Skype Security: Is the Popular VOIP Service Safe for Business?

Skype aims to break into small business environments. But are there security concerns to consider before you adopt it in your organization?

According to data released last month from research firm TeleGeography, Skype, the popular software that allows computer users to make calls over the internet, now accounts for 12 percent of all long-distance calls. The company saw its user base grow to more than 500 million accounts in 2009 and is making a run at a new market this year.

So far, the popular VOIP provider has been primarily used in personal, consumer settings. But in 2009, Skype launched Skype for SIP, a service that lets its peer-to-peer VoIP clients interact with existing IP PBXs and is aimed at small businesses looking to get in on the cost-savings of internet telephony. Skype for SIP (also know as Skype for Business) was launched in beta early last year and brought into public beta at the end of 2009.

Also see VoIP Security: The Basics for more about DDoS, eavesdropping and other VoIP threats

CSO: We know that Skype is making a play for business customers with Skype for SIP. But as it stands now, do you think it is used in many business organizations?

Michael Gough: Predominantly it is still used by individuals, but a lot of small-to-medium-sized businesses utilize Skype to cut costs for things like road warriors. Another common use I've seen in business is in outsourcing off-shore resources like help desk or support scenarios where you have a lot of people outside your state and doing off-hour support. Often Skype is an option for some of these companies.

Are there security concerns with Skype that are unique when compared to other VOIP solutions?

In any corporation, if you are going to install software on end-users computer, you have to do your governance. You have to set the rules that govern what you are going to do or allow with any piece of software. So every enterprise has the challenge of controlling the proliferation of Skype into the environment. If you're a local administrator, and you're going to install the product, now, all of a sudden, you have texting and voice conversations that are potentially encrypted and something that the enterprise or company can't monitor. That is definitely a challenge.

The first thing an administrator should do is say 'what are my rules about this? Do I have requirements that say I have to capture IM traffic?' for instance. For example, if you have employees trading stocks, bonds, anything like that, you can't use an IM solution (which Skype contains) unless it is actually auditable. It has to be recorded. Anything they chat about has to be able to be logged and printed out.

We know that a DDoS (denial of service) attack can happen at various layers with a VOIP system. How might something like a DDoS attack play out with Skype?

Fortunately for most businesses that use Skype, they will have traffic over Port 80, or your other typical web-surfing ports. But Skype users can communicate by voice, video and instant messaging. What could potentially happen is an IM could go out to the client, a user could potentially click on that message and take down or infect that computer. But that is long term issue with IM that has always existed. It's not unique to Skype. Is there something that sits on the internet with Skype that can be attacked to take it down? No, not really: Because your client doesn't know about any infrastructure.

What happens is when someone wants to call someone else, unlike a VOIP gateway or a telephone, you have to know who you are calling, click on it and it goes out to the Skype infrastructure and pings it. These systems are all over the world, its not one box that you invade. So from that perspective, it's not a really big concern.

What about eavesdropping? Does Skype technology make this any less or more possible with conversations?

This is the unique thing abut Skype that doesn't occur in most VOIP: Most companies do not encrypt their VOIP traffic, a major flaw. There are lots of tools, like Vomit and VOIP Pong for instance, which allow you to record unencrypted voice packets and recompile it. You just drop this thing, listen, and you can recompile conversations. Skype traffic is encrypted between point A and point B, so it's theoretically impossible to intercept a Skype call and encrypt it.

However, you can, on each end node, compromise that machine. Much like a solution that records your actions for a Power Point presentation, for instance if make a video you can play in Quicktime or what have you. That same kind of technology has the ability to record Skype because once it gets to your computer it's at that point decrypted and any SIM installed, or listening device that is installed, would be able to record a call. But that does require the local machine to be compromised. It's a pretty low risk from that perspective.

VOIP is sometimes criticized as making Vishing (phishing schemes conducted over the phone) easier to pull off. Is Vishing a security problem with Skype?

It can happen to anyone with any phone. It's the same exploit or concern. If someone goes and searches in Skype registry for any user and every user in a certain city, they can call them on a Skype account or a Skype out or in number, which is a number you get for calling Skype users that then transfers it your computer. Same scenario. I don't think there is any decreased or increased risk.

Is there a way to do the old phone number spoof technique using Skype?

Skype for business does have SIP gateways. What happens is this thing is running a Skype software that does the translation of Skype calls and translates it to SIP. Toll fraud is alive and well and can still happen, but for the most part you would have to break into the existing phone system in order to exploit Skype. I suppose if I logged into your account because you had a weak password then I could make and use up all of your Skype-out credits. That is a potential for people whose account is compromised. But I wouldn't say toll fraud is all that prevalent at this point with Skype.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies