[VOIPSEC] Softphone Security
art at codenomicon.com
Sat Oct 15 17:46:43 BST 2005
I would add:
5. Malware that affects the VoIP software will affect all other
applications on the PC and data services available to that PC (a
separated VoIP phone would not require access to file services,
databases, intraweb, ...)
6. Any special permissions that the VoIP application has over firewall
rules will apply to all applications on that desktop
(e.g. peer-to-peer software will use SIP for bypassing the security
policy, which interestingly relates to the earlier discussion on
analyzing the real data content inside the RTP streams)
7. Reliability problems (robustness, load, stress) in data services
will not disturb voice, and vice versa.
I hope this was relevant to you.
Codenomicon Ltd. - Robustness and Security Testing Tools
On Fri, Oct 14, 2005 at 04:26:27PM -0400, Porter, Thomas (Tom) wrote:
> If anyone has thoughts or experiences w/ softphone security, I'd be interested in hearing them...
> From my POV, the threats that are particular to softphone use include:
> 1. Many softphones contain advertising software that "phones home" with private user information.
> 2. Softphones require that PC-based firewalls open a number of high UDP ports as part of the media stream transaction
> 3. Malware that affects any other application software on the PC can also interfere with voice communications
> 4. Because a softphone resides on a PC, the principle of logically separating voice and data networks is defeated as the PC must reside in both domains.
> Point 1 is easy to deal with. Points 2 & 3 are slightly more troubling, but if the PC is secure enough for email & IM, a softphone should not add too much more risk. Point 4 is troubling.
> Thanks, Tom
> Thomas Porter, PHD
> Lead Security Architect
> Avaya Services Research & Development
> tporter at avaya.com
> [O] 919.967.2909
> [Cell - USA] 919.593.3130
> [Cell - Germany] +49.0163.505.9150
> [SIP] 919.951.0052
> [IM] AvayaTPorter
Ari Takanen Codenomicon Ltd.
ari.takanen at codenomicon.com Kaitovayla 1
tel: +358-40 50 67678 FIN-90570 Oulu