Skype Security Flaw

Just announced:

The researchers found several properties of Skype that can track not only users' locations over time, but also their peer-to-peer (P2P) file-sharing activity, according to a summary of the findings on the NYU-Poly web site. Earlier this year, a German researcher found a cross-site scripting flaw in Skype that could allow someone to change an account password without the user's consent.

"Even when a user blocks callers or connects from behind a Network Address Translation (NAT) -- a common type of firewall -- it does not prevent the privacy risk," according to a release from NYU-Poly.

The research team tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period and found that callers using VoIP systems can obtain the IP address of another user when establishing a call with that person. The caller can then use commercial geo-IP mapping services to determine the other user's location and Internet Service Provider (ISP).

The user can also initiate a Skype call, block some packets and quickly terminate the call to obtain an unsuspecting person's IP address without alerting them with ringing or pop-up windows. Users do not need to be on a contact list, and it can be done even when a user explicitly configures Skype to block calls from non-contacts.

Posted on December 7, 2011 at 12:49 PM • 14 Comments

Comments

kashmarek • December 7, 2011 2:08 PM

I wonder how this plays into the Microsoft patent with regard to tracing and/or logging VOIP traffic (significantly, with regard to their ownership of Skype)? Since one person's bug is often another person's feature, maybe this "flaw" is Microsoft's "intellectual property".

kshepherd • December 7, 2011 2:27 PM

To put a positive spin on this, at least IP address disclosure is recognised as a potential flaw...
Who remembers the days when ICQ would display a contact's IP in their profile along with all their other public information?

(the XSS thing seems more nasty)

Zan • December 7, 2011 3:07 PM

I remember reading about this quite a while ago, unless this is a new flaw with the same effects?

Mike • December 7, 2011 3:46 PM

Not really sure how IP address disclosure is particularly relevant with a P2P program... ?

I guess you could POSSIBLY design around it for calls that would be blocked, but for calls that you actually accept? Not really.

Clive Robinson • December 8, 2011 7:54 AM

For those not up on the technology most VoIP or Internet Telephony is point to point (P2P) when in communications as are most other forms of Internet based communication.

Thus finding out a person's IP address is not that difficult, providing you can lure them into connecting to a service under your control somehow.

What is different about many VoIP systems is the connection front end. For this you call a front end directory service, that looks up the details of the person you wish to call and then (depending on the type of VoIP system) hands off the caller and callee to communicate independently.

The reason for the handoff is not to reduce the load on the systems services but to (hopefully) reduce pathlength and latency thus improve call quality (though this can go horribly wrong).

There are two basic ways the handoff can work,

1, The service gives the callee IP address to the caller. The caller then calls the callee. This is similar to the way DNS works.

2, The service gives the callee the IP address of the caller. The caller then waits for the callee to call them.

Both ways have advantages and disadvantages over the other. Importantly neither way directly allows for independent proxied calling. This gives rise to issues when both the caller and callee are mobile devices where their IP address may change at the whim of a service provider etc or both are located behind NAT/PAT firewalls etc.

The need to have an automated proxy service which both the caller and callee can connect to, which acts as a bridge between the two, helps remove a lot of the problems but will usually introduce latency into the call.

Once such a proxy potential is added into any service that would be more normally considered P2P then the potential to add Privacy Enhancing Technology (PET) becomes very much easier.

And yes there are VoIP systems out there that built in proxy ability from day one, in many cases initially just to get past the double NAT/PAT issues.
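
The following is an added example, not code from the post, from the NYU-Poly researchers, or from Skype. It is a toy model of the two handoff styles and the relay option described in the comment above, run through the "probe" call the post describes (initiate, stop before the callee is alerted, hang up). Every address, the `SETUP`/`CONNECT` message names and the relay at `RELAY_IP` are invented for the model; the point it demonstrates is that an address is learned from the first packet (or from the directory answer) before any block-non-contacts policy runs, and that only the relay mode keeps the real addresses from both sides.

```python
"""Toy model of VoIP call setup (added example, not Skype's protocol).

Three handoff styles are modelled:
  callee-ip-to-caller  directory answers the lookup with the callee's IP
  caller-ip-to-callee  directory pushes the caller's IP to the callee, who connects back
  relay                both sides only ever talk to a relay
abort_before_setup models the probe call from the post: the caller stops as
soon as it holds an address and never sends the SETUP that would ring the callee.
All addresses are made up (RFC 5737 documentation ranges)."""
from dataclasses import dataclass, field

RELAY_IP = "198.51.100.7"  # assumed address of the relay


@dataclass
class Endpoint:
    name: str
    ip: str
    block_non_contacts: bool = False
    contacts: set = field(default_factory=set)
    observed: dict = field(default_factory=dict)  # peer name -> IP seen on the wire
    rang: bool = False

    def on_packet(self, sender: str, src_ip: str, kind: str) -> None:
        # Every packet that reaches this endpoint discloses its source address.
        # The contact/block policy runs afterwards and only decides whether the
        # user is alerted, not whether the address was learned.
        self.observed[sender] = src_ip
        allowed = (not self.block_non_contacts) or sender in self.contacts
        if kind == "SETUP" and allowed:
            self.rang = True


class Directory:
    """Front-end lookup service; its mode decides which side learns which address."""
    MODES = ("callee-ip-to-caller", "caller-ip-to-callee", "relay")

    def __init__(self, mode: str) -> None:
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        self.registry: dict = {}

    def register(self, ep: Endpoint) -> None:
        self.registry[ep.name] = ep.ip


def place_call(directory: Directory, caller: Endpoint, callee: Endpoint,
               abort_before_setup: bool = False) -> dict:
    """Run one call setup and report what each side saw and whether the callee rang."""
    if directory.mode == "callee-ip-to-caller":
        # DNS-like: the lookup answer itself carries the callee's address,
        # so the caller has it before sending a single packet to the callee.
        caller.observed[callee.name] = directory.registry[callee.name]
        if not abort_before_setup:
            callee.on_packet(caller.name, caller.ip, "SETUP")
    elif directory.mode == "caller-ip-to-callee":
        # The directory gives the callee the caller's address and the callee
        # connects back; that first packet reveals the callee's address.
        callee.observed[caller.name] = directory.registry[caller.name]
        caller.on_packet(callee.name, callee.ip, "CONNECT")
        if not abort_before_setup:
            callee.on_packet(caller.name, caller.ip, "SETUP")
    else:
        # Relay: each side exchanges packets only with the relay, which forwards
        # the payload (including the sender's name) under its own address.
        caller.on_packet(callee.name, RELAY_IP, "CONNECT")
        if not abort_before_setup:
            callee.on_packet(caller.name, RELAY_IP, "SETUP")
    return {
        "caller_sees": caller.observed.get(callee.name),
        "callee_sees": callee.observed.get(caller.name),
        "callee_rang": callee.rang,
    }


def demo(mode: str, abort_before_setup: bool, trusted: bool = False) -> dict:
    """Alice calls Bob, who blocks calls from non-contacts.
    trusted=True puts Alice on Bob's contact list."""
    directory = Directory(mode)
    alice = Endpoint("alice", "203.0.113.10")
    bob = Endpoint("bob", "192.0.2.55", block_non_contacts=True)
    if trusted:
        bob.contacts.add("alice")
    directory.register(alice)
    directory.register(bob)
    return place_call(directory, alice, bob, abort_before_setup)


if __name__ == "__main__":
    for mode in Directory.MODES:
        print(f"{mode:22} probe: {demo(mode, abort_before_setup=True)}")
        print(f"{mode:22} full : {demo(mode, abort_before_setup=False)}")
```

In both non-relay modes the probe returns Bob's real address to Alice while `callee_rang` stays `False`, and Bob's block-non-contacts setting changes nothing about what was disclosed. Only the relay mode leaves both sides seeing `RELAY_IP`; the cost is the extra hop and latency the comment mentions, which is the trade-off a privacy-preserving design has to accept.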

Dirk Praet • December 8, 2011 9:17 AM

Skype has a long history of such flaws. It's just one of many products that started out as a good idea but got poorly executed by folks paying insufficient attention to security and privacy related issues in their haste to take it to market and get the money in.

MoeLuv • December 8, 2011 8:57 PM

I have Skype using port 1701 which is for L2TP/IPsec as Skype uses UDP. Now Skype encryption is itself going thru an encrypted tunnel based on my computer's IPsec settings. Hopefully this helps?!

MoeLuv • December 8, 2011 9:19 PM

P.S. I have Tor configured to only use ports 22, 1701 and 1723 for all inbound connections. Not perfect but... Any feedback would be welcome.

me • December 9, 2011 12:39 PM

Lots of people using Skype want other people to use it. Like me. I don't. Not because it's insecure, but geez...how much time are we all supposed to have for interruptions and panic?!!

AC2 • December 12, 2011 1:07 AM

@Nick P

Could you please put in a few pointers to good Skype alternatives.

I'm on Ubuntu Linux, bro's on Mac and dad on Win7... And in different countries...

I thought that Skype was the only way we could do free 3-way confs and occasional paid calls to PSTN, but I'd be happy to be proved wrong...


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..