Skype's Huge, New Security Headaches

A team of international researchers has detected flaws in Skype that put the privacy of hundreds of millions of users at risk, they say.

The research shows that even when Skype users block callers, allow only calls from their contact list, and connect from behind a firewall, hackers can plumb their identities. The researchers confirmed that intruders can use Skype to discover which files call recipients are sharing, and track their whereabouts, too. The information can be collected without the Skype user even knowing that he or she has been contacted (and is at risk of exploitation). 

Marketers could easily link a Skype user's data with other available data--including name, age, address, profession, and employer--gleaned from social media sites like Facebook and LinkedIn, to build a database of in-depth profiles, the study suggests. The research team calculated that it would cost a marketer who wanted to create such a database just $500 a week to track 10,000 users.

A professor of computer science at one of the institutions involved in the study, the Polytechnic Institute of New York University, Keith Ross, says he was surprised to find that attackers could inconspicuously obtain the IP address of any Skype user, and that such breaches would only require the skill of a sophisticated, high school-aged hacker. He explained, "A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user--from private citizens to celebrities and politicians--and use the information for purposes of stalking, blackmail, or fraud."

The challenge for the researchers was to demonstrate that hypothetically, they could track large numbers of people employed by any organization. To prove this, they called 10,000 random Skype users every hour for two weeks to discover where they were, a task that required about 20 computers working in parallel. “It took two months for two PhDs to pull off that technical feat,” Ross noted.

The researchers informed Skype’s Chief Technology Strategist, Jonathan D. Rosenberg, via email of their findings in November 2010, before Microsoft purchased Skype, and again in late September (2011).

Rosenberg thanked the researchers for the information, but did not acknowledge a flaw, they said. A Skype spokesperson wrote to Fast Company on behalf of Adrian Asher, Skype’s Chief Information Security Officer, saying: "We value the privacy of our users and are committed to making our products as secure as possible. Just as with typical internet communications software, Skype users who are connected may be able to determine each other’s IP address. Through research and development, we will continue to make advances in this area and improvements to our software." 

Ross offers this counterpoint: "The problem with Skype is much more serious than any other system Asher may be considering, because on other voice internet communication systems it’s not possible for any user to track another’s whereabouts--they would have to be on a Friends or Contacts list. We show that the problem with Skype is particularly serious because any hacker can track the mobility and locations of any Skype user."

Currently, Microsoft’s Security Response Center is in touch with French members of the [research] team.

Ross agrees that Google Talk, China’s QQ, and MSN Live also could be insecure, because they all combine real-time and peer-to-peer communication. "It’s obvious that in any voice over internet protocol there is a natural vulnerability of getting the IP address of the person you’re speaking with, but no one had really explored this," Ross said.

His group, which studies peer-to-peer security, wanted to confirm what they think is obvious about the vulnerability of such systems and started with Skype because of its popularity. Specifically, they tested whether they could modify Skype transmissions and still obtain the Internet Protocol (IP) address of an unwitting Skype user.

When people use voice and video online to call one another, both can be vulnerable because an "electronic handshake" confirming their connection involves exchanges of packets of data. They therefore reveal their IP addresses to one another. But a malicious caller can obtain a callee’s IP address by initiating a Skype call, blocking certain functions, and then quickly terminating the call without ringing or causing an alert window to pop up. The caller can then input the IP address into commercial geo-IP mapping software to determine where the receiver is and what Internet service provider he or she uses. 

Such an attack can occur whether or not the receiver is on the caller’s contact list or even when the receiver has checked the box to block calls from non-contacts, because Skype is typically running whenever a computer is on. Strangers can call and the callee just doesn’t answer. It’s like a phone that doesn’t ring. The receiver is secure only in that he or she is not alerted to the call and so won’t answer, but Skype still allows the exchange of packets of information. By repeating the process over weeks or months, the intruder can track the movements of any Skype user, unbeknownst to him or her, and construct a detailed account of his or her daily activities.

For example, using MaxMind, a geolocation and online fraud detection tool, the researchers accurately tracked one volunteer researcher from his visit to a New York university to a vacation in Chicago, his return to that New York university, lodging in Brooklyn, and finally his home in France.

The researchers also tracked content the volunteers downloaded with the BitTorrent file-sharing ecosystem, which is mainly used to illegally exchange copyrighted material like music, movies, and TV shows. Users think they can download anonymously, but the researchers showed that by crawling BitTorrent, they could determine IP addresses and then concatenate them with names they purloined via Skype. A blackmailer, for example, could use this approach to obtain knowledge of a user’s illicit activities or affiliations.

The researchers say that redesigning the Skype protocol so that users' IP addresses are revealed only if they accept a call would offer substantially greater privacy and security. An even stronger defense would be to use a relay, so that a sent packet must pass through an intermediate computer that Skype owns and then is re-sent to users. That way, they would only see Skype’s address, not the address of the party they’re connecting to, Ross says. That would require a major change in design, testing, and redistribution of software to all users, which could take years to implement, he noted.

Skype has more than a half-billion registered users, reportedly, and a monthly average of 170 million active ones who use it for phoning, texting, instant messaging, and video conferencing (30 million concurrently). Skype-to-Skype voice and video minutes totaled approximately 531 million minutes per day (194 billion minutes for the year). As of June, users made an average of 300 million minutes of video calls per day. 

Other researchers involved in this project included: Chao Zhang of Polytechnic Institute of New York University (NYU-Poly), Stevens Le Blond of the Max Planck Institute for Software Systems, Germany, and Arnaud Legout and Walid Dabbous of the French research institute INRIA Sophia Antipolis, France. They will present their research paper, "I Know Where You Are And What You Are Sharing," during the Internet Measurement Conference 2011 in Berlin on November 2, 2011.

[Image: Flickr user mislav-m]

1 Comment

  • Karen Steward

    I understand that the problem revolves around lack of encryption for the Skype product. I have heard reported on radio news politicians' comments transmitted via video phones as a method of encrypted messaging. I believe the video phone technology will be the preferred method to users who want that protection. I use one daily and find the HD quality of viewing the other person, at the same time it costs less than a traditional telephone line, and includes worldwide free long distance. Cheers!