Skype Exploits: I know where you are, what you are sharing, and how to best stalk you

Security researchers discovered several serious security and privacy flaws in Skype that even a 'high school-age hacker' could use to track not only users’ locations over time but also their P2P file-sharing activity. The security team warned that this information could easily be used for "stalking, blackmail or fraud."

While lurking at Wilders Security Forum, I ran across a link to a research paper filled with terrible news for the half-billion registered Skype users. Security researchers have uncovered some really serious security and privacy flaws in Skype that could reveal the identities, locations over time, digital files, and even P2P activity of hundreds of millions of Skype users. In fact it's bad news for users of any Internet-based phone systems or P2P file sharing services. Researchers at NYU Polytechnic Institute and colleagues in France and Germany will present their paper, "I Know Where You are and What You are Sharing: Exploiting P2P Communications to Invade Users' Privacy" [PDF] at the Internet Measurement Conference 2011 in Berlin on November 2, 2011.

I Know Where You are and What You are Sharing explains how to exploit real-time communication applications. The team first designed a scheme to call the target inconspicuously to find his IP address, even if he or she is hiding behind a NAT firewall (that makes your public IP appear different than your local IP). Then by periodically making those 'secret' calls to the target, they were able to map the mobility of the victim. But it's not just tracking one person, as "marketers can easily link to information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to inexpensively build profiles on a single tracked target or a database of hundreds of thousands."

Next, the researchers considered the "linkability threat" and demonstrated it by "combining Skype and BitTorrent to show that it is possible to not only track a "users' locations over time but also their peer-to-peer (P2P) file-sharing activity." They were able "to verify with high accuracy whether the identified user is participating in specific torrents." In fact, the researchers concluded that anyone with an Internet connection could leverage these vulnerabilities in Skype to "observe the mobility and file-sharing usage of tens of millions of identified users."

According to Keith Ross, the Leonard J. Shustek Professor of Computer Science at NYU-Poly, "These privacy weaknesses are fairly easy to exploit, and that a sophisticated high school-age hacker would likely be capable of executing similar attacks." Ross explained, "These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services. A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user - from private citizens to celebrities and politicians - and use the information for purposes of stalking, blackmail or fraud."

A press release stated, the team demonstrated the severity of these security vulnerabilities by tracking the "Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period." Their techniques do not interfere with Skype and a user would never even know he or she were a target. "The researchers used commercial geo-location mapping services and found that they could construct a detailed account of a user's daily activities even if the user had not turned on Skype for 72 hours." For example, they tracked one vacationing volunteer from New York to Chicago, back to New York, and then to his home in France. "If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when."

In the researchers' report, the conclusions were creepy bad:

We have shown that it is possible for an attacker, with modest resources, to determine the current IP address of identified and targeted Skype user (if the user is currently active). It may be possible to do this for other real-time communication applications that also send datagrams directly between caller and callee (such as MSN Live, QQ, and Google Talk). In the case of Skype, even if the targeted user is behind a NAT, the attacker can determine the user's public IP address. Such an attack could be used for many malicious purposes, including observing a person's mobility or linking the identity of a person to his Internet usage.

We have further shown that by deploying modest resources, it is possible for an attacker to scale this scheme to not just one user but tens of thousands of users simultaneously. A prankster could use this scalable calling scheme to, for example, create a public web site which provides the mobility and file-sharing history of all active Skype users in a city or a country. Parents, employers, and spouses could then search such a web site to determine the mobility and file-sharing history of arbitrary Skype users.

The team anonymized their data and informed Skype and Microsoft of their findings, including the "security breach - that of obtaining users' IP addresses through inconspicuous calling" and the need to redesign Skype protocol "so that a user's IP address is never revealed unless the call is accepted would offer substantially greater privacy."

Skype is now officially a business division within Microsoft. The Big M press release quoted Skype CEO Tony Bates as saying, "By bringing together the best of Microsoft and the best of Skype, we are committed to empowering consumers and businesses around the globe to connect in new ways. Together, we will be able to accelerate Skype's goal to reach 1 billion users daily."

Previously, Privacy International warned that Skype users might be vulnerable to interception, impersonation and surveillance. Then after discovering a Microsoft patent to put in spy and pry backdoors for easy law enforcement eavesdropping, I wondered if Microsoft would ruin Skype. An infographic said that Skype video calling is on the rise with over 300,000,000 minutes of video calls per day and Microsoft is shooting for 1 billion Skype users daily. So it would seem important to address the researchers' findings. Yet after contacting Microsoft, there was no reply, no comment upon what, if anything, it intended to do about these Skype security and privacy vulnerabilities, or when, if ever.

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Copyright © 2011 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)