13 Security considerations

13.1 Potentially insecure operations

The following features of VirtualBox can present security problems:

- Enabling 3D graphics via the Guest Additions exposes the host to additional security risks; see chapter 4.4.1, Hardware 3D acceleration (OpenGL and Direct3D 8/9), page 64.

- When teleporting a machine, the data stream through which the machine’s memory contents are transferred from one host to another is not encrypted. A third party with access to the network through which the data is transferred could therefore intercept that data.

- When using the VirtualBox web service to control a VirtualBox host remotely, connections to the web service (through which the API calls are transferred via SOAP XML) are not encrypted, but use plain HTTP. This is a potential security risk! For details about the web service, please see chapter 11, VirtualBox programming interfaces, page 163.

13.2 Authentication

The following components of VirtualBox can use passwords for authentication:

- When using the VirtualBox extension pack provided by Oracle for VRDP remote desktop support, you can optionally use various methods to configure RDP authentication. The “null” method is very insecure and should be avoided in a public network. See chapter 7.1.5, RDP authentication, page 94 for details.

- When using teleporting, passwords can optionally be used to protect a machine waiting to be teleported from unauthorized access. Note however that these passwords are stored unencrypted in the machine configuration XML and are therefore potentially readable on the host. See chapter 7.2, Teleporting, page 97 and chapter 8.7.5, Teleporting settings, page 114.

- When using remote iSCSI storage and the storage server requires authentication, a password can optionally be supplied with the VBoxManage storageattach command. Note however that this is stored unencrypted in the machine configuration and is therefore potentially readable on the host. See chapter 5.10, iSCSI servers, page 82 and chapter 8.16, VBoxManage storageattach, page 119.

- When using the VirtualBox web service to control a VirtualBox host remotely, connections to the web service are authenticated in various ways. This is described in detail in the VirtualBox Software Development Kit (SDK) reference; please see chapter 11, VirtualBox programming interfaces, page 163.

13.3 Encryption

The following components of VirtualBox use encryption to protect sensitive data:
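
The per-VM settings flagged in 13.1 and 13.2 (3D acceleration, teleporting, VRDP "null" authentication) can be checked on a host. The Python sketch below is an added example, not part of the VirtualBox manual; it assumes the key names accelerate3d, teleporterenabled, teleporterpassword, vrde and vrdeauthtype as printed by VBoxManage showvminfo --machinereadable, and it runs on a constructed sample rather than a real VM.

```python
# Added example. SAMPLE is constructed; the key names are assumptions about
# `VBoxManage showvminfo <vm> --machinereadable` output, not taken from the manual.
SAMPLE = '''\
name="build-agent"
accelerate3d="on"
teleporterenabled="on"
teleporterport=6000
teleporterpassword="constructed-secret"
vrde="on"
vrdeauthtype="null"
'''

def parse_vminfo(text):
    """Turn key="value" lines into a dict; keys and values may or may not be quoted."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().strip('"')] = value.strip().strip('"')
    return settings

def audit(settings):
    """Return (id, message) findings for the risks listed in 13.1 and 13.2."""
    findings = []
    if settings.get("accelerate3d") == "on":
        findings.append(("3d-acceleration",
                         "3D graphics via Guest Additions exposes the host to additional risk"))
    if settings.get("teleporterenabled") == "on":
        findings.append(("teleport-cleartext",
                         "teleport stream is not encrypted; keep it off untrusted networks"))
        if settings.get("teleporterpassword"):
            findings.append(("teleport-password",
                             "teleport password is stored unencrypted in the machine XML"))
    if settings.get("vrde") == "on" and settings.get("vrdeauthtype") == "null":
        findings.append(("vrdp-null-auth",
                         "VRDP uses the 'null' method; anyone who can connect gets in"))
    return findings

if __name__ == "__main__":
    # On a real host, feed in the output of the VBoxManage command for each VM.
    for finding_id, message in audit(parse_vminfo(SAMPLE)):
        print(f"[{finding_id}] {message}")
```

Findings about stored passwords also mean the machine configuration file itself should be readable only by the account that runs the VM.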