-spyware/anti-virus maker) to verify
it. It's hard to even start to verify an application like Skype, for
example.
--
Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga OS team
rjesup at wgate.com
"The fetters imposed on liberty at home have ever been forged out of the weapons
provided for defence against real, pretended, or imaginary dangers from abroad."
- James Madison, 4th US president (1751-1836)
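
Added example, not part of the original post and not code from any product named in it: a Python sketch of the "log open protocols and flag outside connections not using the known protocol" audit described above, applied to a SIP soft phone. The packet tuples, ports and SIP URI are constructed sample data, and turning a real capture into such tuples is assumed to happen elsewhere.

```python
import re

SIP_START = re.compile(
    rb"^(?:SIP/2\.0 [1-6]\d\d [^\r\n]*"
    rb"|(?:INVITE|ACK|BYE|CANCEL|OPTIONS|REGISTER|SUBSCRIBE|NOTIFY|INFO"
    rb"|PRACK|UPDATE|REFER|MESSAGE|PUBLISH) \S+ SIP/2\.0)\r\n")
SDP_MEDIA = re.compile(rb"^m=(?:audio|video) (\d+) ", re.M)

def classify(payload):
    """Label one UDP payload by shape only: sip, rtcp, rtp or unknown."""
    if SIP_START.match(payload):
        return "sip"
    if len(payload) >= 8 and payload[0] >> 6 == 2:   # RTP/RTCP version 2
        if 200 <= payload[1] <= 204:                 # RTCP SR, RR, SDES, BYE, APP
            return "rtcp"
        if len(payload) >= 12:                       # fixed RTP header is 12 bytes
            return "rtp"
    return "unknown"

def audit(packets):
    """Return (src_port, dst_port, kind) for packets outside the SIP session."""
    media_ports, flagged = set(), []
    for src, dst, payload in packets:                # tuples in capture order
        kind = classify(payload)
        if kind == "sip":
            for port in SDP_MEDIA.findall(payload):  # ports announced in SDP
                media_ports.update((int(port), int(port) + 1))  # RTP, RTCP
            continue
        # Media-shaped packets pass only on a port negotiated in SDP.
        if kind in ("rtp", "rtcp") and {src, dst} & media_ports:
            continue
        flagged.append((src, dst, kind))
    return flagged

# Constructed sample capture (not from the original post).
RTP = bytes([0x80, 0x00]) + bytes(10) + b"\xff" * 160
SAMPLE = [
    (5060, 5060, b"INVITE sip:bob@example.com SIP/2.0\r\nContent-Type: "
                 b"application/sdp\r\n\r\nv=0\r\nm=audio 49170 RTP/AVP 0\r\n"),
    (5060, 5060, b"SIP/2.0 200 OK\r\n\r\nv=0\r\nm=audio 30000 RTP/AVP 0\r\n"),
    (49170, 30000, RTP),                    # negotiated media: accepted
    (49172, 40000, RTP),                    # RTP-shaped, port never negotiated
    (51000, 8080, b"\x01\x02opaque-blob"),  # neither SIP nor media
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("flag:", row)
```

The check looks at message shape and negotiated ports only, so it narrows what needs manual inspection rather than proving the phone is well behaved.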