Author Archives: Martyn Davies

About Martyn Davies

Martyn is Principal Consultant for Weird Crater, a telecom and software consultancy.

Blue Boxes of the Future

Being in Malaysia myself this week, I stumbled across this article by the Grugq in the Malaysia Star.  It’s quite a nice roundup of the coming threats in the VoIP world.  The mention of phone phreakers brought back a thought I had a few weeks ago.  Before digital networks, phone phreakers were able to play tones down the phone handset (using a Blue Box), emulating the tones used by the telco themselves, and this allowed them to get free calls and mess around with the network.

With digital networks, all the signalling started to be done with SS7, carried on a parallel network dedicated to signalling traffic.  SS7 doesn’t extend to the phone handset, so suddenly phreakers were out of business.  This has been great for telcos, since the SS7 net was isolated and pretty safe from evildoers.

In some ways with VoIP, we’ve now gone back the other way.  Now all the VoIP signalling protocols, as well as the voice, go to the handset.  This allows phreakers to send any kind of message (SIP, H.323 etc) they like into the net, to see what the result is.  This is a much worse proposition for the telcos, since they now need to make sure their edge switches are stable, secure, and as far as possible invulnerable to poorly formed messages, or floods of messages.  Today, it’s not a huge problem, but with Next Generation Networks (like IP Multimedia Subsystem or IMS) an awful lot of work is going to be needed to make the networks safe from attackers.
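To make the point concrete, here is an added example (not from the original post, and not any vendor's edge-switch code) of the two defensive checks described above: a strict SIP request parser that refuses malformed messages instead of processing them, and a per-source sliding-window rate limiter for floods.  The sample INVITE and its malformed variants are constructed; the header set and size cap are assumptions for illustration.

```python
import re
from collections import defaultdict, deque

# Constructed sample traffic (not from the original post): one well-formed SIP
# INVITE and a malformed variant an edge switch must reject rather than crash on.
VALID = ("INVITE sip:bob@example.net SIP/2.0\r\n"
         "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776\r\n"
         "From: <sip:alice@example.org>;tag=1928\r\n"
         "To: <sip:bob@example.net>\r\n"
         "Call-ID: a84b4c76e66710\r\n"
         "CSeq: 314159 INVITE\r\n"
         "Max-Forwards: 70\r\n\r\n")
BAD_METHOD = VALID.replace("INVITE sip", "INV\x00TE sip", 1)  # control byte in the method token

REQUEST_LINE = re.compile(r"([A-Z]{3,16}) (\S{1,512}) SIP/2\.0")
REQUIRED = ("Via", "From", "To", "Call-ID", "CSeq", "Max-Forwards")
MAX_MSG = 4096  # assumed hard size cap, applied before any parsing work is done

def parse_request(raw):
    """Strict parse of a SIP request: (method, uri, headers), or None when malformed."""
    if len(raw) > MAX_MSG or "\r\n\r\n" not in raw:
        return None
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    m = REQUEST_LINE.fullmatch(lines[0])
    if m is None:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip() or not line.isprintable():
            return None
        headers.setdefault(name.strip(), value.strip())  # first occurrence wins
    if any(h not in headers for h in REQUIRED):
        return None
    cseq = headers["CSeq"].split()
    if len(cseq) != 2 or not cseq[0].isdigit() or not headers["Max-Forwards"].isdigit():
        return None
    return m.group(1), m.group(2), headers

class RateLimiter:
    """Per-source sliding window: refuse a source that sends more than `limit`
    requests within `window` seconds.  `now` is a caller-supplied monotonic timestamp."""
    def __init__(self, limit=20, window=1.0):
        self.limit, self.window, self.seen = limit, window, defaultdict(deque)
    def allow(self, src, now):
        q = self.seen[src]
        while q and now - q[0] > self.window:
            q.popleft()  # forget requests that have fallen out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True
```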

The Grugq is speaking at the HITB Security Conference in Malaysia, as is security guru Bruce Schneier.

Remote Control

Insecurity of wireless has been much in the news.  Reading reports from the recent Black Hat conference and Defcon, there was a demonstration of how to compromise wireless devices by crashing the drivers, and also news about how easy it is to compromise RFID devices, for example cloning new, hi-tech passports that use the technology.  Flipping open the pages of the August PC World USA, (yes, paper magazines do still exist!), I see a report about the “10 Biggest Security Risks You Don’t Know About”, and this includes a report about how Bluetooth devices can be infected by malicious Bluetooth apps that are passing by, perhaps a metre away. They also talk about viruses that travel via SMS messages.

It’s a gloomy picture.  Whatever platform we choose to carry around with us for our calendar/agenda or communications needs, it seems that they can be compromised in some way, even without anyone touching the thing.  As we have noted in this blog before on a few occasions, a key way to compromise VoIP is to compromise the platform that you use to host it.  But I guess it all comes back to the same point: we love Bluetooth because it’s so damn convenient, but convenience is the enemy of security.  When we get lazy, other people out there get busy, trying to find ways to mess things up for us.

Which brings me very much to today’s situation with the current terror plot (that Tom Keating talks about here): I’m travelling back to the UK today, and thankfully the restrictions this end aren’t too bad tonight: I can’t carry a bottle of water onboard, but at least I can get home with all my precious tech gadgets intact.  Back in London, people are checking in their laptops, PDAs, Skype headsets and smartphones as hold baggage, and who knows how that stuff will look when the bags are unzipped tomorrow after the airline baggage handlers have had a go at them.  Life is about to get much harder for travellers, as we confront the reality that eternal vigilance is the price of safety.


The Past Is Another Country

Clearing out some old papers, I came across an old copy of Byte magazine from 1990, celebrating 15 years of Byte, looking back to the birth of the microcomputer revolution, and on into the future. 

At the time, Windows 3.0 was starting to erode DOS as the OS of choice for PCs, and IBM’s OS/2 was making its attempt for the title too.  It was also the time of word processor wars, spreadsheet wars and development tool wars, all categories where Microsoft was the eventual winner.

TCP/IP had yet to make its mark.  Hard to remember now, but Novell were the kings of the enterprise LAN, with their proprietary IPX protocol.  Banyan Vines and IBM’s NetBIOS were alternatives, but whichever way you looked, you found companies reluctant to bring in the IP alternative.  One of the news stories in this Byte was the release of an add-on TCP/IP for OS/2.  I remember myself the struggles adding the optional TCP/IP stack to Windows 3.0 instead of the default IPX and NetBIOS.  Although email was well established within enterprises, the idea of routinely exchanging emails with just anyone was alien.  Some thought that X.400 was going to interconnect the world, before SMTP and POP jumped up to take centre stage.

In the Byte Summit, they gathered a panel of experts to guess at the future of computer systems.  Names like Bill Gates, Chuck Peddle, Tony Hoare, Grace Hopper, Danny Hillis and Philippe Kahn.  They came out with some great predictions, including flat panel displays and CD-ROMs on all machines.  They underestimated the pace of change, of course, imagining a minimum hard disk requirement of only 100 Mb. 

The significance of networks attracted less comment, but I guess the idea of a universal Internet was too big a step of the imagination at that point.  The Internet idea was too distant, so Voice over IP was inconceivable.  As the saying goes “The past is another country, they do things differently there”, and by the same token, the future is so different we cannot imagine how things will be done there.  Anyone care to make some predictions for the computers of 2020?

VoIP Phreaking in the Desert

On the Infoworld Zero Day Security page, Garza talks a little about the VoIP Phreaking session at the Black Hat conference, which is on right now in Las Vegas.  I’m looking forward to the promised podcast with The Grugq, who led that class.

On the Black Hat website is an archive of presentations from previous conferences, and the ones from the current conference should pop up there in the coming weeks.

Why Skype Should Open Up

Ted Shelton makes a very good case in VoIP Magazine as to why Skype should open up their protocol to other partners.  From what I see, Skype have had great success attracting development partners to using their API, and surely opening up the protocol is just a logical extension of that?  It’s just that while the API allows applications to do a lot of things, there are some areas that it cannot address.

I meet people that want to do just what Ted Shelton is talking about, and actually implement alternative Skype client software.  Some want to create Skype gateways, for example tromboning Skype calls to other VoIP or TDM calls under their control.  Some want to use Skype’s IM and presence information as part of a larger VoIP platform.  I use and like the Skype client software, but I can see that Skype’s power is not in the software; it is in the number of desktops they own.  Skype’s would-be partners want to touch that user base too. 

Shanghai Calling … Not

Antonio Nucci, CTO of software firm Narus writes here about the Challenges In Detection of Skype Traffic.  Of course don’t expect them to give away too much detail on trade secrets, but the general approach described is not to decode or reverse-engineer the protocol, but rather to profile traffic using a heuristic approach. 

Firstly, he talks about signature analysis of the TCP and UDP packets, and then about analyzing/profiling the behaviour, for example traffic patterns.  How this can be done in a way that is CPU-efficient and with a low rate of false positives, he does not say.

Narus is one of the companies that has been linked with the Shanghai Telecom story, regarding the blocking of VoIP traffic.  It is not clear whether Shanghai have in fact bought Narus’ Skype-blocking module.

Do You Expect Me To Talk, Goldfinger?

Skype and Sandisk recently made a joint announcement about shipping USB flash drives preloaded with Skype.  The idea behind it is that you can carry the stick in your pocket, and then wherever you go, plug it into an available PC, and be able to make calls with Skype, with all your contacts at your fingertips.  Great idea, very convenient, but of course a security nightmare.

First of all, corporate security people don’t like these flash disks anyway, bringing as they do risks of walking in unwanted stuff, like Trojans, and allowing people to carry out large amounts of data copied from internal servers.

Secondly, some of these devices are bootable and therefore vulnerable to carrying viruses.  A friend of mine has a USB key smaller than the top part of a thumb, which he carries around on a key ring.  When he plugs it in, it boots the PC into Linux and allows him to remote control his machines back at work from wherever he happens to be.  Now security managers can also worry about strangers coming in, poking in their Sandisk sticks and Skyping out from the corporate net, regardless of what the policy on Skype might be.

But losing data on flash drives must be a major security concern, since the devices are so small and light, and easy to lose.  Periodically, in the UK, we hear stories about government employees or even people in the security services, who lose their laptop, or have it stolen while they are out of the office.  In the old days, taking data out of the office just wasn’t allowed.  For example there’s the story about Malcolm Williamson, who worked for GCHQ (one of the intelligence departments in the UK), in the 1970s.  Then the rule was that no materials could be taken out of GCHQ, and nothing about work should be written down while people were outside of work.  Incredibly, Williamson thought up an algorithm for secure key exchange over dinner without making any notes.  This algorithm is now known as Diffie-Hellman.

These days, James Bond and all his chums can take their laptops home.  God forbid that they should be given flash drives as well.  These would be sure to fall out of your pockets while you parachuted, scuba-dived and karate-kicked your way through the day job.  It would be bad news to find out that you’ve dropped your Sandisk key, containing the Skype details of all your fellow field officers.

Beyond the Bitpipe

I recently installed BT Communicator, which is British Telecom’s answer to Skype.  Like Skype it allows free calls (PC to PC) and offers the capability to break out onto the PSTN to call anyone anywhere, for a fee.  Being naturally curious, I fired up Wireshark and captured some of the activity on the line, and I was delighted to discover that it’s using our old friends SIP and RTP to signal and carry the calls.  In contrast, if you capture Skype traffic, you can’t figure out what’s happening unless you put an awful lot of research into it.

Are BT offering unique value with their service?  I think so: firstly the billing backs into the same BT billing system, and ends up on my phone bill, whereas Skype operate a pay-as-you-go system that needs charging via card etc.  One less thing to worry about with BT.  Secondly, unlike Skype, BT are embracing open standards, but still with an eye on security (the service uses Proxy Authentication to secure the calls, but no crypto yet).  Skype consider their softphone to be an important part of their service offering, and won’t open up the protocol to other clients.  As I see it, most of the Skype value is in the sheer number of customers that use the service, and I imagine eBay also saw it this way, but this is a topic for another day.  BT, on the other hand, are looking further out to the open standards world, where it will be an advantage to be SIP-compatible.  Perhaps this is already architected to slot right into their IMS backbone, 21CN.  One final advantage is that there are actually people out there that don’t use the Internet much, and don’t know about Skype.  So BT are actually using their marketing money to tell these people that they can call their friends for free using Communicator.  Of course they are cannibalizing their own call revenue, but perhaps they see the bigger picture, that like Skype, this can be used to pull through all kinds of other revenue generating services.
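For readers wondering what “Proxy Authentication” buys and what “no crypto yet” leaves open, here is an added example (not from the original post and not BT’s or Skype’s code) of the SIP digest exchange: the proxy’s 407 challenge, the client’s Proxy-Authorization response, and the proxy’s verification.  The realm, user and password are constructed; the digest itself proves the caller knows the password but leaves the INVITE and the RTP media readable on the wire, which is why it is authentication rather than encryption.

```python
import hashlib
import secrets

# Constructed realm and credential store (not from the original post or any real service).
REALM = "example.net"
USERS = {"alice": "correct horse battery staple"}  # what the proxy holds for each user

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def proxy_challenge():
    """What a 407 Proxy Authentication Required carries: the realm and a fresh nonce."""
    return {"realm": REALM, "nonce": secrets.token_hex(16), "algorithm": "MD5"}

def client_response(username, password, method, uri, challenge):
    """Client side of RFC 2617 digest (no qop), as sent in SIP's Proxy-Authorization header:
    response = MD5(MD5(user:realm:password) : nonce : MD5(method:uri))."""
    ha1 = md5_hex(f"{username}:{challenge['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # binds the digest to this request method and URI
    return {"username": username, "realm": challenge["realm"], "nonce": challenge["nonce"],
            "uri": uri, "response": md5_hex(f"{ha1}:{challenge['nonce']}:{ha2}")}

def proxy_verify(method, auth, challenge):
    """Proxy side: recompute the digest from the stored secret and compare in constant time.
    A response computed for another nonce (replay) or another method is rejected."""
    if auth.get("nonce") != challenge["nonce"] or auth.get("realm") != challenge["realm"]:
        return False
    password = USERS.get(auth.get("username"))
    if password is None:
        return False
    expected = client_response(auth["username"], password, method, auth["uri"], challenge)
    return secrets.compare_digest(expected["response"], auth.get("response", ""))
```

Only the realm, nonce, URI and 32-hex-character response travel in the header, never the password; everything else in the call, including the media, is still in the clear unless TLS and SRTP are added.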

I like this approach to business better than that of companies like Shanghai Telecom and China Telecom, who reportedly have bought software technology to detect and block Skype traffic.  Presumably, they will also be blocking SIP, since this is technically much less difficult.  The thinking behind this is that if people aren’t calling with Skype, then they have to pick up the legacy phone.  This kind of thinking, “I don’t make any money out of this; can I block it?” is just the kind of blinkered approach that leads to telco lobbying in the net neutrality debate in the US.  Companies like AT&T would like to get paid twice, once by the Skypes and Googles, and then again by their telco customers.  Of course we’d all like to get paid twice, but most of us don’t have the political clout to make it happen. 

BT have not always been the most dynamic company, but I imagine that if they can learn something about business from Skype, then all large telcos stand a chance.  So come on guys, stop wringing your hands and worrying about becoming the bitpipe, and get out there and innovate.