July 19, 2006

VoIP Security Issues: Skype and Asterisk

By now you've likely heard that a clone of the ultra-popular Skype VoIP client was supposedly created by reverse engineering. Charlie Paglee, a blogger and head of VoIP provider Vozin Communications, stirred up the Internet recently when he claimed a friend called him from China with the supposed clone, a screenshot of which is posted at his VoIPWikiBlog.

Skype has denied the claim. Because Skype's system is proprietary, there is nothing officially compatible with their soft client. Skype must have been confident that no one would crack their code, though, because apparently they never patented their protocol.

Art Reisman thinks the Skype clone is unlikely and gives a great explanation of why (via a discussion of encryption), and of why it doesn't matter. Even if a clone did exist, a large-scale migration to clones would crash Skype's network but would not otherwise pose a security risk.

Security issues are more likely to occur in other components of VoIP systems, such as the hardware or software switching mechanisms, particularly in PBXes (Private Branch eXchanges).

In fact, two flaws have just been patched in Asterisk, an open source VoIP PBX package. Left unpatched, the flaws could be used for DoS (denial-of-service) attacks, bringing down a business's VoIP phone system.

DoS attacks have been used in the recent past to bring down websites for a variety of reasons, including attempts to take the site over, or simply for mischief. In the case of enterprise VoIP phone systems, the purpose would be to inhibit a business's telephony functions. For some businesses, that obviously means a temporary shutdown of operations.

A DoS attack is usually accomplished by overloading a web server or, in this case, a VoIP PBX. Asterisk PBX version 1.2.10 fixes the flaws in the IAX protocol that would have allowed DoS attacks.

Additional sources: [ZD Net UK, CIO Tech Informer]
