[VOIPSEC] Softphone Security (Porter, Thomas (Tom))
Jan Seedorf
seedorf at informatik.uni-hamburg.de
Mon Oct 17 06:06:32 CDT 2005
We tested X-Lite early this year and it turned out that X-Lite stores user credentials in
the Windows registry. Not only do these credentials remain in the registry after proper
uninstall of the program; the registry entry can also easily be copied and then used on
another PC to successfully impersonate another user. We tested this with German SIP
providers and it worked.
I see mainly the following risk: worms can harvest SIP credentials instead of (or in
addition to) mail addresses and passwords they already harvest. These credentials could
then be used by criminals for toll fraud, spamming, anything, ...
Btw, we sent Xten, the maker of X-Lite, a note on this. I do not know if they have fixed it
by now, they do not support X-Lite officially anymore. However, it is still used by
German SIP providers as a free softphone they offer for download on their websites.
Jan Seedorf
University of Hamburg, Germany
-----------------------------
Jan Seedorf
Arbeitsbereich SVS (Security in Distributed Systems)
University of Hamburg, faculty of informatics
Vogt-Koelln-Str. 30, 22527 Hamburg, Germany
Tel.: 0049-40-42883-2325, Fax.:-2086
seedorf at informatik.uni-hamburg.de
"Turn off the TV and pick up a book"