[VOIPSEC] Re: Securing Softphones..........???
Paine, Richard H
richard.h.paine at boeing.com
Tue Apr 19 08:55:25 CDT 2005
I have a recommendation for securing softphones. It is an
implementation of the Secure Mobile Architecture (SMA) that I have
mentioned on this mailing list before. One of its components is the
Host Identity Protocol (HIP). The VOIP call is secure over both the
wireless and the wired using the SMA.
Do we have a place where we can post papers for the VOIPSA? I would
post the URLs for all the references to SMA and to HIP, but I don't know
if such a site exists.
Richard H. Paine
Success is getting what you want, happiness is liking what you get!
Cell: 206-854-8199
IPPhone: 425-373-8964
Email: richard.h.paine at boeing.com
-----Original Message-----
From: sourabh [mailto:sourabh_email at yahoo.com]
Sent: Monday, April 18, 2005 4:27 PM
To: Voipsec at voipsa.org
Subject: [VOIPSEC] Re: Securing Softphones..........???
Randall Shimizu <rshimizu <at> consultant.com> writes:
>
> I was wondering if anyone has any recommendation for securing
softphones....??? I know that NIST has
> recomenned against using them.
An intriguing question indeed! I have been wondering about this for
quite sometime myself and have not found any good reference on this
front. Even besides NIST recommendation, Softphones are going to be
prevalent simply looking at how well accepted IM clients are. Also
Softphones are cheaper alternatives for many before trying out the VoIP
phone which might not be able to offer all the features that PC version
might be able to offer. Have you not tried FWD?
Now for security ... I think that SoftPhones, if accepted widely, will
follow the footprints of browsers from attack target point of view. If
your softphone will always remain ON (which makes sense if you intend to
receive calls!) will be a very lucrative attack target. Softphones
allows for exchange of content of all forms via SIP/SDP which could be
good or bad. Just imagine, putting up a malformed JPEG as my photograph
that could exploit the JPEG vulnerability and cause a buffer overflow!
Not only this but on PC one could get very creative ...
for example request a CODEC that is known to be vulnerable, and since
its a SoftPhone and is smart... it could popup to the user that xyz
CODEC is being requested but is not supported, would you like to
download the CODEC, very much like Media Player, to which most users are
going to say YES. And then it's going to be exploited. Also exchanging
files, docs, and binaries is also going to be very common with use of
Softphones during a call (same like IM), which means that content needs
to be scanned before use. That's the whole point of a SoftPhone, right?
And what about a SoftPhone worm, that exploits your address book to call
and email everybody, thus using multiple channels of migration.
So the point being that SoftPhones are and could be very extensible with
plethora of services and functions unlike VoIP phones which will require
a firmware update or a patch update kind of model. Thus increasing the
chances of a successful exploit. More the capabilities, more the chances
of a weakness getting exploited.
- Sourabh
_______________________________________________
Voipsec mailing list
Voipsec at voipsa.org
http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
More information about the Voipsec
mailing list