Monthly Archives: September 2009

VoIP on the iPhone and iPod Touch – a security warning

At first sight, using any VoIP client on the iPhone or the iPod Touch (a.k.a. iDevices) may seem like an uninteresting thing. The reason for this is that Apple does not allow 3rd party applications to run in the background. So when a user closes down his iVoIP client he will not be able to receive any calls at all, thus defeating the reason for using VoIP on these devices in the first place.

However, if we take a look at some of the VoIP client offerings available, we notice that a few of these clients have the ability to receive incoming calls even when the software itself is not running.

At first sight this seems to be a Good Thing – however, there are severe security implications in doing this. Users will in fact willingly put themselves under a man-in-the-middle attack.

Added RSS Cloud plugin to this site (and what that means)

For those interested in the underlying plumbing of this site, today I added the RSS Cloud plugin for WordPress to this site that is described in more detail in this post: “RSSCloud for WordPress”.

What does this mean for you as readers?

In the short term, not much.  The only RSS Cloud-enabled reader right now is Dave Winer’s River2.

However, both RSS Cloud and PubSubHubbub are moving us closer to a “realtime” web where you as a reader can “subscribe” to feeds and receive updates as soon as those feeds are updated.  Currently, when you “subscribe” to our RSS feed, you only see updates when your news reader polls the feeds to which you are subscribed.  Given that a good number of feeds may not have changed since the last polling interval this process is also quite a waste of packets.

So the idea is to move from a “polling” paradigm to one of “subscribe/notify”.  Much more will be happening in this space in the time ahead.  In the meantime, if you do use River2 or any of the other readers that may support the RSSCloud tag, you’ll be able to interact with the Voice of VoIPSA blog in that model.

P.S. Yes, I’m also working to add the PubSubHubbub plugin for WordPress to this blog, but I’ve run into a technical issue I’m trying to debug.

Stoned Bootkit

Typically I don’t follow the deluge of Windows rootkits available because the sheer number and variety make diligently understanding all of them more than fairly daunting. After all, given limited resources, one must choose their battles and specialties in the security field.

That said, occasionally a Windows rootkit surfaces that is so mean, nasty and downright cool, that it becomes a must-know. Such is the case with the newest release of Stoned Bootkit. Be sure to go to their site and check it out, along with the paper, but here are a few highlights:

  • Attacks Windows XP, Server 2003, Windows Vista, Windows 7 with one single master boot record
  • Attacks TrueCrypt full volume encryption
  • Has integrated FAT and NTFS drivers
  • Has an integrated structure for plugins and boot applications (for future development)

Understanding the threats that Windows rootkits like this pose to VoIP security, especially on end users, is key.

Home Medical Devices and VoIP Security

With all the hubbub surrounding medical insurance reform, town hall meetings, and other distracting events, it’s worthwhile looking at some of the technical medical devices coming into the marketplace to be placed in patients’ homes, connected to their broadband internet connection.
Of several products in the patient home monitoring space, the Intel Health Guide PHS 6000 is perhaps one of the better positioned to garner marketshare because of several factors, including the size of Intel, on-going placement of the PHS 6000 in settings, and FDA approval in July, 2008.

Among its many features, the PHS 6000 also supports two-way video conferencing between patient and caregiver. As this communication takes place over the broadband connection, it’s reasonable to assume that some sort of VoIP software is in place. Of course, details at this point are thin, and it’s even hard to get a real handle on what the PHS 6000 operating system really is, with some reports indicating Microsoft Windows XP, and others indicating an embedded Linux derivative. Still, it looks like there is a VoIP stack, and it’s likely SIP-based.

Clearly, the importance of the security of devices like the Intel PHS 6000 is apparent. And with the growing interest and funding towards cost-reduction and tele-health, we can expect to see these types of devices deployed widely. But what of the security posture? Sure, there’s boasting of encryption for the connection, but features like SSL mean little in the face of real attacks and vulnerabilities — think SSL encryption downgrade attacks, spoofing and man-in-the-middle vectors to start.

To get the word out, I’ve started a LinkedIn group called MedSec to get together like-minded, talented security people with an interest in medical device security. I’ve been chumming the waters with this approach in the hopes that the right people with the right connections conduct proper security evaluations of this PHS 6000 device, and its back-end management system as well. Of course, if approached, I’m interested in some hands-on time too 🙂