• United States



Is Skype a security risk that endangers your privacy?

Mar 25, 20115 mins
Data and Information SecurityEnterprise ApplicationsMicrosoft

From China's censorship to the NSA's warrantless surveillance, there's an ugly history of eavesdropping. But can spoken phrases be detected in encrypted VoIP conversations? Privacy International believes Skype has security flaws that endanger users' privacy and can put activists' lives at risk.

According to the NYTimes and Slashdot, there are reports of China stepping up electronic communications censorship beyond e-mail and the Internet in the form of “policing cellphone calls” such as if “antigovernment sentiment” words are spoken. Two callers, one speaking English and the other Chinese, have reported being cut off mid-sentence after saying “protest.”

Perhaps NSA didn’t cut people off mid-sentence, but it intercepted electronic communications and, with help from AT&T, engaged in warrantless surveillance of Americans during the Bush administration. The ACLU recently declared a victory when a federal appeals court revived a lawsuit challenging NSA surveillance and the constitutionality of the FISA Amendments Act (FAA) [PDF]. The Bush wiretapping law gave the government the power to electronically snoop on Americans’ international communications without needing a probable cause warrant – if an American was communicating with someone outside of the United States.

These days for electronic communication and placing international calls, many people use the free Voice-over-IP (VoIP) provider Skype to talk, transfer files and video chat. While the majority of users love Skype, there have been concerns in the past about if Skype had a back door for eavesdropping. In 2008, Skype downplayed “a report revealed that its Chinese service not only monitors text chats with sensitive keywords, which it had earlier admitted, but also stores them along with millions of personal user records on computers that could easily be accessed by anybody.” Then Heise Security reported on a back door built into Skype which might allow “connections to be bugged.” Australian police had claimed they were “able to listen in on Skype connections.”

While international long-distance calling slumped in this current economy, TeleGeography reported that Skype-to-Skype international calls soared, making up 12% of all long-distance calls. Because so many people depend upon Skype, Privacy International (PI) recently asked Skype to improve the security of its VoIP service to protect users’ privacy – especially those in oppressive regimes which could have their lives endangered. PI believes Skype users are vulnerable to interception, impersonation and surveillance. Specific complaints included that it’s easy to impersonate users, poor audio encoding could allow eavesdropping, and the lack of HTTPS for Skype download service which could be spoofed so users download compromised versions of Skype like what happened previously in China.

PI mentioned a research paper called Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations [PDF]. Researchers wrote “We evaluate our techniques on a standard speech recognition corpus containing over 2,000 phonetically rich phrases spoken by 630 distinct speakers from across the continental United States. Our results indicate that we can identify phrases within encrypted calls with an average accuracy of 50%, and with accuracy greater than 90% for some phrases. Clearly, such an attack calls into question the efficacy of current VoIP encryption standards.”

Yet during a Risky Business podcast, Paul Ducklin of Sophos Naked Security took issue with PI’s criticism of Skype security. “Paul called this out as a desperate attempt on PI’s part to get press and was a voice of reason about the real risks to activists and dissidents that might be present when using Skype.” Ducklin said even if Skype used HTTPS for downloads, it would not prevent trojanized versions of Skype if a country like China issued its own SSL certification. In fact, the podcast went so far as to call it “worse than a bucket of fail” and suggested PI educate dissidents how to use safely download and use Skype.

But Privacy International’s Human Rights and Technology Advisor, Eric King, says: “Skype’s misleading security assurances continue to expose users around the world to unnecessary and dangerous risk. It’s time for Skype to own up to the reality of its security and to take a leadership position in global communications.”

At the time of PI’s security concerns about Skype, a spokesman for Skype said: “Privacy International has not been in touch with us so it will take us some time to read and digest the report before we are in a position to respond. We will look into the points they have raised and will reach out to them. Skype takes these issues seriously and aims to provide users with the best possible levels of privacy and security.”

When asked if Skype has responded since then, PI’s King said, “Julie Petrini, Vice President & General Counsel, Operations, who is privacy lead for Skype has been in touch with us and wants to talk. We’re hoping for a phone conference next week.”

Meanwhile, Skype was one of the sites targeted with fraudulent digital SSL certificates in a malicious attack which appears to have come from the Iranian government. The digital certificates impersonated Skype, Google, Yahoo, Microsoft’s Live, and other websites.

Like this? Check out these other posts:

Follow me on Twitter @PrivacyFanatic

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.