Monthly Archives: July 2006

Traditional Telco vs. VoIP Arms Race Beginning?

New Scientist is reporting today that German company Infineon has recently filed for two patents (1,2) for technology that deliberately interferes with VoIP technology.

The application doesn’t expand on why it would be used. But it could conceivably come in handy for any company that operates both phone and internet services and would like to protect their phone business from the growing popularity of VoIP.

The first of the techniques monitors network traffic to identify voice packets, then injects additional “pseudo-packets” into the communications stream. These packets appear to be part of the media stream but in reality contain nothing useful. The device then creates an artificial bottleneck for packets that it earlier labeled as voice, essentially rate-limiting the mix of real voice packets and “pseudo-packets”, while allowing normal data packets to traverse the device unhindered. The real kicker with this method is that the “pseudo-packets” can then be filtered back out before the voice traffic exits the device, leaving little indication to external troubleshooters as to what is actually causing the media degradation.
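Because the pseudo-packets never leave the device, a troubleshooter has to look for the effect at the receiving endpoint rather than for the cause. The following is an added example, not code from the patent filings or the original post: it computes RFC 3550 loss and interarrival jitter from a captured RTP stream. The 8 kHz clock, the function names and the sample streams are assumptions constructed for illustration.

```python
import struct

CLOCK_HZ = 8000  # assumed 8 kHz RTP clock (G.711-style audio)

def parse_rtp(packet):
    """Return (seq, timestamp) from the 12-byte fixed RTP header (RFC 3550)."""
    if len(packet) < 12:
        raise ValueError("truncated RTP header")
    flags, _pt, seq, ts, _ssrc = struct.unpack("!BBHII", packet[:12])
    if flags >> 6 != 2:
        raise ValueError("not RTP version 2")
    return seq, ts

def receiver_stats(capture):
    """capture: [(arrival_seconds, rtp_bytes), ...] for one stream, in arrival order.
    Assumes no reordering across a sequence-number wrap."""
    if not capture:
        raise ValueError("empty capture")
    jitter = 0.0
    prev_transit = last_seq = base = highest = None
    cycles = received = 0
    for arrival, pkt in capture:
        seq, ts = parse_rtp(pkt)
        received += 1
        if last_seq is not None and last_seq - seq > 0x8000:
            cycles += 1 << 16              # 16-bit sequence number wrapped
        last_seq = seq
        ext = cycles + seq                 # extended sequence number
        base = ext if base is None else base
        highest = ext if highest is None else max(highest, ext)
        transit = arrival * CLOCK_HZ - ts  # in RTP timestamp units
        if prev_transit is not None:
            jitter += (abs(transit - prev_transit) - jitter) / 16  # RFC 3550 6.4.1
        prev_transit = transit
    expected = highest - base + 1
    return {"expected": expected, "received": received,
            "lost": expected - received,
            "jitter_ms": 1000 * jitter / CLOCK_HZ}

def constructed_stream(n, drop_every=0, delays_ms=(0,)):
    """Constructed sample: n packets sent every 20 ms, optionally dropped/delayed."""
    out = []
    for i in range(n):
        if drop_every and i % drop_every == drop_every - 1:
            continue
        hdr = struct.pack("!BBHII", 0x80, 0, (65520 + i) & 0xFFFF, 160 * i, 0x1234)
        out.append((i * 0.020 + delays_ms[i % len(delays_ms)] / 1000, hdr + bytes(160)))
    return out

if __name__ == "__main__":
    print("clean   ", receiver_stats(constructed_stream(51)))
    print("degraded", receiver_stats(constructed_stream(51, 5, (0, 15, 30))))
```

Running the same measurement on a bulk data flow over the same path gives a baseline: voice that degrades while data does not is consistent with selective treatment somewhere along the path.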

The second of the techniques covers methods of degrading speech sent via a WiFi hot spot.

Repeatedly, Skype has claimed that their protocol and service need to be stealthy because large service providers who provide both Internet services and traditional telephony services see the Skype service as a threat to their telephony business and regularly try to block the Skype traffic. Also recently, multiple other companies have developed and provided VoIP filtering technologies to Chinese service providers.

If these service providers begin to employ techniques like the ones described above against not just Skype traffic but all VoIP traffic, stealthy protocols like Skype’s may have an advantage over standards-based or community developed protocols, and may begin to foster an arms race between proprietary VoIP products and services and the traditional Telcos.

Why Skype Should Open Up

Ted Shelton makes a very good case in VoIP Magazine as to why Skype should open up their protocol to other partners. From what I see, Skype have had great success attracting development partners to using their API, and surely opening up the protocol is just a logical extension of that? It’s just that while the API allows applications to do a lot of things, there are some areas that it cannot address.

I meet people that want to do just what Ted Shelton is talking about, and actually implement alternative Skype client software.  Some want to create Skype gateways, for example tromboning Skype calls to other VoIP or TDM calls under their control.  Some want to use Skype’s IM and presence information as part of a larger VoIP platform.  I use and like the Skype client software, but I can see that Skype’s power is not in the software; it is in the number of desktops they own.  Skype’s would-be partners want to touch that user base too. 

Shanghai Calling … Not

Antonio Nucci, CTO of software firm Narus writes here about the Challenges In Detection of Skype Traffic.  Of course don’t expect them to give away too much detail on trade secrets, but the general approach described is not to decode or reverse-engineer the protocol, but rather to profile traffic using a heuristic approach. 

Firstly, he talks about signature analysis of the TCP, UDP packets, and then about analyzing/profiling the behaviour, for example traffic patterns.  How this can be done in a way that is CPU-efficient and with a low rate of false positives, he does not say.

Narus is one of the companies that has been linked with the Shanghai Telecom story, regarding the blocking of VoIP traffic.  It is not clear whether Shanghai have in fact bought Narus’ Skype-blocking module.

Do You Expect Me To Talk, Goldfinger?

Skype and Sandisk recently made a joint announcement about shipping USB flash drives preloaded with Skype.  The idea behind it is that you can carry the stick in your pocket, and then wherever you go, plug it into an available PC, and be able to make calls with Skype, with all your contacts at your fingertips.  Great idea, very convenient, but of course a security nightmare.

First of all, corporate security people don’t like these flash disks anyway, bringing as they do risks of walking in unwanted stuff, like Trojans, and allowing people to carry out large amounts of data copied from internal servers.

Secondly, some of these devices are bootable and therefore vulnerable to carrying viruses. A friend of mine has a USB key smaller than the top part of a thumb, which he carries around on a key ring. When he plugs it in, it boots the PC into Linux and allows him to remote control his machines back at work from wherever he happens to be. Now security managers can also worry about strangers coming in, poking in their Sandisk sticks and Skypeing out from the corporate net, regardless of what the policy on Skype might be.

But losing data on flash drives must be a major security concern, since the devices are so small and light, and easy to lose. Periodically, in the UK, we hear stories about government employees or even people in the security services, who lose their laptop, or have it stolen while they are out of the office. In the old days, taking data out of the office just wasn’t allowed. For example there’s the story about Malcolm Williamson, who worked for GCHQ (one of the intelligence departments in the UK), in the 1970s. Then the rule was that no materials could be taken out of GCHQ, and nothing about work should be written down while people were outside of work. Incredibly, Williamson thought up an algorithm for secure key exchange over dinner without making any notes. This algorithm is now known as Diffie-Hellman.

These days, James Bond and all his chums can take their laptops home.  God forbid that they should be given flash drives as well.  These would be sure to fall out of your pockets while you parachuted, scuba-dived and karate-kicked your way through the day job.  It would be bad news to find out that you’ve dropped your Sandisk key, containing the Skype details of all your fellow field officers.

Beyond the Bitpipe

I recently installed BT Communicator, which is British Telecom’s answer to Skype.  Like Skype it allows free calls (PC to PC) and offers the capability to break out onto the PSTN to call anyone anywhere, for a fee.  Being naturally curious, I fired up Wireshark and captured some of the activity on the line, and I was delighted to discover that it’s using our old friends SIP and RTP to signal and carry the calls.  In contrast, if you capture Skype traffic, you can’t figure out what’s happening unless you put an awful lot of research into it.

Are BT offering unique value with their service? I think so: firstly the billing backs into the same BT billing system, and ends up on my phone bill, whereas Skype operate a pay-as-you-go system that needs charging via card etc. One less thing to worry about with BT. Secondly, unlike Skype, BT are embracing open standards, but still with an eye on security (the service uses Proxy Authentication to secure the calls, but no crypto yet). Skype consider their softphone to be an important part of their service offering, and won’t open up the protocol to other clients. As I see it, most of the Skype value is in the sheer number of customers that use the service, and I imagine eBay also saw it this way, but this is a topic for another day. BT, on the other hand, are looking further out to the open standards world, where it will be an advantage to be SIP-compatible. Perhaps this is already architected to slot right into their IMS backbone, 21CN. One final advantage is that there are actually people out there that don’t use the Internet much, and don’t know about Skype. So BT are actually using their marketing money to tell these people that they can call their friends for free using Communicator. Of course they are cannibalizing their own call revenue, but perhaps they see the bigger picture, that like Skype, this can be used to pull through all kinds of other revenue generating services.

I like this approach to business better than that of companies like Shanghai Telecom and China Telecom, who reportedly have bought software technology to detect and block Skype traffic.  Presumably, they will also be blocking SIP, since this is technically much less difficult.  The thinking behind this is that if people aren’t calling with Skype, then they have to pick up the legacy phone.  This kind of thinking, “I don’t make any money out of this; can I block it?” is just the kind of blinkered approach that leads to telco lobbying in the net neutrality debate in the US.  Companies like AT&T would like to get paid twice, once by the Skypes and Googles, and then again by their telco customers.  Of course we’d all like to get paid twice, but most of us don’t have the political clout to make it happen. 

BT have not always been the most dynamic company, but I imagine that if they can learn something about business from Skype, then all large telcos stand a chance.  So come on guys, stop wringing your hands and worrying about becoming the bitpipe, and get out there and innovate.

Blue Box Podcast #34 – IPv6 security, VoIP security news, more

Blue Box Podcast #34 is now available for download. In this show, Jonathan and I cover VoIP security news and then have a 27-minute interview with Yurie Rich and John Spence of Command Information about IPv6: What is new with security in IPv6? Is it really more secure? Who is using IPv6? etc. A good opportunity to learn what you do – or don’t – need to know about IPv6 and security.

Multiple security flaws in Asterisk – upgrade available

Today Internet Security Systems (ISS) issued a press release announcing that they had found two vulnerabilities in the IAX2 protocol used by Asterisk. The actual security advisories can be found here and here.

A new version 1.2.10 of Asterisk was released on Saturday, July 14, to address these vulnerabilities. Users of Asterisk are, of course, strongly encouraged to upgrade.

Microsoft + Yahoo! == 350 Million New VoIP Users?

It would seem that Microsoft and Yahoo! have decided to work together and create an inter-operable messaging platform that will support both the Microsoft Live Messenger and Yahoo Instant Messenger clients and protocols, combining their separate user-bases into one that is close to 350 million users strong, easily eclipsing the 100 million that Skype boasts.

With a clear road map to VoIP services and to adding IM services to mobile phones, both of which Yahoo! already offers via its service, as well as the ability to make PC to PSTN calls via Yahoo!’s “Phone Out” service, it’s clear that the target is being drawn squarely on Skype. It will be interesting to see if the security aspect of Skype’s closed product approach or the apparent lack of strong encryption in the Microsoft or Yahoo! protocols (at least in their default configurations) will play any part in the upcoming shootout for subscribers.

The new unified platform is currently in beta and is available for trial.

Skype Protocol Cracked?

Several news sources are reporting that an unnamed 10-person Chinese company has successfully reverse engineered the Skype protocol. This company is supposedly planning to release their own software in two weeks that takes advantage of Skype’s networks.

The main source of this information seems to be the blog posting of Charlie Paglee, the CEO of Vozin Communications. The posting details a Skype call Paglee supposedly received from his Chinese contact at this unnamed company, through a non-Skype client. Several news outlets are reporting on this:

VuNet
NetworkWorld
TechWorld
SecurityProNews

So far, no mention of this on Skype’s security blog.

FBI Drafting CALEA VoIP Expansion Legislation

Could this be the beginning of a new version of CALEA tailored for Internet communications? CNet News is reporting that the FBI is drafting new legislation intended to expand CALEA which will require ISPs to wiretap conversations and force makers of networking gear to provide hardware that can accommodate that capability. This legislation is set to be introduced by Sen. Mike DeWine (R. Ohio).

The 1994 Communications Assistance for Law Enforcement Act (CALEA) was originally drafted to apply to traditional telephony equipment and services and has since been viewed by figureheads in the Internet Telephony industry as inadequate or difficult to apply to Internet-based communications. This new legislation could potentially address those issues; however, it may also eliminate safeguards that the original legislation provided.

The article published by CNet identifies four major points from the report. First, network infrastructure manufacturers will be required to upgrade their equipment to support Internet wiretapping. Second, law enforcement will have the ability to expand the reach of wiretapping beyond VoIP to other Internet communications such as Instant Messaging. Third, ISPs will have to monitor customers’ network traffic to identify only VoIP calls, and fourth, the legislation would eliminate the current CALEA requirement that the Justice Department must annually publish a public notice of the number of communication interceptions that have taken place.