[VOIPSEC] Re: Securing Softphones..........???
sourabh
sourabh_email at yahoo.com
Mon Apr 18 18:27:10 CDT 2005
Randall Shimizu <rshimizu <at> consultant.com> writes:
>
> I was wondering if anyone has any recommendation for securing
softphones....??? I know that NIST has
> recomenned against using them.
An intriguing question indeed! I have been wondering about this for quite
sometime myself and have not found any good reference on this front. Even
besides NIST recommendation, Softphones are going to be prevalent simply looking
at how well accepted IM clients are. Also Softphones are cheaper alternatives
for many before trying out the VoIP phone which might not be able to offer all
the features that PC version might be able to offer. Have you not tried FWD?
Now for security ... I think that SoftPhones, if accepted widely, will follow
the footprints of browsers from attack target point of view. If your softphone
will always remain ON (which makes sense if you intend to receive calls!) will
be a very lucrative attack target. Softphones allows for exchange of content of
all forms via SIP/SDP which could be good or bad. Just imagine, putting up a
malformed JPEG as my photograph that could exploit the JPEG vulnerability and
cause a buffer overflow! Not only this but on PC one could get very creative ...
for example request a CODEC that is known to be vulnerable, and since its a
SoftPhone and is smart... it could popup to the user that xyz CODEC is being
requested but is not supported, would you like to download the CODEC, very much
like Media Player, to which most users are going to say YES. And then it’s going
to be exploited. Also exchanging files, docs, and binaries is also going to be
very common with use of Softphones during a call (same like IM), which means
that content needs to be scanned before use. That's the whole point of a
SoftPhone, right? And what about a SoftPhone worm, that exploits your address
book to call and email everybody, thus using multiple channels of migration.
So the point being that SoftPhones are and could be very extensible with
plethora of services and functions unlike VoIP phones which will require a
firmware update or a patch update kind of model. Thus increasing the chances of
a successful exploit. More the capabilities, more the chances of a weakness
getting exploited.
- Sourabh
More information about the Voipsec
mailing list