[VOIPSEC] Soft phone as trojan horse
Matthew Kaufman
matthew at matthew.at
Wed Sep 6 12:31:03 CDT 2006
Randell Jesup:
> Do open protocols solve this problem? No. But it provides
> another tool in figuring out how much to trust an application
> - and in verifying that trust, or for a 3rd-party (like an
> anti-spyware/anti-virus maker) to verify it. It's hard to
> even start to verify an application like Skype, for example.
Agreed. One of the biggest complexities is that with a SIP softphone, if
you're on a call, there's data streaming to/from the softphone. If you're
not, there isn't. That's pretty easy to test.

But with an application like Skype, there's data streaming to/from the
softphone at random times that aren't related to your calls, whenever your
node is being used as a relay for another party. It is pretty hard to tell
whether that data does or does not include your local microphone audio.

Solutions to that problem include open protocols that one can audit and open
source code that one can audit, or even compile for yourself after
inspection.

It must not be that important a problem market-wise though, given the number
of people who're happily running Skype.
Matthew Kaufman
matthew at matthew.at
http://www.amicima.com
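
The on-call/off-call test for a SIP softphone described in the message above, sketched as an added example that is not part of the original post: it pairs SIP INVITE/BYE events into call windows and flags media-sized outbound traffic that falls outside every window. The record types, the sample data, the 2-second grace period and the 2000 bytes/s threshold are all assumptions made for this illustration.

```python
from collections import namedtuple

# Hypothetical record types: per-second outbound UDP byte counts for the
# softphone process, and SIP signalling events seen on the wire.
Flow = namedtuple("Flow", "ts bytes_out")
SipEvent = namedtuple("SipEvent", "ts method call_id")

def call_windows(events):
    """Pair each INVITE with the BYE of the same Call-ID -> [(start, end)]."""
    open_calls, windows = {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.method == "INVITE":
            open_calls.setdefault(ev.call_id, ev.ts)  # re-INVITE keeps first start
        elif ev.method == "BYE" and ev.call_id in open_calls:
            windows.append((open_calls.pop(ev.call_id), ev.ts))
    # A call with no BYE yet is still in progress, so its window stays open.
    windows += [(start, float("inf")) for start in open_calls.values()]
    return sorted(windows)

def unexplained_media(flows, windows, grace=2.0, min_bytes=2000):
    """Return flows with media-sized traffic outside every call window.

    min_bytes (assumed) separates voice streams from small signalling
    or keepalive packets; grace (assumed) absorbs setup/teardown skew.
    """
    def in_call(ts):
        return any(s - grace <= ts <= e + grace for s, e in windows)
    return [f for f in flows if f.bytes_out >= min_bytes and not in_call(f.ts)]

# Constructed sample data: two calls (100-160 s and 300-330 s).
EVENTS = [
    SipEvent(100, "INVITE", "a1"), SipEvent(160, "BYE", "a1"),
    SipEvent(300, "INVITE", "b2"), SipEvent(330, "BYE", "b2"),
]
FLOWS = [
    Flow(90, 400),     # keepalive-sized, ignored
    Flow(120, 10000),  # media during call a1
    Flow(161, 10000),  # tail of call a1, inside grace period
    Flow(200, 10000),  # media-sized, no call in progress
    Flow(250, 300),    # keepalive-sized, ignored
    Flow(310, 10000),  # media during call b2
    Flow(400, 9500),   # media-sized, no call in progress
]

if __name__ == "__main__":
    for f in unexplained_media(FLOWS, call_windows(EVENTS)):
        print(f"t={f.ts}s: {f.bytes_out} bytes outbound with no call in progress")
```

For a client that also relays other parties' traffic, every relay interval would be flagged by this check, which is the ambiguity the message describes.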